Pre-shared key on Cisco ASA55x0

Cisco IOS devices store passwords obfuscated once “service password-encryption” is turned on. You should enable it on your network equipment, but know what it buys you: the type 7 encoding it applies is reversible, so it stops a shoulder-surfer reading a password off the screen and little more. You want to give impostors a hard time, so it is behaviour you want, and the same goes for anything that keeps secrets out of the plain output of a “show” command.

Last week I found out an astonishing thing…

I configured a VPN on a Cisco ASA55x0 and misplaced the pre-shared key.

I had two options:

  1. give the VPN a new pre-shared key, or
  2. go looking for a loophole. I chose the latter.

“show run” and “show start” give me, politely, the finger. The output reads “pre-shared-key *”: just an asterisk, nothing more, nothing less. That gave me the gut feeling that the pre-shared key is parsed somewhere on the way out and replaced by “*”, and I knew of another way to read the config file:

more system:running-config

That did the trick. The actual pre-shared key turned up after a little tinkering with the pipe subcommands that the ASA CLI offers on “more” output.

In hindsight: “show” parses the configuration before printing it and replaces password material with asterisks, whereas “more” does not parse anything; it dumps the file as stored, pre-shared keys included.

I do not know which software versions are affected. But I do know that you must keep access to the nodes restricted to the people and systems that must have access, and that the same applies to every copy of the configuration kept elsewhere: a backup, the output of “more” saved to a file, a paste into a ticket. Those copies carry the keys in the clear. In other words: keep your config files, and access to them, safe.

This entry was posted in security.