IBM 12.1(22)EA6 Protecting Enable and Enable Secret Passwords with Encryption

5-4

Cisco Systems IntelligentGigabit Ethernet Switch Modules for the IBMBladeCenter, Software Configuration Guide

24R9746

Chapter5 Configuring Switch-Based Authentication

Protecting Access to Privileged EXEC Commands

Protecting Enable and Enable Secret Passwords with Encryption

To provide an additional layer of security, particularly for passwords that cross the network or that are

stored on a TFTP server, you can use either the enable password or enable secret global configuration

commands. Both commands accomplish the same thing; that is, you can establish an encrypted password

that users must enter to access privileged EXEC mode (the default) or any privilege level you spec ify.

We recommend that you use the enable secret command because it uses an improved encryption

algorithm.

If you configure the enable secret command, it takes precedence over the enable password command;

the two commands cannot be in effect simultaneously.

Beginning in privileged EXEC mode, follow these steps to configure encryption for enable and enable

secret passwords:

Command Purpose

Step1 configure terminal Enter global configuration mode.

Step2 enable password [level level] {password |

encryption-type encrypted-password}

enable secret [level level] {password |

encryption-type encrypted-password}

Define a new password or change an existing password for

access to privileged EXEC mode.

Define a secret password, which is saved using a

nonreversible encryption method.

•(Optional) For level, the range is from 0 to 15. Level 1 is

normal user EXEC mode privileges. The default level is

15 (privileged EXEC mode privileges).

•For password, specify a string from 1 to 25

alphanumeric characters. The string cannot start with a

number, is case sensitive, and allows spaces but ignores

leading spaces. By default, no password is defined.

•(Optional) For encryption-type, only type 5, a Cisco

proprietary encryption algorithm, is available. If you

specify an encryption type, you must provide an

encrypted password—an encrypted password you copy

from another Cisco Systems Intelligent Gigabit Ethernet

Switch Module configuration.

Note If you specify an encryption type and then enter a

clear text password, you can not re-enter privileged

EXEC mode. You cannot recover a lost encrypted

password by any method.

Step3 service password-encryption (Optional) Encrypt the password when the password is

defined or when the configuration is written.

Encryption prevents the password from being readable in the

configuration file.

Step4 end Return to privileged EXEC mode.

Step5 copy running-config startup-config (Optional) Save your entries in the configuration file.