Password storage in SHA-256 format

NOTE:

The non-plaintext-sha256 form of the password command is available only on switches running KB software.

On switches, passwords can be configured in either plaintext or SHA-1 format. Passwords can now also be configured in SHA-256 format.

Syntax

switch (config)# [no] password non-plaintext-sha256

Description

Configures the switch to store passwords in SHA-256 format instead of plaintext or SHA-1. The no form disables the feature; see Limitations before disabling it, because stored SHA-256 passwords cannot be converted back.

Limitations

  • After password non-plaintext-sha256 is executed, the password cannot be converted back to plaintext; you must reconfigure the password.
  • This feature is not applicable for passwords used in protocol handshaking (for example, SNMPv3, OSPF, and BFD).
  • Configuring the password in SHA-256 format is not allowed if the password complexity feature is enabled.
  • If the passwords in the configuration are in SHA-256 format, downgrading to a version where this feature is not supported results in the deletion of the passwords. It is recommended that you disable this feature and reconfigure the password before downgrading.
  • If the password non-plaintext-sha256 feature is enabled, you are not allowed to enter the password in SHA-1 format.

The following three tables show the output from the show running-config command for each password storage format.

Passwords configured using the plaintext option

| include-credentials enabled | encrypt-credentials enabled | non-plaintext-sha256 enabled | show running-config output (manager; operator; local-user) |
|---|---|---|---|
| No | No | No | password manager; password operator; aaa authentication local-user <username> group <groupname> |
| No | No | Yes | Manager and operator credentials are not displayed; aaa authentication local-user <username> group <groupname> |
| No | Yes | No | password manager; password operator; aaa authentication local-user <username> group <groupname> |
| No | Yes | Yes | Manager and operator credentials are not displayed; aaa authentication local-user <username> group <groupname> |
| Yes | No | No | password manager user-name <username> <SHA-1 password>; password manager user-name <username> <SHA-1 password>; aaa authentication local-user <username> group <groupname> password sha1 <SHA-1 password> |
| Yes | No | Yes | password manager user-name <username> sha256 <SHA-256 password>; password manager user-name <username> sha256 <SHA-256 password>; aaa authentication local-user <username> group <groupname> password <SHA-256 password> |
| Yes | Yes | No | encrypted-password manager user-name <username> <encrypted SHA-1 password>; encrypted-password manager user-name <username> <encrypted SHA-1 password>; aaa authentication local-user <username> group <groupname> password sha1 <SHA-1 password> |
| Yes | Yes | Yes | encrypted-password manager user-name <username> <encrypted SHA-256 password>; encrypted-password manager user-name <username> <encrypted SHA-256 password>; aaa authentication local-user <username> group <groupname> password sha 256 <SHA-256 password> |

Passwords configured using the sha1 option

| include-credentials enabled | encrypt-credentials enabled | non-plaintext-sha256 enabled | show running-config output (manager; operator; local-user) |
|---|---|---|---|
| Yes | No | No | password manager user-name <username> sha-1 <SHA-1 password>; password operator user-name <username> sha-1 <SHA-1 password>; aaa authentication local-user <username> group <groupname> password sha1 <SHA-1 password> |
| Yes | No | Yes | Passwords cannot be configured using the sha1 option when non-plaintext-sha256 is enabled. |
| Yes | Yes | No | encrypted-password manager user-name <username> <encrypted SHA-1 password>; encrypted-password manager user-name <username> <encrypted SHA-1 password>; aaa authentication local-user <username> group <groupname> password sha1 <SHA-1 password> |
| Yes | Yes | Yes | Passwords cannot be configured using the sha1 option when non-plaintext-sha256 is enabled. |

Passwords configured using the sha256 option

| include-credentials enabled | encrypt-credentials enabled | non-plaintext-sha256 enabled | show running-config output (manager; operator; local-user) |
|---|---|---|---|
| Yes | No | No | Manager and operator credentials are not displayed because SHA-1 passwords are not available; aaa authentication local-user <username> group <groupname> |
| Yes | No | Yes | password manager user-name <username> sha256 <SHA-256 password>; password manager user-name <username> sha256 <SHA-256 password>; aaa authentication local-user <username> group <groupname> password sha 256 <SHA-256 password> |
| Yes | Yes | No | Manager and operator credentials are not displayed because SHA-1 passwords are not available; aaa authentication local-user <username> group <groupname> |
| Yes | Yes | Yes | encrypted-password manager user-name <username> <encrypted SHA-256 password>; encrypted-password manager user-name <username> <encrypted SHA-256 password>; aaa authentication local-user <username> group <groupname> password sha 256 <SHA-256 password> |
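As an added example (not part of the switch documentation), the following Python script audits a saved show running-config for the credential line shapes listed in the three tables above, so that a config-review job can flag passwords still stored as SHA-1 and lines whose storage format cannot be verified because include-credentials is disabled. The hash tokens in the sample configuration are constructed placeholders, not real digests.

```python
import re

# Credential line shapes, as the tables above show them. Order matters: the
# more specific shapes are listed before the generic two-token ones.
_RULES = [
    (r"^encrypted-password (manager|operator) user-name \S+ \S+$", "encrypted"),
    (r"^password (manager|operator) user-name \S+ sha256 \S+$", "sha256"),
    (r"^password (manager|operator) user-name \S+ sha-1 \S+$", "sha1"),
    # plaintext option with include-credentials: a bare SHA-1 hash follows the name
    (r"^password (manager|operator) user-name \S+ \S+$", "sha1"),
    # include-credentials disabled: the hash is withheld from the running-config
    (r"^password (manager|operator)$", "hidden"),
    (r"^aaa authentication local-user \S+ group \S+ password sha1 \S+$", "sha1"),
    # the tables print both "sha256" and "sha 256" for local-user lines; accept both
    (r"^aaa authentication local-user \S+ group \S+ password sha ?256 \S+$", "sha256"),
    (r"^aaa authentication local-user \S+ group \S+ password \S+$", "sha256"),
    (r"^aaa authentication local-user \S+ group \S+$", "hidden"),
]
RULES = [(re.compile(p), fmt) for p, fmt in _RULES]


def classify(line):
    """Return the storage format a credential line reveals, or None for other lines."""
    line = line.strip()
    for pattern, fmt in RULES:
        if pattern.match(line):
            return fmt
    return None


def findings(config_text):
    """Group credential lines by storage format: 'sha1' lines are weak,
    'hidden' lines cannot be verified until include-credentials is enabled,
    'encrypted' lines do not expose the underlying hash format."""
    report = {}
    for line in config_text.splitlines():
        fmt = classify(line)
        if fmt:
            report.setdefault(fmt, []).append(line.strip())
    return report


# Constructed sample: one line of each storage format plus a non-credential line.
SAMPLE_CONFIG = """\
hostname switch-lab
password manager user-name admin sha-1 PLACEHOLDER_SHA1
encrypted-password operator user-name ops PLACEHOLDER_ENC
aaa authentication local-user audit group Auditors password sha 256 PLACEHOLDER_SHA256
password operator
"""

if __name__ == "__main__":
    for fmt, lines in sorted(findings(SAMPLE_CONFIG).items()):
        print(fmt, lines)
```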