Guys,

     I think we're on the right track now.  Of course, you don't have to
lower the priv level of the command to 1, instead put it at, say, 14. Then
make sure those users you want to have this access are given a privilege
level of 14.  This can be done either locally or at the TACACS+ server.
Locally, assign a user as:

     username johnchambers privilege 14 password ciscoceo

Set the "show running-config" command to be at level 14 like this:

     privilege exec level 14 show running-config
     privilege exec level 1 show

     (I think the second one is necessary, because if you don't use it,
then you get as an "added bonus" the line "privilege exec level 14 show",
which disables all show commands from any priv level under 14. - Please
correct me if I'm wrong)

     Does anyone know how to get these commands out of your config without
reloading?  Prepending a "no" just reverts the command back to default, but
it still displays in the config.

     Look in your documentation as to how to do this on your TACACS+ server.

     Also, as a bit of a side note, if you give a user level 15 access,
when they log in, they immediately get an enable prompt.

Matthew Sypherd
[EMAIL PROTECTED]
CCNP+Security CCDP CCSE MCSE CCIE-R/S-Written (June 15-16 RTP)
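
An added example, not part of the original thread: a small Python check that reads a config with local usernames and reports which accounts reach the level needed for "show running-config", whether "show" itself was raised to that level as the message above describes, and which accounts still use "password" rather than "secret". The sample config, its user names other than johnchambers, and its hashes are constructed placeholders; the username lines are assumed to carry "privilege" before the password keyword.

```python
import re

# Constructed sample config, modelled on the commands in the message above.
SAMPLE = """\
username johnchambers privilege 14 password 0 ciscoceo
username noc secret 5 $1$EXAMPLE$placeholder.not.a.real.hash
username netadmin privilege 15 secret 5 $1$EXAMPLE$placeholder.not.a.real.hash
privilege exec level 14 show running-config
"""

USER_RE = re.compile(r"^username (\S+)(?: privilege (\d+))? (password|secret) ")
PRIV_RE = re.compile(r"^privilege exec level (\d+) (.+?)\s*$")

def audit(config):
    """Return (readers, findings) for an IOS config with local usernames."""
    users, levels = {}, {}
    for line in (l.strip() for l in config.splitlines()):
        if m := USER_RE.match(line):
            users[m[1]] = (int(m[2] or 1), m[3])      # level defaults to 1
        elif m := PRIV_RE.match(line):
            levels[m[2]] = int(m[1])
    # "show running-config" needs level 15 unless a privilege line lowers it.
    need = levels.get("show running-config", 15)
    readers = sorted(u for u, (lvl, _) in users.items() if lvl >= need)
    findings = [f"{u}: level {users[u][0]} may run 'show running-config'"
                for u in readers if users[u][0] < 15]
    # Per the message: without an explicit line, "show" follows the new level.
    show = levels.get("show", need if need < 15 else 1)
    if show > 1:
        findings.append(f"all show commands need level {show}; add "
                        "'privilege exec level 1 show' to restore them")
    for name, (_, kind) in sorted(users.items()):
        if kind == "password":
            findings.append(f"{name}: 'password' is stored in clear or as "
                            "reversible type 7; use 'secret'")
    return readers, findings

if __name__ == "__main__":
    readers, findings = audit(SAMPLE)
    print("can run 'show running-config':", ", ".join(readers))
    for finding in findings:
        print(" -", finding)
```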




"Kevin Wigle" <[EMAIL PROTECTED]>@groupstudy.com
01/28/2001 03:42 PM





Please respond to "Kevin Wigle" <[EMAIL PROTECTED]>

Sent by:  [EMAIL PROTECTED]


To:   "Tony van Ree" <[EMAIL PROTECTED]>, "Gareth Hinton"
      <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
cc:

Subject:  Re: SH RUN reveals encrypted password


Then stand corrected...... you must be in the privileged mode to execute
"show run".

CR357136-C>sh run
                           ^
% Invalid input detected at '^' marker. (the caret should be under the r)

To get to the privileged mode you must invoke the "enable password" (unless
you're using autocommand or tacacs+ that does something automatically for
you)

Also I guess you could lower the sh run command from priv 15 to priv 1 but
I don't think you'd want to do that.................

Kevin Wigle

----- Original Message -----
From: "Tony van Ree" <[EMAIL PROTECTED]>
To: "Gareth Hinton" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Sunday, 28 January, 2001 16:11
Subject: Re: SH RUN reveals encrypted password


> Hi,
>
> Correct me if I'm wrong but don't you need the enable password to perform
> a "show run".  If you do then why decrypt it.
>
> router(config)#service password-encryption
>
> encrypts it to a level 7.
>
> Teunis,
> Hobart, Tasmania
> Australia
>
> On Sunday, January 28, 2001 at 09:37:36 AM, Gareth Hinton wrote:
>
> > Has anybody actually managed to decrypt an enable password yet?
> >
> > I know the level 7 passwords are easily decrypted, but I've not seen the
> > level 5 passwords decrypted yet.
> >
> > I realise, that depending on your organisation, you can never play too
> > safe.
> > I should think if anyone has cracked it, someone in this group will know
> > about it - Anybody? Is it possible to crack it?
> >
> > Gareth
> >
> > "Hans Stout" <[EMAIL PROTECTED]> wrote in message
> > news:[EMAIL PROTECTED]...
> > > Hello colleagues,
> > >
> > > do you know if there is a way to make the line 'enable secret 5
> > > $1$vwIl$YEZxTVGPapUUVCD.c54Ya' invisible when doing a 'sh run' in user
> > > mode? The problem is that I want to allow RO access and also allow to
> > > execute the 'sh run' command, but that with a password decryptor, one
> > > could easily decrypt the enable password.
> > > Thanks for your help in advance.
> > >
> > > Regards,
> > >
> > > Hans
> > >
> > >
> > > _________________________________
> > > FAQ, list archives, and subscription info:
> > > http://www.groupstudy.com/list/cisco.html
> > > Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
> > >
> >
> >
>
>
> --
> www.tasmail.com
