Downgrading From Release 20.0; Software Upgrade Methods - Cisco ASR 5000 Administration Manual

StarOS release 21.1

Software Management Operations
not recognize the 44-character chassis ID. If the chassis is subsequently downgraded to Release 14, a new
16-character chassis ID will be generated. To accommodate the old key format, you must save the configuration
file in pre-v12.2 format before the downgrade. If you attempt to load a v15 configuration file on the downgraded
chassis, StarOS will not be able to decrypt the password/secrets stored in the configuration file.

Downgrading from Release 20.0

Prior to release 20.0, local-user passwords were hashed with the MD5 message-digest algorithm and saved
in the database. In release 20.0, PBKDF2 (Password Based Key Derivation Function - Version 2) is now
used to derive a key of given length, based on entered data, salt and number of iterations. Local-user account
passwords are hashed using the PBKDF2 method with a randomly generated salt coupled with a large number
of iterations to make password storage more secure.
Since hash functions are one-way, it is not possible to convert PBKDF2 hashed passwords to the MD5 format.
The local-user database must be downgraded before reverting to a StarOS release earlier than 20.0.
To downgrade the local-user database to use the MD5 hash algorithm, a Security Administrator must run the
Exec mode downgrade local-user database command. StarOS prompts for confirmation and requests the
Security Administrator to reenter a password. The entered password re-authenticates the user prior to executing
the downgrade command. After verification, the password is hashed using the appropriate old/weak hash
algorithm and saved in the database to allow earlier versions of StarOS to authenticate the Security
Administrator.
The downgrade process does not convert PBKDF2 hashed passwords to MD5 format. The downgrade process
re-reads the database (from the /flash directory), reconstructs the database in the older format, and writes it
back to the disk. Since the PBKDF2 hashed passwords cannot be converted to the MD5 hash algorithm, and
earlier StarOS releases cannot parse PBKDF2 hashes, StarOS suspends all users whose passwords are
hashed with PBKDF2. Users whose passwords are hashed with MD5 ("Weak Hash" flag) can continue
to log in with their credentials. After the system comes up with the earlier StarOS release, suspended users
can be identified in the output of the show local-user [verbose] command.
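The downgrade behaviour described above, modelled as an added Python example that is not StarOS code and not taken from the manual. The record layout, HMAC-SHA256, the 16-byte salt and the iteration count are assumptions, and all account names and passwords are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed; the manual says only "a large number of iterations"

def md5_record(password):
    # Legacy ("Weak Hash") record as modelled here: a bare MD5 digest.
    return {"algo": "md5", "hash": hashlib.md5(password.encode()).hexdigest()}

def pbkdf2_record(password, salt=None, iterations=ITERATIONS):
    # Random per-user salt plus iteration count; HMAC-SHA256 is an assumption.
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"algo": "pbkdf2", "salt": salt.hex(), "iter": iterations, "hash": dk.hex()}

def verify(rec, password):
    if rec.get("suspended") or rec["hash"] is None:
        return False
    if rec["algo"] == "md5":
        cand = md5_record(password)["hash"]
    else:
        cand = pbkdf2_record(password, bytes.fromhex(rec["salt"]), rec["iter"])["hash"]
    return hmac.compare_digest(cand, rec["hash"])

def downgrade(db, admin, admin_password):
    # Re-authenticate first: the re-entered cleartext is the only input from
    # which a legacy hash can be produced. Stored PBKDF2 output cannot be.
    if not verify(db[admin], admin_password):
        raise PermissionError("re-authentication failed")
    legacy = {}
    for user, rec in db.items():
        if user == admin:
            legacy[user] = {**md5_record(admin_password), "suspended": False}
        elif rec["algo"] == "md5":
            legacy[user] = {**rec, "suspended": rec.get("suspended", False)}
        else:  # PBKDF2 user: no legacy hash exists, so the account is suspended
            legacy[user] = {"algo": "md5", "hash": None, "suspended": True}
    return legacy

def sample_db():
    # Constructed accounts and passwords, for illustration only.
    return {"secadmin": pbkdf2_record("Adm1n-constructed"),
            "alice": pbkdf2_record("alice-constructed"),
            "olduser": md5_record("old-constructed")}

if __name__ == "__main__":
    for user, rec in downgrade(sample_db(), "secadmin", "Adm1n-constructed").items():
        print(user, "SUSPENDED" if rec["suspended"] else "active")
```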
To reactivate suspended users a Security Administrator can:
• Set temporary passwords for suspended users, using the Exec mode password change local-user
username command.
• Reset the suspend flag for users, using the Configuration mode no suspend local-user username
command.

Software Upgrade Methods

Occasional software upgrades are required to add features and/or functionality, and to correct any previous
defects. There are two software upgrade methods used to add features, functionality, and correct known
software defects. They are:
• On-Line Software Upgrade
• Off-line Software Upgrade
A brief overview accompanies each upgrade procedure.
ASR 5000 System Administration Guide, StarOS Release 21.1