Password storage in SHA-256 format
The non-plaintext-sha256 form of the password command is available only on switches running KB software.
On switches, passwords can be configured in either plaintext or SHA-1 format. You can now also configure passwords in SHA-256 format.
Syntax
switch (config)# [no] password non-plaintext-sha256
Description
The password is configured in SHA-256 format.
Limitations
- After password non-plaintext-sha256 is executed, the password cannot be converted back to plaintext; you must reconfigure the password.
- This feature is not applicable for passwords used in protocol handshaking (for example, SNMPv3, OSPF, and BFD).
- Configuring the password in SHA-256 format is not allowed if the password complexity feature is enabled.
- If the passwords in the configuration are in SHA-256 format, downgrading to a version where this feature is not supported results in the deletion of the passwords. It is recommended that you disable this feature and reconfigure the password before downgrading.
- If the password non-plaintext-sha256 feature is enabled, you are not allowed to enter the password in SHA-1 format.
The following three tables show the output from the show running-config command for each password storage format.

include credentials enabled | encrypt-credentials enabled | non-plaintext-sha256 enabled | show running-config output (manager/operator/local-user) |
---|---|---|---|
No | No | No | password manager<br>password operator<br>aaa authentication local-user <username> group <groupname> |
No | No | Yes | Manager and operator credentials are not displayed.<br>aaa authentication local-user <username> group <groupname> |
No | Yes | No | password manager<br>password operator<br>aaa authentication local-user <username> group <groupname> |
No | Yes | Yes | Manager and operator credentials are not displayed.<br>aaa authentication local-user <username> group <groupname> |
Yes | No | No | password manager user-name <username> <SHA-1 password><br>password manager user-name <username> <SHA-1 password><br>aaa authentication local-user <username> group <groupname> password sha1 <SHA-1 password> |
Yes | No | Yes | password manager user-name <username> sha256 <SHA-256 password><br>password manager user-name <username> sha256 <SHA-256 password><br>aaa authentication local-user <username> group <groupname> password <SHA-256 password> |
Yes | Yes | No | encrypted-password manager user-name <username> <encrypted SHA-1 password><br>encrypted-password manager user-name <username> <encrypted SHA-1 password><br>aaa authentication local-user <username> group <groupname> password sha1 <SHA-1 password> |
Yes | Yes | Yes | encrypted-password manager user-name <username> <encrypted SHA-256 password><br>encrypted-password manager user-name <username> <encrypted SHA-256 password><br>aaa authentication local-user <username> group <groupname> password sha 256 <SHA-256 password> |

include credentials enabled | encrypt-credentials enabled | non-plaintext-sha256 enabled | show running-config output (manager/operator/local-user) |
---|---|---|---|
Yes | No | No | password manager user-name <username> sha-1 <SHA-1 password><br>password operator user-name <username> sha-1 <SHA-1 password><br>aaa authentication local-user <username> group <groupname> password sha1 <SHA-1 password> |
Yes | No | Yes | Passwords cannot be configured using the sha1 option when non-plaintext-sha256 is enabled. |
Yes | Yes | No | encrypted-password manager user-name <username> <encrypted SHA-1 password><br>encrypted-password manager user-name <username> <encrypted SHA-1 password><br>aaa authentication local-user <username> group <groupname> password sha1 <SHA-1 password> |
Yes | Yes | Yes | Passwords cannot be configured using the sha1 option when non-plaintext-sha256 is enabled. |

include credentials enabled | encrypt-credentials enabled | non-plaintext-sha256 enabled | show running-config output (manager/operator/local-user) |
---|---|---|---|
Yes | No | No | Manager and operator credentials are not displayed because SHA-1 passwords are not available.<br>aaa authentication local-user <username> group <groupname> |
Yes | No | Yes | password manager user-name <username> sha256 <SHA-256 password><br>password manager user-name <username> sha256 <SHA-256 password><br>aaa authentication local-user <username> group <groupname> password sha 256 <SHA-256 password> |
Yes | Yes | No | Manager and operator credentials are not displayed because SHA-1 passwords are not available.<br>aaa authentication local-user <username> group <groupname> |
Yes | Yes | Yes | encrypted-password manager user-name <username> <encrypted SHA-256 password><br>encrypted-password manager user-name <username> <encrypted SHA-256 password><br>aaa authentication local-user <username> group <groupname> password sha 256 <SHA-256 password> |
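
The following audit sketch is an added example, not part of the original documentation: it classifies the credential lines in saved show running-config output by storage format, using the line shapes listed in the tables above. The function names and the sample configuration are assumptions made for illustration.

```python
import re

# Line shapes follow the show running-config rows in the tables above.
CRED = re.compile(r"^(?P<enc>encrypted-)?password (?P<role>manager|operator)"
                  r"(?: user-name (?P<user>\S+))?(?: (?P<rest>.+))?$")
LOCAL = re.compile(r"^aaa authentication local-user (?P<user>\S+) group \S+"
                   r"(?: password (?P<rest>.+))?$")
FORMAT_TOKEN = re.compile(r"^(sha[- ]?256|sha[- ]?1)\b")

def storage_format(rest, encrypted=False):
    """Classify the text that follows the user name on a credential line."""
    if encrypted:
        return "encrypted"   # encrypt-credentials output; digest type not visible
    if not rest:
        return "hidden"      # credentials are not displayed
    token = FORMAT_TOKEN.match(rest)
    if not token:
        return "unlabelled"  # digest printed without a format keyword
    return "sha256" if "256" in token.group(1) else "sha1"

def audit(config_text):
    """Return (account, role, storage format) for every credential line."""
    findings = []
    for line in map(str.strip, config_text.splitlines()):
        if m := CRED.match(line):
            fmt = storage_format(m["rest"], bool(m["enc"]))
            findings.append((m["user"] or m["role"], m["role"], fmt))
        elif m := LOCAL.match(line):
            findings.append((m["user"], "local-user", storage_format(m["rest"])))
    return findings

def accounts_with(config_text, fmt):
    """Account names whose credential is stored in the given format."""
    return [user for user, _, found in audit(config_text) if found == fmt]

# Constructed sample: DIGEST_*/BLOB_* are placeholders, and the formats are
# mixed only to exercise each row shape from the tables.
SAMPLE = """\
hostname lab-switch
password manager user-name admin sha256 DIGEST_A
password operator user-name oper sha-1 DIGEST_B
aaa authentication local-user alice group netops password sha1 DIGEST_C
aaa authentication local-user bob group netops password sha 256 DIGEST_D
aaa authentication local-user carol group netops
encrypted-password manager user-name backup BLOB_E
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Listing the `sha256` accounts before a downgrade shows which passwords would be deleted and need to be reconfigured, per the limitation above.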