> As you pointed out to Barry Greene and myself previously, the "aaa accounting" command as below will log commands typed in at "enable" level. So, if you are changing the onboard router password, yes, you will see the new password in your accounting logs, in clear text.
> However, I don't consider it good practice to keep any critical passwords on a router when an authentication mechanism such as TACACS+ is in place.
Unfortunately, auth servers fail and you have to keep VTY and fallback passwords locally configured on the router.
> Also, if I were modifying the onboard enable secret (last resort password when TACACS+ or Radius is configured) at any stage, I'd tftp-load the configuration from a remote server, not ever type it in live.
I don't see how this actually changes anything though, aren't tftp'd files authorized (and therefore, logged) in a similar manner? And as wonderful as it sounds, it's not always possible in real networks. However, entering the encrypted *enable* password (w/level) would accommodate this. Though, of course, the BGP TCP MD5 stuff and the VTY passwords (and most other passwords) still don't support the ~non-reversible encryption algorithm. As for this entire thread, it seems now to be more appropriate for cisco-nsp or the like. -danny
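The thread's point is that command accounting faithfully records whatever was typed at enable level, including the new secret. One defensive measure is to redact secret-bearing IOS commands from accounting records before they are stored or forwarded. The following is an added example, not code from anyone in the thread; the record layout and the sample lines are constructed to resemble TACACS+ command accounting, not real server output.

```python
import re

# Constructed sample accounting records (layout assumed; not real device or
# TACACS+ server output). The cmd= field carries the command as typed.
SAMPLE_LOG = """\
Mon Jan 1 10:00:01 2001 10.0.0.1 jsmith tty1 10.0.0.50 stop task_id=12 service=shell priv-lvl=15 cmd=show running-config <cr>
Mon Jan 1 10:00:05 2001 10.0.0.1 jsmith tty1 10.0.0.50 stop task_id=13 service=shell priv-lvl=15 cmd=enable secret Sup3rS3cret! <cr>
Mon Jan 1 10:00:09 2001 10.0.0.1 jsmith tty1 10.0.0.50 stop task_id=14 service=shell priv-lvl=15 cmd=line vty 0 4 <cr>
Mon Jan 1 10:00:12 2001 10.0.0.1 jsmith tty1 10.0.0.50 stop task_id=15 service=shell priv-lvl=15 cmd=password vtyPassw0rd <cr>
Mon Jan 1 10:00:20 2001 10.0.0.1 jsmith tty1 10.0.0.50 stop task_id=16 service=shell priv-lvl=15 cmd=neighbor 192.0.2.2 password bgpKey99 <cr>
Mon Jan 1 10:00:25 2001 10.0.0.1 jsmith tty1 10.0.0.50 stop task_id=17 service=shell priv-lvl=15 cmd=enable secret 5 $1$abcd$fakehash <cr>
"""

# IOS commands whose trailing argument is a secret. Group 1 is the keyword
# prefix to keep (including an optional encryption-type digit, which is
# useful metadata), group 2 is the secret to drop. Type 5/7 strings are
# redacted too: they can be attacked offline if the log leaks.
SECRET_PATTERNS = [
    re.compile(r"^(enable (?:secret|password)(?: level \d+)?(?: \d+)?) (.+)$"),
    re.compile(r"^(password(?: \d+)?) (.+)$"),
    re.compile(r"^(username \S+(?: privilege \d+)? (?:secret|password)(?: \d+)?) (.+)$"),
    re.compile(r"^(neighbor \S+ password(?: \d+)?) (.+)$"),
    re.compile(r"^(snmp-server community) (\S+)(.*)$"),
]
CMD_FIELD = re.compile(r"(cmd=)(.*?)(\s*<cr>)?$")
REDACTED = "<REDACTED>"


def redact_command(cmd: str):
    """Return (command with secret removed, True) or (cmd, False)."""
    for pat in SECRET_PATTERNS:
        m = pat.match(cmd.strip())
        if m:
            tail = m.group(3) if m.lastindex and m.lastindex >= 3 else ""
            return f"{m.group(1)} {REDACTED}{tail}", True
    return cmd, False


def scrub_line(line: str):
    """Redact only the cmd= field so the rest of the record stays intact."""
    m = CMD_FIELD.search(line)
    if not m:
        return line, False
    redacted, hit = redact_command(m.group(2))
    return line[: m.start(2)] + redacted + line[m.end(2):], hit


def scrub_log(text: str):
    """Scrub every record; return (scrubbed lines, number redacted)."""
    out, count = [], 0
    for line in text.splitlines():
        scrubbed, hit = scrub_line(line)
        out.append(scrubbed)
        count += hit
    return out, count


if __name__ == "__main__":
    lines, n = scrub_log(SAMPLE_LOG)
    print("\n".join(lines))
    print(f"{n} record(s) redacted")
```

Redaction happens on the collection side; the device itself still sends the command in clear, so the accounting transport and the collector's own access controls remain in scope.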
Participants (1): Danny McPherson