- Posts: 17
- Thank you received: 0
Configuring OSPF MD5 Authentication - Question
16 years 2 months ago #27838
by Damien610
Configuring OSPF MD5 Authentication - Question was created by Damien610
OK, am slowly setting up OSPF MD5 authentication using the online help command, I choose encryption type 7, after this when I entered my password (baker) I got the OSPF Invalid
encrypted pasword error see below..
Dublin(config-if)#ip ospf message-digest-key 1 ?
md5 Use MD5 algorithm
Dublin(config-if)#ip ospf message-digest-key 1 md5 ?
<0-7> Encryption type (0 for not yet encrypted, 7 for proprietary)
LINE The OSPF password (key)
Dublin(config-if)#ip ospf message-digest-key 1 md5 7 ?
LINE The OSPF password (key)
Dublin(config-if)#ip ospf message-digest-key 1 md5 7 baker
OSPF: Invalid encrypted password: baker
I erased the invalid line using the
Dublin(config-if)#no ip ospf message-digest-key 1 md5 7 baker
Then entered without the Encryption type as below
Dublin(config-if)#ip ospf message-digest-key 1 md5 baker
This worked and after configuring the neighbouring router, MD5 authentication was configured.
My questions are....
What is the purpose of the <0-7> Encryption type :
Why did I get the error :
encrypted pasword error see below..
Dublin(config-if)#ip ospf message-digest-key 1 ?
md5 Use MD5 algorithm
Dublin(config-if)#ip ospf message-digest-key 1 md5 ?
<0-7> Encryption type (0 for not yet encrypted, 7 for proprietary)
LINE The OSPF password (key)
Dublin(config-if)#ip ospf message-digest-key 1 md5 7 ?
LINE The OSPF password (key)
Dublin(config-if)#ip ospf message-digest-key 1 md5 7 baker
OSPF: Invalid encrypted password: baker
I erased the invalid line using the
Dublin(config-if)#no ip ospf message-digest-key 1 md5 7 baker
Then entered without the Encryption type as below
Dublin(config-if)#ip ospf message-digest-key 1 md5 baker
This worked and after configuring the neighbouring router, MD5 authentication was configured.
My questions are....
What is the purpose of the <0-7> Encryption type :
Why did I get the error :
16 years 1 month ago #27849
by SteveP
Replied by SteveP on topic Re: Configuring OSPF MD5 Authentication - Question
Are you using real routers or Packet Tracer? I recall an inconsistency in the commands when I used Packet Tracer for authentication. I assumed that there was a bug in the software but didn't investigate further.
16 years 1 month ago #27851
by novembre
Replied by novembre on topic Re: Configuring OSPF MD5 Authentication - Question
0 tells the router that a plaintext password follow (default)
7 tells the router that a type 7 Cisco password will follow
Thats why you got the error, "OSPF: Invalid encrypted password: baker" Because you entered a plaintext password.
If you setup one neighbour with "ip ospf message-digest-key 1 md5 cisco" and the other with "ip ospf message-digest-key 1 md5 7 110A1016141D" they will form an adjacency because "110A1016141D" is the type 7 password for "cisco"
BTW if you enable password encryption (service password-encryption) then the running config will change itself to the type 7 password and setup as above.. I'm not about the why of this, it will probably be on cisco's command reference guide. Maybe the command was added before password-encryption was standard or maybe its so you don't have to give you password out to everyone working on the network - I dunno, either way type 7 passwords are very easily broken...
7 tells the router that a type 7 Cisco password will follow
Thats why you got the error, "OSPF: Invalid encrypted password: baker" Because you entered a plaintext password.
If you setup one neighbour with "ip ospf message-digest-key 1 md5 cisco" and the other with "ip ospf message-digest-key 1 md5 7 110A1016141D" they will form an adjacency because "110A1016141D" is the type 7 password for "cisco"
BTW if you enable password encryption (service password-encryption) then the running config will change itself to the type 7 password and setup as above.. I'm not about the why of this, it will probably be on cisco's command reference guide. Maybe the command was added before password-encryption was standard or maybe its so you don't have to give you password out to everyone working on the network - I dunno, either way type 7 passwords are very easily broken...
16 years 1 month ago #27854
by SteveP
Replied by SteveP on topic Re: Configuring OSPF MD5 Authentication - Question
Hey novembre, that's a nice answer ... and I'd not even considered that interpretation, having waded through plenty of Cisco material! I don't think it's intuitive. I'll make sure that I play around with this at the next opportunity.
As a side shoot - I realise that "baker" couldn't possibly be anything other than plain text, but what if the password happened to be ABCDEF (OK, not a strong password, but you get the point). It *could* be plain text or it *could* be encrypted. If a netadmin happened to configure two adjacent routers and, mistakenly, configured "0" on one router and "7" on the other (both passwords "ABCDEF"), it could be a very difficult error to pick up. I suspect that clues would be seen in the debug output.
As a side shoot - I realise that "baker" couldn't possibly be anything other than plain text, but what if the password happened to be ABCDEF (OK, not a strong password, but you get the point). It *could* be plain text or it *could* be encrypted. If a netadmin happened to configure two adjacent routers and, mistakenly, configured "0" on one router and "7" on the other (both passwords "ABCDEF"), it could be a very difficult error to pick up. I suspect that clues would be seen in the debug output.
16 years 1 month ago #27855
by Damien610
shouldnt that be
ip ospf message-digest-key 1 md5 0 cisco - which will denote clear text ?
also, how do you know that 110A1016141D is the type 7 password for cisco :
Replied by Damien610 on topic Re: Configuring OSPF MD5 Authentication - Question
If you setup one neighbour with "ip ospf message-digest-key 1 md5 cisco" and the other with "ip ospf message-digest-key 1 md5 7 110A1016141D" they will form an adjacency because "110A1016141D" is the type 7 password for "cisco"
shouldnt that be
ip ospf message-digest-key 1 md5 0 cisco - which will denote clear text ?
also, how do you know that 110A1016141D is the type 7 password for cisco :
16 years 1 month ago #27858
by novembre
Replied by novembre on topic Re: Configuring OSPF MD5 Authentication - Question
Damien610:
either or, 0 is the default - if you type "ip ospf message-digest-key 1 md5 0 cisco" it will look like "ip ospf message-digest-key 1 md5 cisco" in your config. I knew the encrypted version of "cisco" because I configured the password in plaintext and then enabled password-encryption for my router.
SteveP:
yah I dunno, there must be an algorithm to check, they look suspiciously hexadecimal so that could be a start. I only know the difference because I misconfigured OSPF on a Juniper ERX by doing something similar (in a previous lifetime ERX's belonged to a different vendor who borrowed a lot of CLI from Cisco).
Regardless, you'd be mad to configure your router this way, you get the same effect by configuring a sane plaintext password then enabling password-encryption.
either or, 0 is the default - if you type "ip ospf message-digest-key 1 md5 0 cisco" it will look like "ip ospf message-digest-key 1 md5 cisco" in your config. I knew the encrypted version of "cisco" because I configured the password in plaintext and then enabled password-encryption for my router.
SteveP:
yah I dunno, there must be an algorithm to check, they look suspiciously hexadecimal so that could be a start. I only know the difference because I misconfigured OSPF on a Juniper ERX by doing something similar (in a previous lifetime ERX's belonged to a different vendor who borrowed a lot of CLI from Cisco).
Regardless, you'd be mad to configure your router this way, you get the same effect by configuring a sane plaintext password then enabling password-encryption.
Time to create page: 0.149 seconds