Securing CLI
 


Securing the Switch CLI

Console, Telnet, SSH access

Console
(config)# line con 0
(config-line)# password conpasswd
(config-line)# login

Vty
(config)# line vty 0 15
(config-line)# password vtypasswd
(config-line)# login

ssh
(config)# username mario password mak
(config)# username joe password sixpak
(config)# ip domain-name test.com !-- required for rsa key generation
(config)# crypto key generate rsa !-- This will prompt for a modulus: 512, 1024, 2048
(config)# line vty 0 15
(config-line)# login local
(config-line)# transport input ssh telnet

(config)# show crypto key mypubkey rsa

'enable password' and 'enable secret'
(config)# enable password enpasswd !-- This is listed in clear text in the config file
(config)# enable secret ensecret !-- An MD5 hash of the password is listed the config file

  • If the enable secret is set the enable password is not used.

service password-encryption

  • encrypts the passwords so they cannot be read when viewing/printing the config file.

Banners

MOTD Shown before the login prompt. For temporary messages
Login Shown before the login pormpt but after the MOTD. For permanent messages ie.. "Unauthorized Use"
Exec Shown after login. For info that should be hidden from unauthorized users

Command History buffer
show history
history size x !-- At the con or vty line config mode
terminal history size x !-- Sets history size only for the current terminal session

exec-timeout minutes seconds
default is 5 minutes.