Security

Hello,

I was just looking for some clarity around storing the manager and operator passwords on an Aruba 2920-48G switch.  

Are passwords encrypted by default?

Is 'plaintext' in the following command merely to indicate that the password is entered as plaintext and encrypted by the switch?

password manager plaintext PASSWORD 

Regards.

Your passwords are not displayed in the running configuration on ProCurve switches, neither as plaintext nor as hash. Not sure where exactly it stores them, but they cannot be seen from the config itself.

Not sure if that was your concern or something else.

Jibran,

Thanks for getting back to me.  That was partly my concern.  I check the running config and couldn't see any reference to the password.  

It would be good to know if it's encrypted, if I need to anything to encrypt it or what Aruba's best practises are.

Regards

In a document called 'Configuration of HP ProCurve Devices in a Campus Environment' i found a line stating:  "In HP devices, a special area that is not readily accessible is used to store passwords. Therefore password settings are not visible in the switch configuration file."

http://services.geant.net/cbp/Knowledge_Base/Campus_Networking/Documents/gn3-na3-t4-cbpd111.pdf

Inside the system, passwords are stored as MD5. Below link can confirm this:

https://community.hpe.com/t5/ProCurve-ProVision-Based/Switch-Local-Password-Store-and-Hash/td-p/5978797

Greetings!

The recently-released 16.03 switch software for the 2920, 2930F, 3810, and 5400R switch series introduces support for storing local credentials as SHA-256 hashes, for improved security over the default SHA-1 format.  This option can be enabled with the following command, executed from the switch configuration context:

password non-plaintext-sha256

There are a few limitations to this feature; I've copied the following from the WC.16.03 Access Security Guide (page 44-45):

• After password non-plaintext-sha256 is executed, the password cannot be converted back to plaintext; you must reconfigure the password.
• This feature is not applicable for passwords used in protocol handshaking (for example, SNMPv3, OSPF, and BFD).
• Configuring the password in SHA-256 format is not allowed if the password complexity feature is enabled.
• If the passwords in the configuration are in SHA-256 format, downgrading to a version where this feature is not supported results in the deletion of the passwords. HPE recommends that you disable this feature and reconfigure the password before downgrading.
• If the password non-plaintext-sha256 feature is enabled, you are not allowed to enter the password in SHA-1 format.

Thanks for the update.  I'm still running 16.02.

Hi,

Currently I am using Sha 256 non-text password. If I want to switch to Sha-1. What is the process?

Hi! What abour tacacs shared secret?? I'm running 16.05, ran the command you seggested but still can see the TACACS shared secret... Any thoughts?

Thanx!

Don't forget to add the following commands:

include-credentials
encrypt-credentials

Thanks RLitchfield. But I would like to have the exact commands.

I tried executing the below:

no password non-plaintext-sha256

But In running config of the Switch, I still see "password non-plaintext-sha256"

Greetings!

When you ran the 'no password non-plaintext-sha256' command, you should have seen a prompt similar to the following:

switch(config)# no password non-plaintext-sha256 

                              **** CAUTION ****

 This will remove switch passwords, you need to reconfigure switch passwords later.

 Do you want to continue (y/n)?  y

 Do you want to set new switch passwords (y/n)?  n

Did you see that when you ran the command?  If you did, did you choose to continue and/or set new passwords?

If you did not see that prompt, could you let us know what software version you're running?