SSH & tacacs-server key in cleartext

neo_christina
Level 1

Hi,

I would appreciate some advice on the following:

I have the following devices which are required to be configured with SSH and the tacacs-server key as encrypted text. I don't think the existing IOS supports the request. Please advise whether the only way to fulfil the above is to upgrade the IOS (if yes, which IOS?) or whether there are any commands which can do that.

No SSH

======

1) WS-C6509, Version 12.2(18)SXD6

2) WS-C4507R, Version 12.2(25)EWA1

3) WS-C3550-48-SMI, Version 12.1(9)EA1c

4) Cisco 2621, Version 12.2(7c)

5) WS-C3560-24PS, Version 12.2(25)SEB4

No SSH & Tacacs-server key in cleartext

=======================================

1) WS-C2924C-XL - Version 12.0(5)WC16

2) WS-C2924-XL - Version 12.0(5)XU

Thanks

8 Replies

royalblues
Level 10

In some routers/switches, even with the service password-encryption command, the TACACS and SSH keys are not shown encrypted.

The new IOS versions do show them in an encrypted format and hence I think that you need to upgrade your IOS.

HTH, rate if it does

Narayan

hoogen_82
Level 4

Do post the full image name, or post the show version output from these switches/routers. This is just to see if you need an upgrade to run SSH.

Cheers

Hoogen

Christina

For the devices that you indicate do not have SSH it is more likely an issue of different feature set than it is an issue of different version. For SSH you need a feature set that supports encryption and some feature sets do support it and some do not.

For devices that you indicate do not encrypt the TACACS server key, first be sure that you have configured service password-encryption. If the key is still clear text then you need a more recent version of code. In earlier versions of code the service password-encryption encrypted only the line passwords and things like that but not the TACACS server key. In more recent versions of code it encrypts more things including the TACACS server key.

HTH

Rick


Hi Hoogen,

I wonder what IOS version to upgrade to and whether it is free?

No SSH

======

1) WS-C6509, Version 12.2(18)SXD6 - c6k222-jsv-mz.122-18.SXD6.bin

2) WS-C4507R, Version 12.2(25)EWA1 - cat4000-i9s-mz.122-25.EWA1.bin

3) WS-C3550-48-SMI, Version 12.1(9)EA1c - c3550-i9q3l2-mz.121-9.EA1c.bin

4) Cisco 2621, Version 12.2(7c) - c2600-js-mz.122-7c.bin

5) WS-C3560-24PS, Version 12.2(25)SEB4 - c3560-ipbase-mz.122-25.SEB4.bin

No SSH & Tacacs-server key in cleartext

=======================================

1) WS-C2924C-XL - Version 12.0(5)WC16 - c2900xl-c3h2s-mz.120-5.WC16.bin

2) WS-C2924-XL - Version 12.0(5)XU - c2900XL-c3h2s-mz-120.5-XU.bin

Thanks.

Friend,

You need a cryptographic image to run SSH.

If you have a valid Cisco contract, then you can download the same from the Cisco website.

Narayan

I would require the show version and show module output for these switches so that I can guide you exactly. The only thing you need is a CCO login to download these k9 images. I checked today with my sales people and they told me this upgrade doesn't get charged.

Cheers

Hoogen

Christina

If it is a version upgrade to get the encrypted TACACS server key and if you have service contracts on the equipment then I believe the upgrade is free. I found a nice article in TAC case collection which describes for Catalyst the versions of IOS where it is fixed:

http://www.ciscotaccc.com/kaidara-advisor/lanswitching/showcase?case=K38156732

This link requires CCO login. For those who may not have the proper login, here are the versions:

12.3(1.5), 12.3(1.5)T, 12.2(17.4), 12.2(17.4)S, 12.3(2.3)B, 12.3(7)XI, 12.0(31.1)S, 12.1(22)EA07

For solving the SSH issue, if it is a change in feature set, then I believe that there may be a charge for changing feature set.

HTH

Rick
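
An offline check for the two conditions discussed in this thread, added here as an example and not posted by any participant: whether a saved configuration has `service password-encryption` and still stores the TACACS+ key in cleartext, and whether an image file name carries the `k9` tag Hoogen mentions. The sample configuration and its key value are constructed, the function names are hypothetical, and the image check assumes the feature set is the second hyphen-separated field of the file name.

```python
import re

# Constructed sample running-config; the key value is a placeholder.
SAMPLE_CONFIG = """\
no service password-encryption
hostname lab-sw1
tacacs-server host 192.0.2.10
tacacs-server key ExamplePlaceholderKey
"""

# Matches the global form and the per-host form ("tacacs-server host A.B.C.D key ...").
# Group 1 is the optional encryption type (0 = cleartext, 7 = encrypted by
# service password-encryption); group 2 is the stored key string.
KEY_RE = re.compile(r"^tacacs-server (?:host \S+ (?:.*? )?)?key (?:(\d) )?(\S+)")


def audit_config(text):
    """Return findings for the checks Rick describes; key values are never echoed."""
    lines = [line.rstrip() for line in text.splitlines()]
    findings = []
    if "service password-encryption" not in lines:
        findings.append("service password-encryption is not configured")
    for number, line in enumerate(lines, 1):
        match = KEY_RE.match(line)
        if match and match.group(1) in (None, "0"):
            findings.append(f"line {number}: TACACS+ server key stored in cleartext")
    return findings


def has_k9_feature_set(image_name):
    """Assumption: the feature set is the second hyphen-separated field of the name."""
    fields = image_name.lower().split("-")
    return len(fields) > 1 and "k9" in fields[1]


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
    # Image names as posted in the thread.
    for image in ("c6k222-jsv-mz.122-18.SXD6.bin", "c3560-ipbase-mz.122-25.SEB4.bin"):
        print(image, "k9 feature set:", has_k9_feature_set(image))
```

Run it against a saved copy of `show running-config`; a cleartext finding that remains after `service password-encryption` is configured corresponds to the older-code case Rick describes.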
