Type the password in as "enable secret yourpasshere" one time, and look
at the config. It will probably show type 4 instead of type 5 after you
do that. Newer passwords are using SHA256 hashing instead of MD5. Once
you've entered it and have the type 4 hash, you can copy/paste that into
your config scripts and be fine as long as the devices are all running
new enough code to support it. Not sure what FN calls it, but the IOS
Security command reference at
http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-[..] lists that it was added in 15.1(4)M code for IOS, 15.0(1)S, and IOS XE
3.1S. In IOS XE 3.3.0SG they mention that type 5 was removed.

They also mention the caveat that if you downgrade a device with SHA256
enable to one without it, the enable secret will be removed, which might
lead to some interesting password recoveries if you roll this out
everywhere and have to downgrade to older code due to bugs.
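
An added example, not part of the original post: a small audit that reads saved configs, reports which enable secret type each one carries, and flags type 4 secrets on devices whose code lacks SHA256 support, the downgrade case described above. The hostnames, the `supports_type4` flag (which the operator fills in from the release notes) and the placeholder hash strings are assumptions made for illustration.

```python
import re

# Matches "enable secret [level N] <type> <hash>" as it appears in a saved config.
SECRET_RE = re.compile(r"^enable secret (?:level \d+ )?(\d+) (\S+)\s*$", re.M)
HASH_NAME = {"4": "SHA256", "5": "MD5"}  # the two types the post discusses

def secret_types(config_text):
    """Return the enable-secret type digits found in one config."""
    return [m.group(1) for m in SECRET_RE.finditer(config_text)]

def audit(fleet):
    """fleet maps hostname -> (config_text, supports_type4).

    supports_type4 is an operator-supplied assumption: True when the code the
    device runs (or is about to be downgraded to) supports SHA256 secrets.
    Returns a list of (hostname, type or None, note) tuples.
    """
    findings = []
    for host, (config, supports_type4) in sorted(fleet.items()):
        types = secret_types(config)
        if not types:
            findings.append((host, None, "no enable secret in config"))
        for t in types:
            if t == "4" and not supports_type4:
                note = "FLAG: type 4 secret, code lacks SHA256 support"
            else:
                note = "type %s (%s)" % (t, HASH_NAME.get(t, "unknown"))
            findings.append((host, t, note))
    return findings

# Constructed sample configs; the hash strings are placeholders, not real hashes.
FLEET = {
    "core-sw1": ("hostname core-sw1\nenable secret 4 PLACEHOLDERTYPE4HASH\n", True),
    "edge-rtr2": ("hostname edge-rtr2\nenable secret 4 PLACEHOLDERTYPE4HASH\n", False),
    "lab-rtr3": ("hostname lab-rtr3\nenable secret 5 $1$PLACEHOLDER$TYPE5HASH\n", False),
    "old-sw4": ("hostname old-sw4\nline vty 0 4\n", False),
}

if __name__ == "__main__":
    for host, _type, note in audit(FLEET):
        print("%s: %s" % (host, note))
```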

PAWS looks interesting, but is there any benefit to an environment with
just a few servers? I can certainly see the benefit of it for a service
provider managing the upgrades for a large number of CUPS/CUC
installations, but with a single pair of servers for each, is there any
benefit to it?

Second, isn't this the type of thing that would be rolled into UCMS?
Seems like something that would be aimed at people who want a management