[28457] in North American Network Operators' Group
Re: ABOVE.NET SECURITY TRUTHS?
daemon@ATHENA.MIT.EDU (Danny McPherson)
Sun Apr 30 22:33:38 2000
Message-Id: <200005010837.CAA02950@tcb.net>
To: Philip Smith <pfs@cisco.com>
Cc: nanog@merit.edu
From: Danny McPherson <danny@tcb.net>
Reply-To: danny@tcb.net
Date: Mon, 01 May 2000 02:37:14 -0600
Errors-To: owner-nanog-outgoing@merit.edu
> As you pointed out to Barry Greene and myself previously, the "aaa
> accounting" command as below will log commands typed in at "enable" level.
> So, if you are changing the onboard router password, yes, you will see the
> new password in your accounting logs, in clear text.
>
> However, I don't consider it good practice to keep any critical passwords
> on a router when an authentication mechanism such as TACACS+ is in place.
Unfortunately, auth servers fail and you have to keep VTY and fallback
passwords locally configured on the router.
> Also, if I was modifying the onboard enable secret (last resort password
> when TACACS+ or Radius is configured) at any stage, I'd tftp-load the
> configuration from a remote server, not ever type it in live.
I don't see how this actually changes anything, though; aren't tftp'd files
authorized (and therefore logged) in a similar manner?
And as wonderful as it sounds, it's not always possible in real networks.
However, entering the encrypted *enable* password (w/level) would accommodate
this. Though, of course, the BGP TCP MD5 stuff and the VTY passwords (and
most other passwords) still don't support the ~non-reversible encryption
algorithm.
As for this entire thread, it seems now to be more appropriate for cisco-nsp
or the like.
-danny
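Added example, not part of the original thread or of any Cisco or TACACS+ tool: the thread's point is that IOS command accounting records whatever is typed at the enable prompt, so a locally configured enable secret, VTY password or BGP TCP MD5 key lands in the accounting log verbatim unless it was entered in its already-hashed (type 5) form. The script below runs over constructed tac_plus-style accounting records (the layout is an approximation and the values are made up), flags every record that carries a credential, reports whether the log captured it as clear text, reversible type 7, or a non-reversible type 5 hash, and produces a redacted copy suitable for long-term retention. Command syntax covered is standard IOS (`enable secret`, `username ... password|secret`, `neighbor ... password`, line `password`, `tacacs-server key`, `snmp-server community`).

```python
import re

# Constructed sample TACACS+ command-accounting records (tac_plus-like layout,
# invented for this example). Only the "cmd=" tail is inspected.
SAMPLE_RECORDS = [
    "Mon May  1 02:37:14 2000 10.0.0.1 danny tty2 10.0.0.50 stop task_id=31 "
    "service=shell priv-lvl=15 cmd=configure terminal <cr>",
    "Mon May  1 02:37:20 2000 10.0.0.1 danny tty2 10.0.0.50 stop task_id=32 "
    "service=shell priv-lvl=15 cmd=enable secret level 15 0 Sup3rS3cret! <cr>",
    "Mon May  1 02:37:25 2000 10.0.0.1 danny tty2 10.0.0.50 stop task_id=33 "
    "service=shell priv-lvl=15 cmd=enable secret 5 $1$placeholder$notarealhashXXXXXXXXX <cr>",
    "Mon May  1 02:37:31 2000 10.0.0.1 danny tty2 10.0.0.50 stop task_id=34 "
    "service=shell priv-lvl=15 cmd=line vty 0 4 <cr>",
    "Mon May  1 02:37:33 2000 10.0.0.1 danny tty2 10.0.0.50 stop task_id=35 "
    "service=shell priv-lvl=15 cmd=password vtyfallback <cr>",
    "Mon May  1 02:37:40 2000 10.0.0.1 danny tty2 10.0.0.50 stop task_id=36 "
    "service=shell priv-lvl=15 cmd=neighbor 192.0.2.1 password bgpmd5key <cr>",
    "Mon May  1 02:37:45 2000 10.0.0.1 danny tty2 10.0.0.50 stop task_id=37 "
    "service=shell priv-lvl=15 cmd=show ip bgp summary <cr>",
]

# IOS commands that carry a credential as their last argument. Each pattern
# names the optional encryption-type digit (0 = clear, 5 = MD5 hash, 7 = reversible)
# and the secret token itself. The optional type group only matches when a
# single digit is followed by a space, so a password such as "5ive" is still
# taken as the secret rather than as a type marker.
SECRET_COMMANDS = [
    ("enable", re.compile(
        r"^enable (?:secret|password)(?: level \d+)?(?: (?P<enctype>[057]))? (?P<secret>\S+)")),
    ("username", re.compile(
        r"^username \S+ (?:password|secret)(?: (?P<enctype>[057]))? (?P<secret>\S+)")),
    ("bgp-neighbor", re.compile(
        r"^neighbor \S+ password(?: (?P<enctype>[07]))? (?P<secret>\S+)")),
    ("line-password", re.compile(
        r"^password(?: (?P<enctype>[07]))? (?P<secret>\S+)")),
    ("aaa-server-key", re.compile(
        r"^(?:tacacs-server|radius-server) key(?: (?P<enctype>[07]))? (?P<secret>\S+)")),
    ("snmp-community", re.compile(
        r"^snmp-server community (?P<secret>\S+)")),
]


def classify_command(cmd):
    """Return (kind, enctype, match) if cmd sets a credential, else None."""
    for kind, rx in SECRET_COMMANDS:
        m = rx.match(cmd)
        if m:
            return kind, m.groupdict().get("enctype"), m
    return None


def exposure(enctype):
    """How much of the credential the accounting log actually reveals."""
    if enctype == "5":
        return "hashed"       # type 5 MD5 hash: the log does not reveal the password
    if enctype == "7":
        return "reversible"   # type 7 is reversible; treat as exposed
    return "cleartext"        # type 0 or no type: the password itself was logged


def redact_command(cmd):
    """Replace only the secret token so the rest of the command stays auditable."""
    hit = classify_command(cmd)
    if hit is None:
        return cmd
    _, _, m = hit
    return cmd[:m.start("secret")] + "<REDACTED>" + cmd[m.end("secret"):]


def redact_record(record):
    """Redact the cmd= portion of one accounting record; other fields are kept."""
    head, sep, cmd = record.partition("cmd=")
    return record if not sep else head + sep + redact_command(cmd)


def audit_records(records):
    """List (record number, command kind, exposure) for every credential-bearing record."""
    findings = []
    for n, rec in enumerate(records, 1):
        _, sep, cmd = rec.partition("cmd=")
        if not sep:
            continue
        hit = classify_command(cmd)
        if hit is not None:
            kind, enctype, _ = hit
            findings.append((n, kind, exposure(enctype)))
    return findings


if __name__ == "__main__":
    for n, kind, exp in audit_records(SAMPLE_RECORDS):
        print(f"record {n}: {kind} credential logged as {exp}")
    print("--- redacted copy ---")
    for rec in SAMPLE_RECORDS:
        print(redact_record(rec))
```

Record 3 is the case the reply describes as acceptable: the operator typed the already-hashed type 5 string, so the accounting log holds only the hash. Records 5 and 6 show why that does not help for VTY and BGP MD5 passwords, which IOS accepts only in clear or reversible form; for those the redaction pass, applied before the logs are archived or shipped to a SIEM, is the practical mitigation.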