Password configured with sha256 option not working

  • 1.  Password configured with sha256 option not working

    Posted Feb 20, 2020 03:45 PM

    Hello,

    I am trying to harden the security of my Aruba 2930F switch by disabling SHA-1 and enabling SHA-256.

    SW01(config)# password non-plaintext-sha256
    SW01(config)# password manager user-name admin sha256 [PASSWORD-STR]

    When I try to log on from the client machine running Linux with OpenSSH legacy SHA-1 deactivated, I get:

    $ ssh admin@10.10.10.10
    Unable to negotiate with 10.0.16.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1

    I did follow the ArubaOS Hardening Guide here, but I may have missed something.



  • 2.  RE: Password configured with sha256 option not working
    Best Answer

    Posted Feb 21, 2020 07:25 AM

    Hi Valentin,

    The first command is for storing the password on the switch.

    The hardening guide is for the Aruba OS Mobility Controller.

    I am not sure it is possible to change the cipher for SSH on an ArubaOS switch...
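
Added example, not from any post in this thread: the error in post 1 comes from SSH algorithm negotiation, which is a separate setting from the hash used to store passwords on the switch. This Python sketch parses the OpenSSH client's negotiation error and reports which algorithm class failed and which client option governs it; the function name `diagnose` and the second sample line are constructed for illustration.

```python
import re

# OpenSSH client wording for each negotiation failure, mapped to the
# ssh_config option that governs that algorithm class on the client.
CLIENT_OPTION = {
    "key exchange method": "KexAlgorithms",
    "cipher": "Ciphers",
    "MAC": "MACs",
    "host key type": "HostKeyAlgorithms",
}

ERROR_RE = re.compile(
    r"Unable to negotiate with (?P<peer>\S+) port (?P<port>\d+): "
    r"no matching (?P<kind>.+?) found\. Their offer: (?P<offer>\S+)"
)
# Matches names that spell out SHA-1 (hmac-sha1, ...-sha1, hmac-sha1-96).
# Names such as ssh-rsa do not spell out their hash and are not flagged.
SHA1_NAME = re.compile(r"(?:^|-)sha1(?:$|[-@])")


def diagnose(line):
    """Classify one 'Unable to negotiate' line; None if it is not one."""
    m = ERROR_RE.search(line)
    if m is None:
        return None
    offered = m.group("offer").split(",")
    sha1 = [name for name in offered if SHA1_NAME.search(name)]
    return {
        "peer": m.group("peer"),
        "port": int(m.group("port")),
        "failed_class": m.group("kind"),
        "client_option": CLIENT_OPTION.get(m.group("kind"), "unknown"),
        "offered": offered,
        "sha1_offers": sha1,
        "only_sha1_offered": bool(offered) and sha1 == offered,
        # Algorithm negotiation happens before user authentication, so the
        # hash used to store passwords on the server plays no part in it.
        "before_authentication": True,
    }


# The error line quoted in post 1.
POST1_ERROR = ("Unable to negotiate with 10.0.16.1 port 22: no matching key "
               "exchange method found. Their offer: diffie-hellman-group14-sha1")
# Constructed line, for contrast: a MAC mismatch with a mixed offer.
CONSTRUCTED_MAC_ERROR = ("Unable to negotiate with 192.0.2.10 port 22: no "
                         "matching MAC found. Their offer: hmac-sha1,hmac-sha2-256")

if __name__ == "__main__":
    for sample in (POST1_ERROR, CONSTRUCTED_MAC_ERROR):
        print(diagnose(sample))
```
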



  • 3.  RE: Password configured with sha256 option not working

    Posted Sep 19, 2020 04:09 PM

    HW HPE 2530-48 ver YB.16.10.0010

     

    ArubaOS-Switch Hardening Guide for 16.06.pdf p19 shows I can create a user with sha256
    switch(config)# password manager user-name localadmin sha256 95d30169a59c418b52013315fc81bc99fdf0a7b03a116f346ab628496f349ed5

    but I can't find sha256, only sha1, on my switch

    # password manager user-name admin
    aging-period Configures the password aging time for a user.
    clear-history-record Clears the history of the password for a user.
    min-pwd-length Configures the minimum password length for a user.
    plaintext Enter a plaintext password.
    sha1 Enter a SHA-1 password hash.

    How do I enable user sha256?
    It is easy to decrypt sha1.

    tq



  • 4.  RE: Password configured with sha256 option not working

    Posted Sep 19, 2020 07:11 PM

    Hi! Have you tried first enabling password storage as encrypted using SHA-256 through the command password non-plaintext-sha256? I haven't found the sha256 option either.



  • 5.  RE: Password configured with sha256 option not working

    Posted Sep 19, 2020 09:17 PM

    There is no "password non-plaintext-sha256" command

    HP-2530-24(config)# password non-plaintext-sha256
    Invalid input: non-plaintext-sha256



  • 6.  RE: Password configured with sha256 option not working

    Posted Apr 05, 2021 10:33 AM
    You need to be running a KB edition of ArubaOS to have the 'password non-plaintext-sha256' command available.  Run 'show version' to see which edition and version of the OS you are running.

    If you're running a KB edition, remove the SHA1 users, add 'password non-plaintext-sha256' to your config, then add the sha256 users & hashes.

    ------------------------------
    Shawn Southern
    ------------------------------



  • 7.  RE: Password configured with sha256 option not working

    Posted Apr 05, 2021 10:32 AM
    In order to enable SHA256 hashes for passwords, you have to be running a KB version of the OS, in order to use 'password non-plaintext-sha256'.  I'm running KB.16.09.0015 to test this on an out-of-the-box switch.

    If you're running a KB switch software version, you can have this in your config:
    password operator user-name "operatoruser" sha256 "sha256 hash here"
    password manager user-name "manageruser" sha256 "sha256 hash here"
    password non-plaintext-sha256

    ------------------------------
    Shawn Southern
    ------------------------------