Cisco Tips

MD5 Hashes

If you have service password-encryption set in a Cisco config, the Cisco device will convert clear-text passwords that you give it (for "enable secret" lines, "username ..." lines, and so forth) to MD5 hashes in the saved config, so that the clear-text passwords aren't visible.

If you'd rather generate the MD5 hashes yourself, so that you never write a clear-text password into a config file that you're creating or editing, it turns out that you can use the openssl command (which is available for most UNIX, Linux, and Mac systems) to do so.

Any place in a Cisco config that you see a string like "5 $1$....", that's an MD5 hash; the "5" tells the Cisco that it's an MD5 hash, and all MD5 hashes, by convention, start with "$1$" (see http://en.wikipedia.org/wiki/Crypt%5F%28Unix%29#MD5-based%5Fscheme for a discussion of MD5 password hashes).

You can use the openssl tool on UNIX/Linux/Mac systems to create Cisco-compatible MD5 hashes directly, to avoid putting clear-text passwords in generated configs.

The basic command is

openssl passwd -1 -salt salt password

For Cisco use, salt needs to be a randomly-generated 4-letter string. Without the -salt salt argument, openssl will generate an 8-letter salt, which appears to be incompatible with Cisco.

You can also use openssl to generate an appropriate salt, like so:

openssl passwd -salt `openssl rand -base64 3` -1 password

The openssl rand -base64 3 command generates 3 random bytes and then encodes them in base64 format, which gives you 4 printable characters (exactly what you need for a Cisco-compatible salt).

(This tip grew out of a thread on Serverfault.com)