7 Replies Latest reply on Jan 27, 2014 6:26 PM by bascheew

    Password Encryption on system usernames only

    bascheew New Member

      I noticed that the passwords for the admins were not encrypted by default on a 7100, so I ran "service password-encryption" and this encrypted them just fine.  However, this also encrypted all of the SIP user passwords as well, and in the GUI the SIP user password field is masked out.  Is there a way to only encrypt the admin user passwords and not the SIP user passwords?  If not, I'd request a feature to allow password encryption to be granular per user.  I don't want to document each random 16-character password outside of taking a copy of the config!

      -Thank you!

        • Re: Password Encryption on system usernames only
          jayh Hall_of_Fame

          Why do you want them visible in plain text?  Compromised SIP user credentials can generate some rather large phone bills in a short period of time.  If the phones pull their configs from the 7100 then you should never need to see them.  For softphones, etc. enter them and record.  If lost then just re-enter a new one.

            • Re: Password Encryption on system usernames only
              Employee

              These passwords are encrypted for added security.  As jayh mentioned you can reset the SIP Auth Password if needed.  To do this, navigate to Voice > User Accounts > select the desired extension and click Edit > then on the General tab click the Generate random password button.  When you do this you will be able to see the new password in case you need to document it, but it will be hidden from this screen after you apply it.  After clicking Apply at the bottom,  you will need to reboot the associated phone.

              [screenshot: SIP_password.jpg]

              If you still want to create a Feature Request, you can in the Feature Requests (NV-7000) area.

              Thanks,

              Matt

              • Re: Password Encryption on system usernames only
                bascheew New Member

                Well, since we're talking about security -- the SIP passwords are stored in the "ext-macAddressHere.cfg" file and they are plain text there.  When the phone picks up its config from the 7100, am I not correct that it's using FTP for the transport?  (That's what the logs show anyway.)  So someone with a hub (or port mirror) along with a packet sniffer could see those files as they cross the wire.  I would argue that's an easier hack than getting your hands on the running config!  Another easy hack with physical access is pulling the CF card and copying it to get all the passwords from the phone config files.  Since only admins have access to the config of the router via a username and password, I'm OK with the SIP passwords remaining visible in the config.  But for now I will just pull them from the phone configs, which by the way you can get from the GUI under Voice -> IP Phone Configs -> Pick your phone -> click the wrench at the top right -> Show Password.

                [screenshot: Capture.PNG]

                So one more question then.  Is it possible to remove the enable password and just use local user authentication?  When I removed the enable password, logged back in and typed "enable", the router told me "No privileged mode password set" and wouldn't let me in.  Having one common enable password for a team of technicians is not preferable.

                Thanks guys!

                  • Re: Password Encryption on system usernames only
                    jayh Hall_of_Fame

                    bascheew wrote:


                    Well, since we're talking about security -- the SIP passwords are stored in the "ext-macAddressHere.cfg" file and they are plain text there.  When the phone picks up its config from the 7100, am I not correct that it's using FTP for the transport?  (That's what the logs show anyway.)  So someone with a hub (or port mirror) along with a packet sniffer could see those files as they cross the wire.  I would argue that's an easier hack than getting your hands on the running config!  Another easy hack with physical access is pulling the CF card and copying it to get all the passwords from the phone config files.  Since only admins have access to the config of the router via a username and password, I'm OK with the SIP passwords remaining visible in the config.  But for now I will just pull them from the phone configs, which by the way you can get from the GUI under Voice -> IP Phone Configs -> Pick your phone -> click the wrench at the top right -> Show Password.

                    With physical access it's pretty much game over on most devices.  We haven't played with the 7100 series devices but use HTTPS from a dedicated server for phone configuration to prevent SIP credentials being sniffed over the wire on our hosted PBX deployments.  Does the wrench -> show password command work with "service password-encryption" enabled? 


                    So one more question then.  Is it possible to remove the enable password and just use local user authentication?  When I removed the enable password, logged back in and typed "enable", the router told me "No privileged mode password set" and wouldn't let me in.  Having one common enable password for a team of technicians is not preferable.


                    I don't think it's possible to remove the enable password and still have full access to the CLI.  Annoyingly, the GUI allows config changes without knowledge of the enable password on most AOS devices.  This is a big security hole IMHO.

                    For a team of technicians, consider a RADIUS/TACACS solution globally.  Very scalable and allows easy adds/moves/changes of people.

                      • Re: Password Encryption on system usernames only
                        Employee

                        You are correct that FTP is the transport.  However, phones that are going to be downloading their configuration via FTP would typically be off the local LAN, a dedicated private circuit, or over a VPN.  If they are coming from over the Internet without a VPN, I would recommend the phone(s) be provisioned manually or with a local FTP server for added security.  I agree with jayh that if someone malicious has physical access "it's pretty much game over on most devices".

                        We do not have a way to set multiple enable passwords right now.  You can assign multiple username/password combinations for access to the web interface though.  For jayh's concern, you can use a portal list to restrict what user accounts are allowed to access the web interface. The good news is we will support configuring different privilege levels for the CLI starting with R10.11 on some products, which is due to release soon.  You can subscribe to Software Notifications for the products you are interested in to stay in the loop when it is available. The AOS Feature Matrix - Product Feature Matrix will be updated to reflect which products this feature is supported on.

                        Thanks,

                        Matt

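The exchange above draws a line between phones pulling ext-<mac>.cfg over FTP from the local LAN or a VPN (acceptable) and pulling it across the Internet in cleartext (not acceptable, since the SIP password rides in that file). The following is an added audit example, not code from the thread or from ADTRAN: it parses a constructed provisioning log (the log format is assumed for illustration) and rates each phone-config download by how exposed the SIP credential was.

```python
import ipaddress
import re

# Constructed sample provisioning log; not output from a real 7100, and the line format is assumed.
SAMPLE_LOG = """\
2014-01-27 09:01:12 FTP RETR ext-001122334455.cfg from 192.168.10.21
2014-01-27 09:01:40 FTP RETR ext-001122334466.cfg from 203.0.113.45
2014-01-27 09:02:03 HTTPS GET ext-001122334477.cfg from 198.51.100.9
2014-01-27 09:02:50 FTP RETR ext-001122334488.cfg from 10.8.0.14
2014-01-27 09:03:11 FTP RETR bootrom.bin from 203.0.113.46
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>FTP|HTTPS) \S+ (?P<file>\S+) from (?P<src>\S+)$"
)
# Per-phone config file named after the phone's MAC; this is the file that carries the SIP password.
CFG_RE = re.compile(r"^ext-[0-9a-fA-F]{12}\.cfg$")


def audit_provisioning(log_text, trusted_nets=("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")):
    """Return one finding per phone-config download, rated by credential exposure.

    FTP from inside a trusted (LAN/VPN) prefix is INFO: cleartext, but on a path you control.
    FTP from anywhere else is HIGH: the SIP password crossed an untrusted path in cleartext.
    HTTPS downloads are OK regardless of source address."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not CFG_RE.match(m["file"]):
            continue  # unparseable line, or not a phone config (e.g. firmware); skip
        src = ipaddress.ip_address(m["src"])
        trusted = any(src in n for n in nets)
        if m["proto"] == "HTTPS":
            level = "OK"
        elif trusted:
            level = "INFO"
        else:
            level = "HIGH"
        findings.append({"ts": m["ts"], "file": m["file"], "src": str(src),
                         "proto": m["proto"], "level": level})
    return findings


def summarize(findings):
    """Count findings per level, e.g. {'INFO': 2, 'HIGH': 1, 'OK': 1}."""
    counts = {}
    for f in findings:
        counts[f["level"]] = counts.get(f["level"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_provisioning(SAMPLE_LOG):
        print(f"{f['level']:<5} {f['ts']} {f['proto']:<5} {f['file']} from {f['src']}")
```

Pass your own VPN or branch prefixes in trusted_nets; any HIGH finding is a phone that should be provisioned manually, via a local FTP server, or over HTTPS as jayh describes.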
                        • Re: Password Encryption on system usernames only
                          bascheew New Member

                          Yes, the wrench -> Show Password works when encryption is enabled.  That's because it's reading it from the phone config file and not the router's running config.

                          Thanks Matt for the further clarification.  I look forward to when the R10.11 release comes to the 7100.

                    • Re: Password Encryption on system usernames only
                      bascheew New Member

                      I just upgraded to R10.11 and there are now 7 privilege levels that can be applied to a user or to an enable password.  If a user has level 7 permissions they are taken to enable mode without a password.  Thank you!