System Settings
Important
Verify Configuration Changes
You can verify changes made related to the separation of authentication methods via the Exec mode show configuration command. After saving the configuration changes, run show configuration | grep noconsole and show configuration | grep novty. The output of these commands will indicate any changes you have made.
Configuring a Chassis Key
A chassis key should be configured for each system. This key is used to decrypt encrypted passwords found
in configuration files.
Overview
The chassis key is used to encrypt and decrypt encrypted passwords in the configuration file. If two or more
chassis are configured with the same chassis key value, the encrypted passwords can be decrypted by any of
the chassis sharing the same chassis key value. As a corollary to this, a given chassis key value will not be
able to decrypt passwords that were encrypted with a different chassis key value.
The chassis key is used to generate the chassis ID, which is stored in a file and used as the master key for protecting sensitive data (such as passwords and secrets) in configuration files.
For release 15.0 and higher, the chassis ID is a SHA256 hash of the chassis key. The chassis key can be set by users through a CLI command or via the Quick Setup Wizard. If the chassis ID does not exist, a local MAC address is used to generate the chassis ID.
For release 19.2 and higher, the user must explicitly set the chassis key through the Quick Setup Wizard or
CLI command. If it is not set, a default chassis ID using the local MAC address will not be generated. In the
absence of a chassis key (and hence the chassis ID), sensitive data will not appear in a saved configuration
file. The chassis ID is the SHA256 hash (encoded in base36 format) of the user entered chassis key plus a
32-byte secure random number. This assures that the chassis key and chassis ID have 32-byte entropy for key
security.
If a chassis ID is not available, encryption and decryption of sensitive data in configuration files will not work.
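The derivation described above, as an added illustration that is not StarOS code: the page states only that the chassis ID is a SHA256 hash of the chassis key (release 15.0) or of the key plus a 32-byte secure random number, base36-encoded (release 19.2 and higher), and that the ID acts as the master key for config secrets. The concatenation order, the base36 layout, the HMAC-based toy cipher keyed by the chassis ID, and the sample key values are assumptions made here; the example shows why a chassis with a different chassis key cannot recover the secrets.

```python
import hashlib
import hmac
import secrets

# Assumed construction (illustration only, not StarOS's algorithm): SHA256 of the
# chassis key, optionally plus 32 random bytes, base36-encoded; the resulting ID
# keys an HMAC-SHA256 counter keystream that protects config secrets.
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyz"

def base36(data: bytes) -> str:
    """Encode bytes as a base36 string (assumed encoding of the hash)."""
    n = int.from_bytes(data, "big")
    digits = []
    while n:
        n, r = divmod(n, 36)
        digits.append(ALPHABET[r])
    return "".join(reversed(digits)) or "0"

def chassis_id_v15(chassis_key: str) -> str:
    """Release 15.0 style: chassis ID derived from the chassis key alone."""
    return base36(hashlib.sha256(chassis_key.encode()).digest())

def chassis_id_v19(chassis_key: str, random32: bytes) -> str:
    """Release 19.2+ style: chassis key plus a 32-byte secure random number."""
    if len(random32) != 32:
        raise ValueError("random component must be 32 bytes")
    return base36(hashlib.sha256(chassis_key.encode() + random32).digest())

def _keystream(chassis_id: str, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter keystream keyed by the chassis ID (toy cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(chassis_id.encode(), nonce + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]

def protect_secret(chassis_id: str, secret: bytes) -> bytes:
    """Encrypt a config secret under the chassis ID; returns nonce || ciphertext."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(chassis_id, nonce, len(secret))
    return nonce + bytes(a ^ b for a, b in zip(secret, ks))

def recover_secret(chassis_id: str, blob: bytes) -> bytes:
    """Decrypt with the chassis ID of the chassis that reads the config."""
    nonce, ct = blob[:16], blob[16:]
    ks = _keystream(chassis_id, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))
```

Calling recover_secret with the ID derived from a different chassis key yields bytes unrelated to the original secret, which is the corollary the text states; the toy cipher carries no integrity check, so a real implementation would add authentication.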
The local-user allow-aaa-authentication noconsole command takes precedence. In that case, no AAA-based user can access the Console line.
ASR 5000 System Administration Guide, StarOS Release 21.1