
Configuring OSPF MD5 Authentication - Question

15 years 6 months ago #27838 by Damien610
OK, am slowly setting up OSPF MD5 authentication using the online help command. I chose encryption type 7; after this, when I entered my password (baker), I got the OSPF Invalid encrypted password error, see below..

Dublin(config-if)#ip ospf message-digest-key 1 ?
md5 Use MD5 algorithm

Dublin(config-if)#ip ospf message-digest-key 1 md5 ?
<0-7> Encryption type (0 for not yet encrypted, 7 for proprietary)
LINE The OSPF password (key)

Dublin(config-if)#ip ospf message-digest-key 1 md5 7 ?
LINE The OSPF password (key)

Dublin(config-if)#ip ospf message-digest-key 1 md5 7 baker
OSPF: Invalid encrypted password: baker

I erased the invalid line using the

Dublin(config-if)#no ip ospf message-digest-key 1 md5 7 baker

Then entered without the Encryption type as below

Dublin(config-if)#ip ospf message-digest-key 1 md5 baker

This worked and after configuring the neighbouring router, MD5 authentication was configured.

My questions are....

What is the purpose of the <0-7> Encryption type?

Why did I get the error?
15 years 6 months ago #27849 by SteveP
Are you using real routers or Packet Tracer? I recall an inconsistency in the commands when I used Packet Tracer for authentication. I assumed that there was a bug in the software but didn't investigate further.
15 years 6 months ago #27851 by novembre
0 tells the router that a plaintext password follows (default)
7 tells the router that a type 7 Cisco password will follow

That's why you got the error "OSPF: Invalid encrypted password: baker", because you entered a plaintext password.

If you set up one neighbour with "ip ospf message-digest-key 1 md5 cisco" and the other with "ip ospf message-digest-key 1 md5 7 110A1016141D" they will form an adjacency because "110A1016141D" is the type 7 password for "cisco".

BTW if you enable password encryption (service password-encryption) then the running config will change itself to the type 7 password and set up as above.. I'm not sure about the why of this, it will probably be in Cisco's command reference guide. Maybe the command was added before password-encryption was standard or maybe it's so you don't have to give your password out to everyone working on the network - I dunno, either way type 7 passwords are very easily broken...
15 years 6 months ago #27854 by SteveP
Hey novembre, that's a nice answer ... and I'd not even considered that interpretation, having waded through plenty of Cisco material! I don't think it's intuitive. I'll make sure that I play around with this at the next opportunity.

As a side shoot - I realise that "baker" couldn't possibly be anything other than plain text, but what if the password happened to be ABCDEF (OK, not a strong password, but you get the point). It *could* be plain text or it *could* be encrypted. If a netadmin happened to configure two adjacent routers and, mistakenly, configured "0" on one router and "7" on the other (both passwords "ABCDEF"), it could be a very difficult error to pick up. I suspect that clues would be seen in the debug output.
15 years 6 months ago #27855 by Damien610

If you setup one neighbour with "ip ospf message-digest-key 1 md5 cisco" and the other with "ip ospf message-digest-key 1 md5 7 110A1016141D" they will form an adjacency because "110A1016141D" is the type 7 password for "cisco"


Shouldn't that be

ip ospf message-digest-key 1 md5 0 cisco - which will denote clear text?

Also, how do you know that 110A1016141D is the type 7 password for cisco?
15 years 6 months ago #27858 by novembre
Damien610:

either or, 0 is the default - if you type "ip ospf message-digest-key 1 md5 0 cisco" it will look like "ip ospf message-digest-key 1 md5 cisco" in your config. I knew the encrypted version of "cisco" because I configured the password in plaintext and then enabled password-encryption for my router.


SteveP:

yah I dunno, there must be an algorithm to check, they look suspiciously hexadecimal so that could be a start. I only know the difference because I misconfigured OSPF on a Juniper ERX by doing something similar (in a previous lifetime ERX's belonged to a different vendor who borrowed a lot of CLI from Cisco).

Regardless, you'd be mad to configure your router this way, you get the same effect by configuring a sane plaintext password then enabling password-encryption.
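
Added example, not part of the thread and not Cisco's code: a sketch of the publicly documented type 7 scheme (two decimal digits giving an offset into a fixed table, then hex bytes XORed against that table), which shows why "110A1016141D" corresponds to "cisco", why "baker" and "ABCDEF" are not well-formed type 7 strings under this format, and why type 7 is obfuscation rather than encryption. The function names are hypothetical.

```python
import re

# Fixed translation table used by type 7 obfuscation (publicly documented;
# identical on every device, so it provides no secrecy).
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Two decimal digits (table offset), then one or more hex byte pairs.
TYPE7_RE = re.compile(r"([0-9]{2})((?:[0-9A-Fa-f]{2})+)")


def type7_encode(plaintext: str, salt: int) -> str:
    """Obfuscate plaintext, starting at table offset `salt`."""
    if not 0 <= salt < len(XLAT):
        raise ValueError("salt out of range")
    body = bytes(b ^ XLAT[(salt + i) % len(XLAT)]
                 for i, b in enumerate(plaintext.encode("ascii")))
    return f"{salt:02d}{body.hex().upper()}"


def type7_decode(encoded: str) -> str:
    """Reverse the XOR. Raises ValueError if the string is not well-formed."""
    m = TYPE7_RE.fullmatch(encoded)
    if m is None or int(m.group(1)) >= len(XLAT):
        raise ValueError(f"not a well-formed type 7 string: {encoded!r}")
    salt = int(m.group(1))
    body = bytes.fromhex(m.group(2))
    return bytes(b ^ XLAT[(salt + i) % len(XLAT)]
                 for i, b in enumerate(body)).decode("latin-1")


def is_type7(candidate: str) -> bool:
    """Syntactic check only: could this string be a type 7 value?"""
    try:
        type7_decode(candidate)
        return True
    except ValueError:
        return False


def keys_match(type0_key: str, type7_key: str) -> bool:
    """True if a plaintext (type 0) key and a type 7 key are the same secret,
    i.e. whether two neighbours configured this way share one MD5 key."""
    return type7_decode(type7_key) == type0_key


if __name__ == "__main__":
    print(type7_decode("110A1016141D"))          # value quoted in the thread
    print(is_type7("baker"), is_type7("ABCDEF"))
    print(keys_match("cisco", type7_encode("cisco", 8)))
```

Because the offset is chosen when the config is written, one key has many type 7 forms, so compare the recovered keys rather than the strings as they appear in two configs.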