|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: ABOVE.NET SECURITY TRUTHS?
> As you pointed out to Barry Greene and myself previously, the "aaa > accounting" command as below will log commands typed in at "enable" level. > So, if you are changing the onboard router password, yes, you will see the > new password in your accounting logs, in clear text. > > However, I don't consider it good practice to keep any critical passwords > on a router when an authentication mechanism such as TACACS+ is in place. Unfornately, auth servers fail and you have to keep VTY and fallback passwords locally configured on the router. > Also, if I was modifying the onboard enable secret (last resort password > when TACACS+ or Radius is configured) at any stage, I'd tftp-load the > configuration from a remote server, not ever type it in live. I don't see how this actually changes anything though, aren't tftp'd files authorized (and therefore, logged) in a similar manner? And as wonderful as it sounds, it's not always possible in real networks. However, entering the encrypted *enable* password (w/level) would accommodate this. Though, of course, the BGP TCP MD5 stuff and the VTY passwords (and most other passwords) still don't support the ~non-reversible encryption algorithm. As for this entire thread, it's seems now to be more appropriate for cisco-nsp or the like. -danny |