Access Security Guide K/KA/KB.15.15

Table 1 Switch storage states (continued)

Type: RADIUS & TACACS keystrings
  Factory Default: not displayed in config
  Enabled: stored in flash; displayed in config
  Include-Credentials Disabled but Active: same as include-credentials enabled — not displayed in config
  No Include-Credentials Executed: no credentials displayed in config
NOTE: When the [no] include-credentials store-in-config command is executed, the switch is restored
to its default state and only stores one set of operator/manager passwords and SSH keys.
[no] include-credentials store-in-config option
The [no] include-credentials command disables include-credentials. Credentials continue
to be stored in the active and inactive configurations, but are not displayed in the config file.
When [no] include-credentials is used with the store-in-config option,
include-credentials is disabled and the credentials stored in the config files are removed.
The switch is restored to its default state and only stores one set of operator/manager passwords
and SSH keys. If you choose to execute the [no] include-credentials store-in-config
command, you are also presented with the option of setting new switch passwords.
You are queried about retaining the current SSH authorized keys on the switch. If you enter “y”,
the currently active authorized key files are renamed to the pre-include-credentials names, for
example:
/file/mgr_auth_keys.2 -> /file/mgr_auth_keys
/file/authorized_keys.2 -> /file/authorized_keys
All remaining authorized keys files with an extension are deleted.
Figure 9 Example of [no] include-credentials store-in-config messages and options
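Added example (not from this guide or the switch software): after [no] include-credentials store-in-config has been run, a saved or exported config can be checked for leftover credential statements before it is archived or shared. The Python sketch below reports the include-credentials directive and any credential-bearing lines with the secret redacted; the sample config is constructed, and the statement shapes for the password, radius-server and tacacs-server lines are assumptions to adjust to what your firmware writes.

```python
import re

# Constructed sample of a saved config; the statement shapes below are
# assumptions, so adjust the patterns to what your firmware actually writes.
SAMPLE_CONFIG = '''hostname "lab-sw1"
include-credentials
password manager user-name "admin" sha1 "0000000000000000000000000000000000000000"
radius-server host 192.0.2.10 key "constructed-secret"
tacacs-server key "constructed-secret-2"
vlan 1
'''

DIRECTIVE = re.compile(r'^\s*(no\s+)?include-credentials\b\s*(.*)$', re.I)
CREDENTIAL_PATTERNS = {
    "manager/operator password": re.compile(r'^\s*password\s+(?:manager|operator)\b', re.I),
    "RADIUS key": re.compile(r'^\s*radius-server\b.*?\bkey\b', re.I),
    "TACACS key": re.compile(r'^\s*tacacs-server\b.*?\bkey\b', re.I),
}

def audit_config(text):
    """Return (directive, findings) for one saved config file.

    directive: 'absent', 'disabled', or the enabled form found in the file.
    findings:  (line_number, kind, redacted_line) for each credential line.
    """
    directive, findings = "absent", []
    for number, line in enumerate(text.splitlines(), start=1):
        d = DIRECTIVE.match(line)
        if d:
            option = d.group(2).strip().lower()
            directive = "disabled" if d.group(1) else ("enabled " + option).strip()
            continue
        for kind, pattern in CREDENTIAL_PATTERNS.items():
            m = pattern.match(line)
            if m:
                # Keep only the keyword prefix so the report never repeats a secret.
                findings.append((number, kind, line[:m.end()].strip() + " <redacted>"))
                break
    return directive, findings

if __name__ == "__main__":
    state, hits = audit_config(SAMPLE_CONFIG)
    print("include-credentials:", state)
    for number, kind, redacted in hits:
        print(f"  line {number}: {kind}: {redacted}")
```

A config that reports the directive as absent and returns no findings is consistent with credentials not being displayed in the config file.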
Enabling the storage and display of security credentials
To enable the security settings, enter the include-credentials command.
Syntax:
[no] include-credentials [ radius-tacacs-only | store-in-config ]
Enables the inclusion and display of the currently configured manager and operator
usernames and passwords, RADIUS shared secret keys, SNMP and 802.1X