cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Anonymous
Not applicable

Password Encryption on system usernames only

Jump to solution

I noticed that the passwords for the admins was not encrypted by default on a 7100 so I ran "service password-encryption" and this encrypted them just fine.  However this also encrypted all of the SIP user passwords as well, and in the GUI the SIP user password field is masked out.  Is there a way to only encrypt the admin user passwords and not the SIP user passwords?  If not I'd request a feature to allow password encryption to be granular per user.  I don't want to document each random 16 character password outside of taking a copy of the config!

-Thank you!

0 Kudos
1 Solution

Accepted Solutions
Anonymous
Not applicable

Re: Password Encryption on system usernames only

Jump to solution

These passwords are encrypted for added security.  As mentioned you can reset the SIP Auth Password if needed.  To do this, navigate to Voice > User Accounts > select the desired extension and click Edit > then on the General tab click the Generate random password button.  When you do this you will be able to see the new password in case you need to document it, but it will be hidden from this screen after you apply it.  After clicking Apply at the bottom,  you will need to reboot the associated phone.

SIP_password.jpg

If you still want to create a Feature Request, you can in the area.

Thanks,

Matt

View solution in original post

0 Kudos
7 Replies
jayh
Honored Contributor
Honored Contributor

Re: Password Encryption on system usernames only

Jump to solution

Why do you want them visible in plain text?  Compromised SIP user credentials can generate some rather large phone bills in a short period of time.  If the phones pull their configs from the 7100 then you should never need to see them.  For softphones, etc. enter them and record.  If lost then just re-enter a new one.

Anonymous
Not applicable

Re: Password Encryption on system usernames only

Jump to solution

These passwords are encrypted for added security.  As mentioned you can reset the SIP Auth Password if needed.  To do this, navigate to Voice > User Accounts > select the desired extension and click Edit > then on the General tab click the Generate random password button.  When you do this you will be able to see the new password in case you need to document it, but it will be hidden from this screen after you apply it.  After clicking Apply at the bottom,  you will need to reboot the associated phone.

SIP_password.jpg

If you still want to create a Feature Request, you can in the area.

Thanks,

Matt

0 Kudos
Anonymous
Not applicable

Re: Password Encryption on system usernames only

Jump to solution

Well since we're talking about security -- the SIP passwords are stored in the "ext-macAddressHere.cfg" file and they are plain text there.  When the phone picks up it's config from the 7100 am I not correct that it's using FTP for the transport?  (That's what the logs show anyway.)  So someone with a hub (or port mirror) along with a packet sniffer could see those files as they cross the wire.  I would argue that's an easier hack than getting your hands on the running config!  Another easy hack with physical access is pulling the CF card and copying it to get all the passwords from the phone config files.  Since only admins have access to the config of the router via a username and password I'm ok with the SIP passwords remaining visible in the config.  But for now I will just pull them from the phone configs.  Which by the way you can get from the GUI under Voice -> IP Phone Configs -> Pick your phone -> click the wrench at the top right -> Show Password.

Capture.PNG

So one more question then.  Is it possible to remove the enable password and just use local user authentication?  When I removed the enable password and logged back in and type "enable" the router tells me "No privileged mode password set" and won't let me in.  Having one common enable password for a team of technicians is not preferable.


Thanks guys!

jayh
Honored Contributor
Honored Contributor

Re: Password Encryption on system usernames only

Jump to solution

bascheew wrote:



Well since we're talking about security -- the SIP passwords are stored in the "ext-macAddressHere.cfg" file and they are plain text there.  When the phone picks up it's config from the 7100 am I not correct that it's using FTP for the transport?  (That's what the logs show anyway.)  So someone with a hub (or port mirror) along with a packet sniffer could see those files as they cross the wire.  I would argue that's an easier hack than getting your hands on the running config!  Another easy hack with physical access is pulling the CF card and copying it to get all the passwords from the phone config files.  Since only admins have access to the config of the router via a username and password I'm ok with the SIP passwords remaining visible in the config.  But for now I will just pull them from the phone configs.  Which by the way you can get from the GUI under Voice -> IP Phone Configs -> Pick your phone -> click the wrench at the top right -> Show Password.


With physical access it's pretty much game over on most devices.  We haven't played with the 7100 series devices but use HTTPS from a dedicated server for phone configuration to prevent SIP credentials being sniffed over the wire on our hosted PBX deployments.  Does the wrench -> show password command work with "service password-encryption" enabled? 


So one more question then.  Is it possible to remove the enable password and just use local user authentication?  When I removed the enable password and logged back in and type "enable" the router tells me "No privileged mode password set" and won't let me in.  Having one common enable password for a team of technicians is not preferable.


I don't think it's possible to remove the enable password and still have full access to CLI.  Annoyingly, GUI allows config changes without knowledge of enable password on most AOS devices. This is a big security hole IMHO. 

For a team of technicians, consider a RADIUS/TACACS solution globally.  Very scalable and allows easy adds/moves/changes of people.

Anonymous
Not applicable

Re: Password Encryption on system usernames only

Jump to solution

You are correct that FTP is the transport.  However, phones that are going to be downloading their configuration via FTP would typically be off the local LAN, a dedicated private circuit, or over a VPN.  If they are coming from over the Internet without a VPN, I would recommend the phone(s) be provisioned manually or with a local FTP server for added security.  I agree with that if someone malicious has physical access "it's pretty much game over on most devices".

We do not have a way to set multiple enable passwords right now.  You can assign multiple username/password combinations for access to the web interface though.  For 's concern, you can use a portal list to restrict what user accounts are allowed to access the web interface. The good news is we will support configuring different privilege levels for the CLI starting with R10.11 on some products, which is due to release soon.  You can subscribe to for the products you are interested in to stay in the loop when it is available. The AOS Feature Matrix - Product Feature Matrix will be updated to reflect which products this feature is supported on.

Thanks,

Matt

Anonymous
Not applicable

Re: Password Encryption on system usernames only

Jump to solution

Yes the wrench-> show password works when encryption is enabled.  That's because it's reading it from the phone config file and not the router's running config.

Thanks Matt for the further clarification.  I look forward to when the R10.11 release comes to the 7100.

Anonymous
Not applicable

Re: Password Encryption on system usernames only

Jump to solution

I just upgraded to R10.11 and there are now 7 privilege levels that can be applied to a user or to an enable password.  If a user has level 7 permissions they are taken to enable mode without a password.  Thank you!