IOS Local User Database

Usernames and passwords

Custom usernames and passwords can be set up.

There are various ways of doing this, including relying on remote servers.

However, another way is to use the “local database”, which simply means that the usernames and passwords are stored in the running-config. Some quotes from Cisco's official “CCNA Security” certification book: “The local database is a fancy way of referring to user accounts that are created on the local router and are part of the running configuration.” (That is from about location 2430 of 15172 of the Kindle eBook.) “The database that contains the usernames and passwords is the running configuration of the router or IOS device, and from a AAA perspective is referred to as the local database on the router. So, if you create a user locally on the router, you can also say that you created a user in the local database of the router. It is the same thing.” (“AAA” is pronounced “Triple A”, so “a AAA” is not cited as a grammatical error. From about location 2471 of 15172 of the Kindle eBook.)

As a quick side note, the command “aaa new-model” switches the device to the AAA command set, which uses different syntax: authentication is then selected with “aaa authentication login” method lists (for example “aaa authentication login default local”) rather than with “login local” on each line. That is documented in more detail in training material geared towards the “CCNA Security” certification.

For now, though, this guide will show some simpler syntax:

[#iosusrdb]: Creating and using a local user security configuration/database

Someone, somewhere, may reference a Cisco device's “local database” for storing user accounts. This “database” is actually in a format that is extremely simple for trained Cisco engineers to understand: it is simply the Cisco running-config configuration file. The “database” does not have its data stored in a separate file on the device. It simply refers to the configuration commands that set up the user accounts.

Before setting up the user account(s), the following line is optional:

deviceName>enable
deviceName#config terminal
deviceName(config)#security passwords min-length 8

This specifies a minimum length for passwords created after the command takes effect; it does not shorten or reject passwords that already exist, so it makes sense to run it first. (Cisco IOS documentation for “security passwords min-length” notes that the command was introduced in 12.3(1). Cisco Network Academy CCNA training “Exploration 4”, slide 4.2.3.2, likewise identifies this command as available in “Cisco IOS Software Release 12.3(1) and later”.)

To set up a user account in the local database, the general syntax is:

deviceName>enable
deviceName#config terminal
deviceName(config)#username myUsrNam privilege # passwordDetails

... where:

  • myUsrNam is intended to be customized. This is the name of the user to create.
  • # must be customized. This is a number representing the privilege level the user is placed at after logging in. IOS accepts 0 through 15 (1 is the default if the privilege keyword is omitted). A user has access to all commands assigned to the specified privilege level and to all lower levels. By default, IOS assigns nearly every command to either level 1 (user EXEC) or level 15 (privileged EXEC); level 0 holds only a handful of commands such as disable, enable, exit, help and logout. The “privilege” configuration command can move individual commands to other levels.
  • passwordDetails must be customized. Using the keyword “secret”, as shown in the following example, is recommended because IOS then stores only a hash of the password. Using the keyword “password” is also legal syntax, but it stores the password in a reversible form (type 0 or type 7). When “secret” is used, the next parameter is a number indicating how the string that follows is encoded: 0 means it is typed in plaintext and IOS will hash it before storing it; 5 means an already-hashed type 5 string is being pasted in.

e.g.:

deviceName>enable
deviceName#config terminal
deviceName(config)#username admin privilege 15 secret 0 plainTextPassword

The “secret 0” indicates that the password is typed as plaintext on the command line; in the running-config the line is rewritten to show “secret 5” followed by the hash, so the plaintext is never stored. The next example shows the older, less recommended “password” keyword, which stores the password reversibly (see the encryption types below).

deviceName>enable
deviceName#config terminal
deviceName(config)#username insecure privilege 15 password plainTextPassword

Now that some examples have been showing the general syntax, a closer look at specifying the password details is in order.

Cisco password encryption types

(This topic was noted as being covered by Cisco Network Academy CCNA training “Exploration 4” slide “4.2.3.2”. That information may be helpful for anybody with current access to Cisco's CCNA training material, which has been made available to people who signed up for college courses that use official Cisco training material.)

Type 0

0 is plaintext.

Type 7

Cisco IOS authentication documentation, in the section on passwords other than “enable secret”-style passwords, states: “If that digit is a 7, the password has been encrypted using the weak algorithm.” Perhaps even worse, earlier the same section notes: “Almost all passwords and other authentication strings in Cisco IOS configuration files are encrypted using the weak, reversible scheme used for user passwords.”

Cisco Network Academy CCNA training Exploration 4 slide 4.2.3.2 notes 7 represents “Simple encryption called a type 7 scheme. It uses the Cisco-defined encryption algorithm and will hide the password using a simple encryption algorithm.” ... “It does not offer very much protection as it only hides the password using a simple encryption algorithm. Although not as secure as the type 5 encryption, it is still better than no encryption.” Note: in hindsight, since even MD5-based type 5 is now widely viewed as insufficient, the reversible type 7 scheme should be regarded as providing essentially no protection. Type 7 is not a hash at all: each byte of the password is XORed with a byte of a fixed key that is the same on every IOS device, and the first two characters of the stored string are merely the starting offset into that key.

Type 7 Decryption in Cisco IOS shows an example of reversing this encoding on the device itself. First, copy the type 7 string from the running-config. Then enter it as the key-string of a throw-away key chain:

deviceName(config)#key chain decrypt
deviceName(config-keychain)#key 1
deviceName(config-keychain)#key-string passwordDetails

Here “passwordDetails” is the type number 7, a space, and the encoded string, exactly as they appear after the “password” keyword on the username line in the running-config. An example of this is shown by Type 7 Decryption in Cisco IOS.

After running the above commands, the result can be seen by running (the “do” prefix lets an EXEC command run from configuration mode):

deviceName(config-keychain)#do show key chain decrypt

The router displays the key string in cleartext. So the device itself provides a decoder for this reversible scheme; obviously it will not stop anyone who has obtained the encoded string. Remove the throw-away key chain afterwards with “no key chain decrypt”.

Consider this method mostly useless: it is only slightly better than plaintext, mainly because the encoded string is harder to memorize for a person who happens to glance at a screen. Anyone who can copy the string can recover the password, on the router as shown above or with any of the widely available offline decoders.
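The key-chain trick above uses the router as the decoder. The following Python, added here as an example (it is not from Cisco or the original page), does the same thing offline and also shows the encoding direction, which makes clear why the scheme is reversible: it is a fixed-key XOR with no secret input. The 53-byte key and the sample string 094F471A1A0A (which encodes “cisco”) are the well-known values; the encoder's seed argument is an assumption of this example standing in for the small random offset IOS picks.

```python
"""Decode and encode Cisco IOS type 7 ("service password-encryption") strings.

Added example, not code from the original page. Type 7 is not a hash: every
byte of the password is XORed with a byte of a fixed, publicly known key, and
the first two characters of the stored string are the decimal offset into that
key at which the XOR starts. Decoding therefore needs no secret at all.
"""

# The fixed key used by every IOS device for type 7 obfuscation (53 bytes).
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Return the plaintext behind a type 7 string such as '094F471A1A0A'."""
    if len(encoded) < 4 or len(encoded) % 2 != 0 or not encoded.isalnum():
        raise ValueError("not a type 7 string")
    seed = int(encoded[:2], 10)           # starting offset into TYPE7_KEY
    body = bytes.fromhex(encoded[2:])     # one byte per password character
    plain = bytes(c ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                  for i, c in enumerate(body))
    return plain.decode("ascii")


def type7_encode(plain: str, seed: int = 0) -> str:
    """Inverse of type7_decode.

    seed is the key offset written as the first two characters; IOS itself
    picks a small random offset. Accepting it as a parameter here is an
    assumption of this example so that encoding is deterministic.
    """
    if not 0 <= seed < len(TYPE7_KEY):
        raise ValueError("seed out of range")
    raw = plain.encode("ascii")
    body = bytes(c ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                 for i, c in enumerate(raw))
    return f"{seed:02d}" + body.hex().upper()


if __name__ == "__main__":
    # Constructed sample: the string a running-config shows for "cisco".
    sample = "094F471A1A0A"
    print(sample, "->", type7_decode(sample))
    print("cisco", "->", type7_encode("cisco", seed=9))
```

Feed any string that follows “password 7” in a running-config to type7_decode; because decoding is a single pass over public data, a configuration backup that leaks is equivalent to the passwords leaking.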

Type 5

Type 5 is a salted MD5-based hash (the same “$1$salt$hash” format as the Unix md5crypt scheme). Some Cisco documentation has described this as the “secure” style of password. It is at least a one-way function, unlike type 7, but MD5 is no longer regarded as a secure algorithm, and md5crypt is fast enough that a stolen hash can be brute-forced offline at high speed. Newer IOS releases (15.3(3)M and later) can store secrets as type 8 (PBKDF2-SHA256) or type 9 (scrypt) by adding “algorithm-type sha256” or “algorithm-type scrypt” to the username or enable secret command; the intermediate type 4 (an unsalted SHA-256 introduced in IOS 15.0(1)S) was withdrawn by Cisco as weaker than type 5 and should be avoided.

Type 6

This is supported on fewer releases than type 5, but has been seen documented: Cisco IOS security documentation: Type 6 encryption describes this encryption type as “secure reversible passwords”. It is AES encryption under a master key configured with “key config-key password-encryption” and enabled with “password encryption aes”, and it is intended for secrets the device must be able to recover in cleartext (such as shared keys), not as a replacement for hashed user passwords.

Then, after the usernames and passwords are set up in the local configuration/database, the local user/password database/configuration needs to be put into use. Otherwise, all that work accomplished nothing. Without “aaa new-model”, this is enabled per line (console, vty and aux) with the “login local” command, as shown in the example below.

deviceName>enable
deviceName#config terminal
deviceName(config)#enable secret level 15 0 plainTextPassword
deviceName(config)#security passwords min-length 8
deviceName(config)#username admin privilege 15 secret 0 plainTextPassword
deviceName(config)#username admintwo privilege 15 secret 0 plainTxtPw
deviceName(config)#line console 0
deviceName(config-line)#login local
deviceName(config-line)#line vty 0 4
deviceName(config-line)#login local
deviceName(config-line)#line aux 0
deviceName(config-line)#login local
deviceName(config-line)#end
deviceName#show run

Note on this line:

deviceName(config)#enable secret level 15 0 plainTextPassword

This is not an AAA command. It sets the password required by the “enable” command to reach privilege level 15, stored as a hash. The syntax is “enable secret [level level] {[0] plaintext | 5 hash}”; level 15 is the default, so “enable secret 0 plainTextPassword” is equivalent, and the 0 means the password that follows is typed in plaintext. It belongs in the example because a user who logs in with a local account at a lower privilege level still needs this secret to escalate to level 15.

(Note: The commands to add a user are also documented at: adding a user to a Cisco IOS device. At the time of this writing, that section does not have as many details about creating users as what was presented in this local user database section.)

Disabling unwanted users

Devices that come with Cisco Configuration Professional Express pre-installed may have a default account called “cisco” that has a well-known password (the same as the username: “cisco”). This may be fine for certain types of setups, such as educational environments (where it is good for students and instructors to be able to log on easily) or public networks that are intended to let people adjust equipment (which may not be very common, but such networks have been created). However, even in such environments, using a documented alternative is a better habit, because the default password is widely known, including by people who have never been taught a particular network's guidelines. So, disabling the default account is generally recommendable.

To see what usernames currently exist, list the username lines in the running-config:

deviceName#show running-config | include ^username

(More may be added at: listing users.)

To remove a user, use the “no” form of the username command; some releases ask for confirmation before removing all configuration with that username:

deviceName(config)#no username cisco

(This information should also be placed at: deleting users/disabling users.)
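Listing the username lines and spotting the default account can also be done against a saved configuration backup rather than on the device. The following Python, added here as an example (it is not from the original page), parses the username lines in a constructed running-config excerpt, classifies how each password is stored, and flags the entries worth removing or re-entering with “secret”. The sample config and its hash strings are constructed placeholders, and the script only classifies type 7 values; it does not decode them.

```python
"""Audit the local user database in a saved IOS running-config.

Added example, not from the original page. Parses 'username ... password|secret'
lines, reports how each password is stored, and flags weak or suspicious
accounts. The sample configuration below is constructed for this example; the
hash strings in it are placeholders, not real hashes.
"""
import re
from dataclasses import dataclass

# Storage types that can appear on the username command.
STORAGE = {
    ("password", "0"): "plaintext",
    ("password", "7"): "type 7 (fixed-key XOR, trivially reversible)",
    ("secret", "4"): "type 4 (unsalted SHA-256, withdrawn by Cisco)",
    ("secret", "5"): "type 5 (salted MD5 crypt, fast to brute-force)",
    ("secret", "8"): "type 8 (PBKDF2-SHA256)",
    ("secret", "9"): "type 9 (scrypt)",
}
REVERSIBLE = {("password", "0"), ("password", "7")}

USERNAME_RE = re.compile(
    r"^username (?P<name>\S+)"
    r"(?: privilege (?P<priv>\d+))?"
    r" (?P<kw>password|secret)"
    r"(?: (?P<type>\d))?"          # type digit may be absent on old releases
    r" (?P<value>\S+)\s*$")

# Constructed sample; hash values are placeholders.
SAMPLE_RUNNING_CONFIG = """\
!
service password-encryption
!
username cisco privilege 15 password 7 094F471A1A0A
username admin privilege 15 secret 5 $1$Xk2q$placeholderNotARealHash
username backup password 0 changeme
username auditor privilege 1 secret 9 $9$placeholdersalt$placeholderNotARealHash
!
line con 0
 login local
line vty 0 4
 login local
 transport input ssh
!
"""


@dataclass
class UserEntry:
    name: str
    privilege: int
    keyword: str   # 'password' or 'secret'
    ptype: str     # '0', '5', '7', ... or '?' when omitted after 'secret'
    value: str


def parse_usernames(config: str) -> list:
    """Return one UserEntry per username line that carries a credential."""
    entries = []
    for line in config.splitlines():
        m = USERNAME_RE.match(line.strip())
        if not m:
            continue
        # IOS shows 'password' with an explicit 0 when no type is given.
        ptype = m.group("type") or ("0" if m.group("kw") == "password" else "?")
        entries.append(UserEntry(
            name=m.group("name"),
            privilege=int(m.group("priv") or 1),   # IOS default level is 1
            keyword=m.group("kw"),
            ptype=ptype,
            value=m.group("value")))
    return entries


def audit(config: str) -> list:
    """Return human-readable findings for weak or suspicious accounts."""
    findings = []
    for u in parse_usernames(config):
        key = (u.keyword, u.ptype)
        how = STORAGE.get(key, f"unknown type {u.ptype}")
        if u.name == "cisco":
            findings.append(f"{u.name}: default CCP Express account present; "
                            f"remove it with 'no username cisco'")
        if key in REVERSIBLE:
            findings.append(f"{u.name}: stored as {how}; re-enter with "
                            f"'username {u.name} privilege {u.privilege} secret ...'")
        if u.ptype == "0" and u.value == u.name:
            findings.append(f"{u.name}: password equals username")
        if u.ptype == "4":
            findings.append(f"{u.name}: {how}; re-enter on a release that "
                            f"produces type 8 or 9")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RUNNING_CONFIG):
        print(finding)
```

Run it over the output of “show running-config” saved to a file; accounts stored with the “secret” keyword produce no finding, while the default “cisco” account and anything stored with the “password” keyword are reported.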

Seeing who is logged in

See: who to see who is logged in. “show users” is the same command under another name; both list the active lines, the user on each, and where they connected from.

See: “show ssh” to list the SSH sessions currently open to the device (the SSH version, state and username of each). Note that “show sessions” is different: it lists outbound Telnet/SSH connections that this device has opened to other hosts, not connections to the device.