Updating Local-User Database - Cisco ASR 5000 Series Administration Manual

StarOS Release 21.4
Configuring Local-User Administrative Users

(tail of the show local-user verbose output example, continued from the previous page)
Password Expired: Yes
Locked: No
Suspended: No
Lockout on Pw Aging: Yes
Lockout on Login Fail: Yes

Updating Local-User Database

Update the local-user (administrative) configuration by running the following Exec mode command. This
command should be run immediately after creating, removing or editing administrative users.
update local-user database
Updating and Downgrading the local-user Database
Prior to release 20.0, local-user passwords were hashed with the MD5 message-digest algorithm and saved
in the local-user database. In release 20.0, PBKDF2 (Password-Based Key Derivation Function 2)
is used instead to derive a key of a given length from the entered password, a salt and a number of iterations. Local-user
account passwords are hashed using the PBKDF2 method with a randomly generated salt coupled with a large
number of iterations to make password storage more secure.
When upgrading to release 20.0, existing user passwords in the local-user database are not automatically
upgraded from MD5 to PBKDF2 hashing (only hashed password values are stored). Since hash functions are
one-way, it is not possible to derive user passwords from the stored hash values. Thus it is not possible to
convert existing hashed passwords to strongly hashed passwords automatically.
To update the database, a Security Administrator must run the Exec mode update local-user database CLI
command. When this command is executed, StarOS reads the database from the /flash directory, reconstructs
the database in the new format, and writes it back to the disk.
The database upgrade process does not automatically convert MD5 hashed passwords into the PBKDF2
format. StarOS continues to authenticate users using the old encryption algorithm. It flags the users using the
old encryption algorithm with a "Weak Hash" flag. This flag appears in the output of the show local-user
[verbose] Exec mode CLI command. When users re-login with their credentials, StarOS verifies the entered
password using the MD5 algorithm, then creates a new hash using the PBKDF2 algorithm and then saves the
result in the database. StarOS then clears the "Weak Hash" flag for that user.
Important: Since hash functions are one-way, it is not possible to convert PBKDF2 hashed passwords to the MD5
format. The local-user database must be downgraded prior to reverting to StarOS releases prior to 20.0.
To downgrade the local-user database to use the MD5 hash algorithm, a Security Administrator must run the
Exec mode downgrade local-user database command. StarOS prompts for confirmation and requests the
Security Administrator to reenter a password. The entered password re-authenticates the user prior to executing
the downgrade command. After verification, the password is hashed using the appropriate old/weak encryption
algorithm and saved in the database to allow earlier versions of StarOS to authenticate the Security
Administrator.
The downgrade process does not convert PBKDF2 hashed passwords to MD5 format. The downgrade process
re-reads the database (from the /flash directory), reconstructs the database in the older format, and writes it
back to the disk. Since the PBKDF2 hashed passwords cannot be converted to the MD5 hash algorithm, and
earlier StarOS releases cannot parse the PBKDF2 encryption algorithm, StarOS suspends all those users
encrypted via the PBKDF2 algorithm. Users encrypted via the MD5 algorithm ("Weak Hash" flag) can continue
ASR 5500 System Administration Guide, StarOS Release 21.4
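The upgrade-on-login and downgrade behaviour described above (the "Weak Hash" flag, re-hashing with PBKDF2 after a successful MD5 login, and suspension of PBKDF2 users on downgrade), as an added illustrative model in Python. This is not Cisco's code: the record layout, the SHA-256 PRF and the iteration count are assumptions, since the guide does not state the on-disk format StarOS uses.

```python
import hashlib
import hmac
import os

# Constructed model of the StarOS local-user migration (not Cisco's code).
# Field names, the SHA-256 PRF and the iteration count are assumptions.
PBKDF2_ITERATIONS = 100_000  # assumed; the guide only says "a large number of iterations"


def md5_hex(password: str) -> str:
    """Pre-20.0 storage: unsalted MD5 digest of the password."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_hex(password: str, salt: bytes, iterations: int) -> str:
    """Release 20.0+ storage: PBKDF2 with a random salt and many iterations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def legacy_record(password: str) -> dict:
    """A record as written by a pre-20.0 release: MD5, no salt, not yet flagged."""
    return {"algo": "md5", "hash": md5_hex(password), "weak_hash": False, "suspended": False}


def update_local_user_database(db: dict) -> dict:
    """'update local-user database': MD5 entries cannot be converted, so they are flagged."""
    for rec in db.values():
        rec["weak_hash"] = rec["algo"] == "md5"
    return db


def authenticate(db: dict, user: str, password: str) -> bool:
    """Verify a login; a successful MD5 login is re-hashed with PBKDF2 and the flag cleared."""
    rec = db.get(user)
    if rec is None or rec["suspended"]:
        return False
    if rec["algo"] == "md5":
        if not hmac.compare_digest(rec["hash"], md5_hex(password)):
            return False
        salt = os.urandom(16)  # fresh random salt per user, as the guide describes
        rec.update(algo="pbkdf2", salt=salt, iterations=PBKDF2_ITERATIONS,
                   hash=pbkdf2_hex(password, salt, PBKDF2_ITERATIONS), weak_hash=False)
        return True
    return hmac.compare_digest(rec["hash"], pbkdf2_hex(password, rec["salt"], rec["iterations"]))


def downgrade_local_user_database(db: dict) -> dict:
    """'downgrade local-user database': "Weak Hash" users stay usable, PBKDF2 users are suspended."""
    for rec in db.values():
        if rec["algo"] == "pbkdf2":
            rec["suspended"] = True
    return db
```

Running the update, a login and then a downgrade against a small constructed database shows why the Security Administrator must re-enter a password before downgrading: any account that has already been migrated to PBKDF2 becomes unusable on the older release.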
