SSH & tacacs-server key in cleartext

Unanswered Question
Feb 25th, 2007

Hi,

Appreciate some advice on the following:

I have the following devices which need to be configured with SSH and a TACACS-server key stored as encrypted text. I don't think the existing IOS supports this. Please advise whether the only way to fulfil the above is to upgrade the IOS (if yes, which IOS?), or whether there are any commands which can do that.

No SSH

======

1) WS-C6509, Version 12.2(18)SXD6

2) WS-C4507R, Version 12.2(25)EWA1

3) WS-C3550-48-SMI, Version 12.1(9)EA1c

4) Cisco 2621, Version 12.2(7c)

5) WS-C3560-24PS, Version 12.2(25)SEB4

No SSH & Tacacs-server key in cleartext

=======================================

1) WS-C2924C-XL - Version 12.0(5)WC16

2) WS-C2924-XL - Version 12.0(5)XU

Thanks

royalblues Sun, 02/25/2007 - 20:51

In some routers/switches, even with the service password-encryption command, the TACACS and SSH keys are not shown encrypted.

The new IOS versions do show them in an encrypted format, and hence I think that you need to upgrade your IOS.

HTH, rate if it does

Narayan

hoogen_82 Mon, 02/26/2007 - 01:09

Do post the full image name, or post the show version output from these switches/routers. This is just to see whether you need an upgrade to run SSH.

Cheers

Hoogen

Richard Burts Mon, 02/26/2007 - 06:36

Christina

For the devices that you indicate do not have SSH it is more likely an issue of different feature set than it is an issue of different version. For SSH you need a feature set that supports encryption and some feature sets do support it and some do not.

For devices that you indicate do not encrypt the TACACS server key, first be sure that you have configured service password-encryption. If the key is still clear text then you need a more recent version of code. In earlier versions of code the service password-encryption encrypted only the line passwords and things like that but not the TACACS server key. In more recent versions of code it encrypts more things including the TACACS server key.

HTH

Rick

neo_christina Tue, 02/27/2007 - 07:27

Hi Hoogen,

I wonder which IOS version I should upgrade to, and whether it is free?

No SSH

======

1) WS-C6509, Version 12.2(18)SXD6 - c6k222-jsv-mz.122-18.SXD6.bin

2) WS-C4507R, Version 12.2(25)EWA1 - cat4000-i9s-mz.122-25.EWA1.bin

3) WS-C3550-48-SMI, Version 12.1(9)EA1c - c3550-i9q3l2-mz.121-9.EA1c.bin

4) Cisco 2621, Version 12.2(7c) - c2600-js-mz.122-7c.bin

5) WS-C3560-24PS, Version 12.2(25)SEB4 - c3560-ipbase-mz.122-25.SEB4.bin

No SSH & Tacacs-server key in cleartext

=======================================

1) WS-C2924C-XL - Version 12.0(5)WC16 - c2900xl-c3h2s-mz.120-5.WC16.bin

2) WS-C2924-XL - Version 12.0(5)XU - c2900XL-c3h2s-mz-120.5-XU.bin

Thanks.

royalblues Tue, 02/27/2007 - 07:42

Friend,

You need a cryptographic image to run SSH.

If you have a valid Cisco contract, then you can download the same from the Cisco website.

Narayan

hoogen_82 Tue, 02/27/2007 - 07:44

I would require the show version and show module output for these switches so that I can guide you exactly. The only thing you need is a CCO login to download these k9 images. I checked today with my sales people and they told me this upgrade doesn't get charged.

Cheers

Hoogen

Richard Burts Tue, 02/27/2007 - 07:45

Christina

If it is a version upgrade to get the encrypted TACACS server key and if you have service contracts on the equipment then I believe the upgrade is free. I found a nice article in TAC case collection which describes for Catalyst the versions of IOS where it is fixed:

http://www.ciscotaccc.com/kaidara-advisor/lanswitching/showcase?case=K38156732

This link requires CCO login. For those who may not have the proper login, here are the versions:

12.3(1.5), 12.3(1.5)T, 12.2(17.4), 12.2(17.4)S, 12.3(2.3)B, 12.3(7)XI, 12.0(31.1)S, 12.1(22)EA07

For solving the SSH issue, if it is a change in feature set, then I believe that there may be a charge for changing feature set.

HTH

Rick
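As an added example (my own code, not posted by anyone in this thread), here is an offline audit script that applies the two checks the replies above describe: Narayan's and Hoogen's point that SSH needs a crypto (k9) image, and Rick's point that on older IOS the TACACS server key stays in cleartext even with service password-encryption. It runs against the image names Christina posted and against a constructed config excerpt for a hypothetical switch. Assumptions: the "k9" substring is treated as the only crypto designator (older naming schemes are not handled), and the sample config, hostname and TACACS key are invented for the demonstration. The type 7 decoder is included because a practitioner should know that service password-encryption only obfuscates the key with a reversible XOR scheme; anyone holding the config can recover it.

```python
"""Audit a Cisco IOS device for two findings: an image without crypto
support (no SSH) and a TACACS+ key stored in cleartext despite
`service password-encryption`. Runs offline; no device is touched."""
import re

# Constructed sample `show running-config` excerpt for a hypothetical switch.
SAMPLE_CONFIG = """\
version 12.0
service password-encryption
hostname sw-access-1
!
tacacs-server host 10.0.0.5
tacacs-server key MySecretKey
!
line vty 0 4
 password 7 0822455D0A16
 transport input telnet
"""

# Image names as posted in the thread. Crypto-capable IOS images carry "k9";
# older designators (for example "56i") are deliberately not handled here.
THREAD_IMAGES = [
    "c6k222-jsv-mz.122-18.SXD6.bin",
    "cat4000-i9s-mz.122-25.EWA1.bin",
    "c3550-i9q3l2-mz.121-9.EA1c.bin",
    "c2600-js-mz.122-7c.bin",
    "c3560-ipbase-mz.122-25.SEB4.bin",
    "c2900xl-c3h2s-mz.120-5.WC16.bin",
]

# Publicly documented XOR key behind IOS "type 7" reversible passwords.
TYPE7_KEY = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

TACACS_KEY_RE = re.compile(r"^\s*tacacs-server key(?: (\d+))? (\S+)", re.M)
SVC_PWD_ENC_RE = re.compile(r"^service password-encryption\s*$", re.M)


def image_supports_crypto(image_name):
    """True if the image name carries the k9 crypto feature designator."""
    return "k9" in image_name.lower()


def decode_type7(encoded):
    """Reverse a type 7 string: a two-digit decimal seed, then hex bytes
    XORed against TYPE7_KEY starting at that seed. This is obfuscation,
    not protection: whoever reads the config recovers the plaintext."""
    seed = int(encoded[:2])
    body = encoded[2:]
    chars = []
    for i in range(0, len(body), 2):
        byte = int(body[i:i + 2], 16)
        chars.append(chr(byte ^ ord(TYPE7_KEY[(seed + i // 2) % len(TYPE7_KEY)])))
    return "".join(chars)


def audit_tacacs_key(config):
    """Classify the tacacs-server key line.

    Returns (status, recovered_key):
      "absent"    - no tacacs-server key configured
      "cleartext" - key stored exactly as typed
      "type7"     - reversibly obfuscated; recovered_key is the plaintext
      "typeN"     - another encryption type; not decoded here
    """
    m = TACACS_KEY_RE.search(config)
    if not m:
        return ("absent", None)
    enc_type, value = m.group(1), m.group(2)
    if enc_type is None:
        return ("cleartext", value)
    if enc_type == "7":
        return ("type7", decode_type7(value))
    return ("type" + enc_type, None)


def audit(config, image_name):
    """Return the list of findings for one device (config text + image name)."""
    findings = []
    if not image_supports_crypto(image_name):
        findings.append("no crypto (k9) feature set in %s: SSH unavailable" % image_name)
    status, key = audit_tacacs_key(config)
    if status == "cleartext" and SVC_PWD_ENC_RE.search(config):
        findings.append("tacacs-server key still cleartext although service "
                        "password-encryption is set: IOS too old to cover it")
    elif status == "cleartext":
        findings.append("tacacs-server key cleartext: service password-encryption not set")
    elif status == "type7":
        findings.append("tacacs-server key is type 7; recoverable from config as %r" % key)
    return findings


if __name__ == "__main__":
    for img in THREAD_IMAGES:
        print(img, "crypto" if image_supports_crypto(img) else "NO crypto")
    for finding in audit(SAMPLE_CONFIG, THREAD_IMAGES[-1]):
        print("-", finding)
```

None of the six posted image names contains the k9 designator, which matches the thread's observation that none of these devices offers SSH. The vty line in the sample shows what service password-encryption actually produces: a type 7 string that decode_type7 turns back into the original password, so an encrypted-looking TACACS key in the config is still a secret to be protected, not a secret that is safe to share.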
