Securing CLI
		 
Securing the Switch CLI
Console, Telnet, SSH access
	
	Console
	(config)# line con 0
	(config-line)# password conpasswd
	(config-line)# login
	
	Vty
	(config)# line vty 0 15
	(config-line)# password vtypasswd
	(config-line)# login
	
	ssh
	(config)# username mario password mak
	(config)# username joe password sixpak
	(config)# ip domain-name test.com !-- required for rsa key generation
	(config)# crypto key generate rsa !-- This will prompt for a modulus: 512, 1024, 2048
	(config)# line vty 0 15
	(config-line)# login local
	(config-line)# transport input ssh telnet
	
	# show crypto key mypubkey rsa
	
	'enable password' and 'enable secret'
	(config)# enable password enpasswd !-- This is listed in clear text in the config file
	(config)# enable secret ensecret !-- An MD5 hash of the password is listed in the config file
- If the enable secret is set, the enable password is not used.
 
service password-encryption
- encrypts the passwords so they cannot be read when viewing/printing the config file.
 
Banners
| MOTD | Shown before the login prompt. For temporary messages | 
| Login | Shown before the login prompt but after the MOTD. For permanent messages, i.e. "Unauthorized Use" | 
| Exec | Shown after login. For info that should be hidden from unauthorized users | 
Command History buffer
	show history
	history size x !-- In con or vty line config mode
	terminal history size x !-- Sets history size only for the current terminal session
	
	exec-timeout minutes seconds
	default is 5 minutes.
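
An added example (not part of the original notes): a small Python check that scans an IOS-style configuration for the weak settings covered above, namely Telnet allowed on a line, a shared line password (`login` instead of `login local`), `enable password` without `enable secret`, and missing `service password-encryption`. The sample configuration is constructed, and flagging `exec-timeout 0 0` and `transport input all` is an assumption that goes beyond what the notes state.

```python
# Constructed sample built from the commands in these notes, plus an
# "exec-timeout 0 0" line added to show the disabled-timeout case.
SAMPLE_CONFIG = """\
enable password enpasswd
username mario password mak
line con 0
 password conpasswd
 login
 exec-timeout 0 0
line vty 0 15
 login local
 transport input ssh telnet
"""

def audit(config):
    """Return findings for an IOS-style config given as text."""
    findings = []
    section = None   # current "line ..." block, if any
    seen = set()     # first two words of every global command
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue
        if not raw[0].isspace():                 # global-level command
            section = raw.strip() if words[0] == "line" else None
            seen.add(" ".join(words[:2]))
        elif section:                            # sub-command of a line block
            if words[:2] == ["transport", "input"] and {"telnet", "all"} & set(words[2:]):
                findings.append(f"{section}: Telnet permitted (cleartext session)")
            elif words == ["login"]:
                findings.append(f"{section}: shared line password, not 'login local'")
            elif words[0] == "exec-timeout" and words[1:] and set(words[1:]) == {"0"}:
                findings.append(f"{section}: exec-timeout disabled")
    if "enable password" in seen and "enable secret" not in seen:
        findings.append("enable password set without enable secret")
    if "service password-encryption" not in seen:
        findings.append("service password-encryption not enabled")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, it reports five findings; a configuration with `enable secret`, `service password-encryption`, `login local` and `transport input ssh` reports none.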
