Re: OSPF Authentication

From: Jay Hennigan (jay@west.net)
Date: Wed Dec 03 2003 - 06:30:09 GMT-3


On Wed, 3 Dec 2003, Ashok Verma (ashoverm) wrote:

> I have a question about OSPF authentication. When we configure
> simple clear-text authentication by using the " ip ospf
> authentication-key <encryption type 0-7> <key> ",
>
> which encryption type should be used? Sometimes this gives problems in
> authentication of the hello between neighbours.

This is similar to the "encryption" of other passwords within the
"show running" context.

If you, for example, enter the command:

  ip ospf authentication-key foobar

and also enter the global command:

  service password-encryption

then when viewing the configuration you'll see something along the lines of:

  ip ospf authentication-key 7 032C524B1207245E4B48

The "7" above denotes encryption type 7, the weak XOR algorithm to
prevent shoulder-surfing. It is well documented and easily reversed.
See among many others:

http://exampointers.com/security/passwd.htm
http://www.kazmier.com/computer/cisco-apps.html
http://www.alcrypto.co.uk/cisco/mudge.txt

(The string above can be decoded with the tools above, it isn't "foobar")

See also:

http://www.cisco.com/warp/public/701/64.html

If you have a working network where you don't know the actual key and
you don't have access to the secret decoder rings mentioned above, you
can copy the entire line including the "7" from one router to another
and it will work. (The same trick works for enable secrets with the "5"
encryption, but these aren't trivially reversed like type 7 passwords.)

If you use the "7", the string following must be encrypted with the Cisco
algorithm. Don't use 7 followed by a clear-text password. This will
break.

You can also do:

  ip ospf authentication-key 0 foobar

Where the "0" denotes a clear-text password. This is the same thing as

  ip ospf authentication-key foobar

A "5" denotes an MD5 hash TTBOMK only usable for enable secret.

Hint: Don't use "0", "5" or "7" as the first character of passwords on
Cisco devices; you may run into strange results with some IOS versions.
Especially don't use any single digit followed by a space at the beginning
of a password.

-- 
Jay Hennigan - CCIE #7880 - Network Administration - jay@west.net
WestNet:  Connecting you to the planet.  805 884-6323      WB6RDV
NetLojix Communications, Inc.  -  http://www.netlojix.com/
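The type 7 scheme Jay describes above, worked through as an added example (not code from the original post, and not Cisco's own implementation). It assumes the widely published 53-byte XOR table: the first two characters of a type 7 string are a decimal offset into that table, and every following pair of hex digits is one password byte XORed with the table byte at that offset. The string from the post decodes as shown, and the round trip makes clear why "7" followed by clear text cannot work: the text after the 7 must be valid hex. The parse_auth_key function at the end is a constructed model of how a `[0|7] <key>` argument is read, illustrating the hint about passwords that start with a digit and a space; it is an assumption, not IOS source.

```python
"""Cisco type 7 ("service password-encryption") encode/decode.

Constructed example. XLAT is the published XOR table; the scheme has no
secret beyond it, which is why type 7 only defeats shoulder-surfing.
"""
from typing import Tuple

# Fixed 53-byte XOR table used by type 7 (widely published).
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def is_type7_string(s: str) -> bool:
    """True if s has the shape IOS writes after a "7": two decimal digits
    (the table offset) followed by an even number of hex digits."""
    if len(s) < 4 or len(s) % 2:
        return False
    seed, body = s[:2], s[2:]
    if not seed.isdigit() or int(seed) >= len(XLAT):
        return False
    try:
        bytes.fromhex(body)
    except ValueError:
        return False
    return True


def type7_decode(s: str) -> str:
    """Reverse a type 7 string to the clear-text password."""
    if not is_type7_string(s):
        raise ValueError(f"not a type 7 string: {s!r}")
    seed = int(s[:2])
    cipher = bytes.fromhex(s[2:])
    plain = bytes(c ^ XLAT[(seed + i) % len(XLAT)] for i, c in enumerate(cipher))
    return plain.decode("latin-1")


def type7_encode(password: str, seed: int = 0) -> str:
    """Produce a type 7 string. IOS-generated strings typically use a seed
    in 0..15; any offset inside the table decodes with the same algorithm."""
    if not 0 <= seed < len(XLAT):
        raise ValueError("seed out of range")
    data = password.encode("latin-1")
    out = bytes(c ^ XLAT[(seed + i) % len(XLAT)] for i, c in enumerate(data))
    return f"{seed:02d}{out.hex().upper()}"


def parse_auth_key(args: str) -> Tuple[int, str]:
    """Model (assumption, not IOS source) of reading the argument of
    `ip ospf authentication-key [0|7] <key>`: a leading token of "0" or "7"
    is taken as the encryption type; otherwise the whole string is a
    type 0 key. Returns (type, clear-text key). Raises ValueError when
    a "7" is followed by something that is not a valid type 7 string,
    which is the failure mode of a password such as "7 foo".
    """
    tokens = args.split(" ", 1)
    if len(tokens) == 2 and tokens[0] in ("0", "7"):
        enc_type, key = int(tokens[0]), tokens[1]
    else:
        enc_type, key = 0, args
    if enc_type == 7:
        return 7, type7_decode(key)
    return 0, key


if __name__ == "__main__":
    # The string from the post: not "foobar", as Jay says.
    print(type7_decode("032C524B1207245E4B48"))
    print(type7_encode("foobar", seed=7))
    print(parse_auth_key("7 " + type7_encode("foobar", seed=7)))
```

Because the same table and offset rule hold on every router, a line copied verbatim with its "7" and hex string works on another box, exactly as the post says; the only thing the copy does not give you is the knowledge of the clear text, and the decoder above gives you that too.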


This archive was generated by hypermail 2.1.4 : Sat Jan 03 2004 - 08:25:35 GMT-3