System Setup and Software Installation Guide for Cisco NCS 1010, IOS XR Releases

Deprecation of type 7 password and type 5 secret

This section describes the deprecation of the Type 7 password and the Type 5 secret on Cisco NCS 1010. Use it to review how passwords and secrets are stored for AAA configuration before and after an upgrade to Release 24.4.1.

Password configuration options before Release 24.4.1

  • Until Release 24.4.1, there were two options for configuring a password:

    • Password: Uses Type 7 encryption to store the password.

    • Secret: Supports Type 5, 8, 9, or 10 hashing algorithms to store the password securely.

  • Deprecation notice

    Starting from Release 24.4.1, the use of the Type 7 password and the Type 5 secret is deprecated due to security concerns. The deprecation process begins with Release 24.4.1, and full removal is expected in a future release. We recommend using the default option, which is the Type 10 secret.

  • password

    • The password options available in the CLI from Release 24.4.1:

      RP/0/RP0/CPU0:ios(config-un)#password ?
      LINE The type 7 password followed by '7 ' OR SHA512-based password (deprecated, use 'secret')

    Changes:

    • All the options that were present until Release 24.4.1 are removed except LINE (to accept cleartext).

    • During upgrade: Any configuration using a Type 7 password is automatically converted to a Type 10 secret.

    • Post-upgrade: You can still commit a configuration that uses the password option, but the password is stored as a Type 10 secret.

    • A new syslog has been added to indicate the deprecation process:

      %SECURITY-PSLIB-4-DEPRECATED_PASSWORD_TYPE : The password configuration is deprecated.
       Converting it to a Type 10 secret for user <user name>.

    • show running configuration command output before upgrade:

      username example
      password 7 106D000A0618
      !

    • show running configuration command output post-upgrade:

      username example
      secret 10 $6$P53pb/FFxNIT4b/.$yVakako4fp9PZiIYYh1xS0.W6b/yPrSyC8j4gLs6xli57iClOryPXyN9y8yojRD2nhAWb9pjr/WAIhbXqq8st.
      !
      
  • masked-password

    • The masked-password options available in the CLI from Release 24.4.1:

      RP/0/RP0/CPU0:ios(config-un)#masked-password ?
      0 Specifies a cleartext password will follow
      clear Config deprecated. Will be removed in 7.7.1. Specify '0' instead.
      <cr> The cleartext user password

    Changes:

    • The options 7 and encrypted that were present until Release 24.4.1 are removed.

    • During upgrade: Any configuration using a Type 7 password is automatically converted to a Type 10 secret.

    • Post-upgrade: masked-password is an alternate method of configuring the password. You can still commit the masked-password keyword with a cleartext string, but the password is stored as a Type 10 secret.

    • A new syslog has been added to indicate the deprecation process:

      %SECURITY-PSLIB-4-DEPRECATED_PASSWORD_TYPE : The password configuration is deprecated.
       Converting it to a Type 10 secret for user <user name>.

    • show running configuration command output before upgrade:

      username example
      password 7 106D000A0618
      !

    • show running configuration command output post-upgrade:

      username example
      secret 10 $6$P53pb/FFxNIT4b/.$yVakako4fp9PZiIYYh1xS0.W6b/yPrSyC8j4gLs6xli57iClOryPXyN9y8yojRD2nhAWb9pjr/WAIhbXqq8st.
      !
      
  • password-policy

    • The password-policy options available in the CLI from Release 24.4.1:

      RP/0/RP0/CPU0:ios(config-un)#password-policy ?
      WORD Specify the password policy name

      RP/0/RP0/CPU0:ios(config-un)#password-policy abcd password ?
      0 Specifies an UNENCRYPTED password will follow
      7 Specifies that an encrypted password will follow
      LINE The UNENCRYPTED (cleartext) user password
      clear Config deprecated. Will be removed in 7.7.1. Specify '0' instead.
      encrypted Config deprecated. Will be removed in 7.7.1. Specify '7' instead.

    Changes:

    • All the options that were present until Release 24.4.1 are removed except LINE (to accept cleartext).

    • During upgrade: Any configuration using a Type 7 password is automatically converted to a Type 10 secret.

    • Post-upgrade: You can still commit a configuration that uses the password-policy password option, but the password is stored as a Type 10 secret.

    • A new syslog has been added to indicate the deprecation process:

      %SECURITY-PSLIB-4-DEPRECATED_PASSWORD_TYPE : The password configuration is deprecated.
       Converting it to a Type 10 secret for user <username>.

    • show running configuration command output before upgrade:

      username example
      password-policy abcd password 7 106D000A0618
      !

    • show running configuration command output post-upgrade:

      username example
      secret 10 $6$P53pb/FFxNIT4b/.$yVakako4fp9PZiIYYh1xS0.W6b/yPrSyC8j4gLs6xli57iClOryPXyN9y8yojRD2nhAWb9pjr/WAIhbXqq8st.
      !
      !
  • aaa password-policy

    • The aaa password-policy options available in the CLI from Release 24.4.1:

      RP/0/RP0/CPU0:ios(config)#aaa password-policy abcd
      RP/0/RP0/CPU0:ios(config-pp)#?
      min-char-change Number of characters change required between old and new passwords (deprecated, will be removed in 25.3.1)
      restrict-password-advanced Advanced restrictions on new password (deprecated, will be removed in 25.3.1)
      restrict-password-reverse Restricts the password to be same as reversed old password (deprecated, will be removed in 25.3.1)

    Changes:

    • The options min-char-change, restrict-password-advanced, and restrict-password-reverse that were present until Release 24.4.1 are deprecated.

    • During upgrade: These deprecated configurations are not changed during the upgrade.

    • Post-upgrade: These deprecated keywords do not take effect when configured after the upgrade.

    • New syslogs have been added to indicate the deprecation process:

      %SECURITY-LOCALD-4-DEPRECATED_PASSWORD_POLICY_OPTION : The password policy option 'min-char-change' is deprecated.
       Password/Secret will not be checked against this option now.
      %SECURITY-LOCALD-4-DEPRECATED_PASSWORD_POLICY_OPTION : The password policy option 'restrict-password-reverse' is deprecated.
       Password/Secret will not be checked against this option now.
      %SECURITY-LOCALD-4-DEPRECATED_PASSWORD_POLICY_OPTION : The password policy option 'restrict-password-advanced' is deprecated.
       Password/Secret will not be checked against this option now.

    • show running configuration command output before upgrade:

      aaa password-policy abcd
      lower-case 3
      min-char-change 1
      restrict-password-reverse
      restrict-password-advanced
      !

    • show running configuration command output post-upgrade (the deprecated lines are retained as they were, but no longer take effect):

      aaa password-policy abcd
      lower-case 3
      min-char-change 1
      restrict-password-reverse
      restrict-password-advanced
      !
  • secret

    • The secret options available in the CLI from Release 24.4.1:

      RP/0/RP0/CPU0:ios(config-un)#secret ?
      0 Specifies a cleartext password will follow
      10 Specifies that SHA512-based password will follow
      8 Specifies that SHA256-based password will follow
      9 Specifies that Scrypt-based password will follow
      LINE The cleartext user password

      RP/0/RP0/CPU0:ios(config-un)#secret 0 enc-type ?
      <8-10> Specifies which algorithm to use. Only 8,9,10 supported [Note: Option '5' is not available to use from 24.4]

    Changes:

    • The options 5 and encrypted are removed.

    • During upgrade: Configurations using a Type 5 secret remain unchanged.

    • Post-upgrade: Although the keyword 5 has been deprecated, you can still apply existing configurations that use a Type 5 secret.

    • A new syslog has been added to indicate the deprecation process:

      %SECURITY-LOCALD-2-DEPRECATED_SECRET_TYPE : Type 5 secret is deprecated.
       Please use the 'secret' keyword with option type 10 for user.

    • show running configuration command output before upgrade:

      username example
      secret 5 $1$kACo$2RtpcwyiRuRB/DhWzabfU1
      !
      !

    • show running configuration command output post-upgrade:

      username example
      secret 5 $1$kACo$2RtpcwyiRuRB/DhWzabfU1
      !
      !
  • masked-secret

    • The masked-secret options available in the CLI from Release 24.4.1:

      RP/0/RP0/CPU0:ios(config-un)#masked-secret ?
      0 Specifies a cleartext password will follow
      10 Specifies that SHA512-based password will follow
      8 Specifies that SHA256-based password will follow
      9 Specifies that Scrypt-based password will follow
      clear Config deprecated. Will be removed in 7.7.1. Specify '0' instead.
      <cr> The cleartext user password

    Changes:

    • The options 5 and encrypted are removed.

    • During upgrade: Configurations using masked-secret with Type 5 remain unchanged.

    • Post-upgrade: Although the keyword 5 has been deprecated, you can still apply existing configurations that use a Type 5 masked secret.

    • A new syslog has been added to indicate the deprecation process:

      %SECURITY-LOCALD-2-DEPRECATED_SECRET_TYPE : Type 5 secret is deprecated.
       Please use the 'secret' keyword with option type 10 for user.

    • show running configuration command output before upgrade:

      username example
      secret 5 $1$kACo$2RtpcwyiRuRB/DhWzabfU1
      !
      !

    • show running configuration command output post-upgrade:

      username example
      secret 5 $1$kACo$2RtpcwyiRuRB/DhWzabfU1
      !
      !
  • Special use cases

    • Use case 1: Configurations using both a Type 7 password and a secret with 8, 9, or 10 hashing, for the same user

      • During upgrade:

        • For the first 3000 username configurations, the password configuration will be rejected, and the secret configuration will remain unchanged.

        • For the rest of the username configurations, the original secret configuration will be rejected, and the password will be converted to a Type 10 secret.

      • Post-upgrade:

        • For a newly configured username, or a username that was already present before the upgrade, the password configuration will be rejected.

        • A new syslog has been added to indicate the deprecation process:

          %SECURITY-PSLIB-4-SECRET_CONFIG_PRESENT : The password configuration is deprecated.
           Once secret is configured, cannot use password config for user <user name> at index <x> now.

          where 'x' is a number representing the index.

    • Use case 2: Configurations using both a Type 7 password and a Type 5 secret, for the same user

      • During upgrade:

        • For any username configuration, the original Type 5 secret configuration will be rejected, and the password will be converted to a Type 10 secret.

      • Post-upgrade:

        • For a newly configured username, or a username that was already present before the upgrade, the password configuration will be converted to a Type 10 secret.

        • A new syslog has been added to indicate the deprecation process:

          %SECURITY-PSLIB-4-DEPRECATED_PASSWORD_TYPE : The password configuration is deprecated.
           Converting it to a Type 10 secret for user <username>.
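As an added example (not Cisco's tooling), the following Python script audits a saved running-config for the credential forms this section deprecates before an upgrade to Release 24.4.1: Type 7 password lines, Type 5 secret lines, and usernames that carry both a password and a secret (the special use cases above). The sample configuration and its usernames are constructed; the hashes are the ones shown on this page.

```python
import re
from collections import defaultdict
# Constructed sample running-config (not from a real device); it mixes the
# credential forms discussed above so the audit has something to flag.
SAMPLE_CONFIG = """\
username legacy
 password 7 106D000A0618
!
username mixed
 password 7 106D000A0618
 secret 10 $6$P53pb/FFxNIT4b/.$yVakako4fp9PZiIYYh1xS0.W6b/yPrSyC8j4gLs6xli57iClOryPXyN9y8yojRD2nhAWb9pjr/WAIhbXqq8st.
!
username md5user
 secret 5 $1$kACo$2RtpcwyiRuRB/DhWzabfU1
!
username modern
 secret 10 $6$P53pb/FFxNIT4b/.$yVakako4fp9PZiIYYh1xS0.W6b/yPrSyC8j4gLs6xli57iClOryPXyN9y8yojRD2nhAWb9pjr/WAIhbXqq8st.
!
"""
# Deprecated forms and the upgrade behaviour the section states for each.
DEPRECATED = {
    ("password", "7"): "Type 7 password: converted to a Type 10 secret during upgrade",
    ("secret", "5"): "Type 5 secret: left unchanged but deprecated; reconfigure as Type 10",
}
USER_RE = re.compile(r"^username\s+(\S+)\s*$")
# Optional masked- prefix, keyword, optional type number, then the stored value.
CRED_RE = re.compile(r"^\s+(?:masked-)?(password|secret)\s+(?:(0|5|7|8|9|10)\s+)?\S+")

def parse_credentials(config):
    """Map each username to its [(keyword, type)] list; cleartext entries get type '0'."""
    creds, user = defaultdict(list), None
    for line in config.splitlines():
        m = USER_RE.match(line)
        if m:
            user = m.group(1)
            continue
        if line.strip() == "!":    # end of the username block
            user = None
            continue
        m = CRED_RE.match(line)
        if m and user:
            creds[user].append((m.group(1), m.group(2) or "0"))
    return dict(creds)

def audit(config):
    """Return (username, finding) pairs to resolve before upgrading to Release 24.4.1."""
    findings = []
    for user, entries in parse_credentials(config).items():
        findings += [(user, DEPRECATED[e]) for e in entries if e in DEPRECATED]
        if {"password", "secret"} <= {kw for kw, _ in entries}:
            # Special use cases above: one of the two entries is rejected at upgrade.
            findings.append((user, "both password and secret configured: one will be rejected"))
    return findings
```

Run `audit()` over the output of the show running-config command saved from the device; a user that appears only with a Type 8, 9, or 10 secret produces no finding.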