Downgrading From Release 20.0 - Cisco ASR 5000 Series Administration Manual

StarOS Release 21.4

Downgrading from Release 20.0

Prior to release 20.0, local-user passwords were hashed with the MD5 message-digest algorithm and saved
in the database. In release 20.0, PBKDF2 (Password Based Key Derivation Function - Version 2) is now
used to derive a key of given length, based on entered data, salt and number of iterations. Local-user account
passwords are hashed using the PBKDF2 method with a randomly generated salt coupled with a large number
of iterations to make password storage more secure.
Since hash functions are one-way, it is not possible to convert PBKDF2 hashed passwords to the MD5 format.
The local-user database must be downgraded prior to reverting to StarOS releases prior to 20.0.
To downgrade the local-user database to use the MD5 hash algorithm, a Security Administrator must run the
Exec mode downgrade local-user database command. StarOS prompts for confirmation and requests the
Security Administrator to reenter a password. The entered password re-authenticates the user prior to executing
the downgrade command. After verification, the password is hashed using the appropriate old/weak hash
algorithm and saved in the database to allow earlier versions of StarOS to authenticate the Security
Administrator.
The downgrade process does not convert PBKDF2 hashed passwords to MD5 format. The downgrade process
re-reads the database (from the /flash directory), reconstructs the database in the older format, and writes it
back to the disk. Since the PBKDF2 hashed passwords cannot be converted to the MD5 hash algorithm, and
earlier StarOS releases cannot parse PBKDF2 hashes, StarOS suspends all users whose passwords are
hashed with the PBKDF2 algorithm. Users whose passwords are hashed with the MD5 algorithm ("Weak Hash" flag)
can continue to log in with their credentials. After the system comes up with the earlier StarOS release,
suspended users can be identified in the output of the show local-user [verbose] command.
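The downgrade behavior described above, modeled in Python as an added example (it is not StarOS code and not from the Cisco guide). The record layout, the iteration count, the HMAC-SHA256 PRF, the unsalted MD5 form and the sample accounts are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed value; the page says only "a large number of iterations"

def md5_hash(password):
    # Old format: MD5 digest of the password (unsalted here, an assumption of this model).
    return hashlib.md5(password.encode()).hexdigest()

def pbkdf2_hash(password, salt):
    # New format: PBKDF2 over password + random salt; HMAC-SHA256 as PRF is an assumption.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()

def new_user(name, password, weak=False):
    salt = b"" if weak else os.urandom(16)
    digest = md5_hash(password) if weak else pbkdf2_hash(password, salt)
    return {"name": name, "algo": "md5" if weak else "pbkdf2",
            "salt": salt, "hash": digest, "suspended": False}

def verify(user, password):
    if user["suspended"]:
        return False
    candidate = (md5_hash(password) if user["algo"] == "md5"
                 else pbkdf2_hash(password, user["salt"]))
    return hmac.compare_digest(candidate, user["hash"])

def downgrade(db, admin_name, admin_password):
    # Rebuild the database in the old format; the administrator must re-authenticate.
    admin = next(u for u in db if u["name"] == admin_name)
    if not verify(admin, admin_password):
        raise PermissionError("re-authentication failed")
    old_db = []
    for user in db:
        if user["algo"] == "md5":
            old_db.append(dict(user))  # "Weak Hash" users carry over unchanged
        elif user["name"] == admin_name:
            # Plaintext was just re-entered, so an MD5 hash can be computed for it.
            old_db.append(new_user(admin_name, admin_password, weak=True))
        else:
            # Only salt and PBKDF2 output are stored: no MD5 hash is derivable. Suspend.
            old_db.append({"name": user["name"], "algo": "md5", "salt": b"",
                           "hash": "", "suspended": True})
    return old_db

if __name__ == "__main__":
    db = [new_user("secadmin", "Constructed-Adm1n"), new_user("alice", "constructed-pw"),
          new_user("legacy", "old-pw", weak=True)]  # constructed sample accounts
    for u in downgrade(db, "secadmin", "Constructed-Adm1n"):
        print(u["name"], u["algo"], "suspended" if u["suspended"] else "active")
```

Only the account whose plaintext password is supplied during the downgrade ends up with a usable MD5 hash; every other PBKDF2 account needs a new password or a cleared suspend flag afterward.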
To reactivate suspended users, a Security Administrator can:
• Set temporary passwords for suspended users, using the Exec mode password change local-user username command.
• Reset the suspend flag for users, using the Configuration mode no suspend local-user username command.

Off-line Software Upgrade
An off-line software upgrade can be performed for any system, upgrading from any version of operating
system software to any version, regardless of version number. This process is considered off-line because
while many of the steps can be performed while the system is currently supporting sessions, the last step of
this process requires a reboot to actually apply the software upgrade.
This procedure assumes that you have a CLI session established and are placing the new operating system
image file onto the local file system. To begin, make sure you are at the Exec mode prompt:
[local]host_name#

Configure a Newcall Policy
Configure a newcall policy from the Exec mode to meet your service requirements. When enabled the policy
redirects or rejects new calls in anticipation of the system reload that completes the upgrade process. This
reduces the amount of service disruption to subscribers caused by the system reload that completes the upgrade.
ASR 5500 System Administration Guide, StarOS Release 21.4
Software Management Operations

This manual is also suitable for:

Asr 5500