Disabling password recovery

By stretch | Saturday, July 26, 2008 at 7:11 a.m. UTC

The decision by a San Francisco network admin to hold the city's network hostage has received a lot of media attention recently, but not much has been said about how this was technically accomplished. The article linked above explains that the admin had disabled password recovery on key Cisco IOS devices:

According to an affidavit from James Ramsey, an inspector with the San Francisco Police Department, he and other investigators discovered dial-up and DSL modems that would allow an unauthorized connection to the FiberWAN. He also found that Childs had configured several of the Cisco devices with a command that would erase critical configuration data in the event that anyone tried to restore administrative access to the devices, something Ramsey saw as dangerous because no backup configuration files could be found.

Disabling the password recovery service prevents anyone with physical access to a device from obtaining its configuration via the normal password recovery procedure. Devices can still be power-cycled normally and remain accessible with the right credentials, but anyone attempting password recovery is forced to wipe all configuration from the device before it can be used again.

Clearly a dangerous command, it is hidden from the CLI context-sensitive help (at least in the IOS tested):

R1(config)# no service pass?
password-encryption  

Disabling password recovery:

R1(config)# no service password-recovery
WARNING:
Executing this command will disable password recovery me
chanism.
Do not execute this command without another plan for
password recovery.

Are you sure you want to continue? [yes/no]: y
R1(config)# ^Z
R1# reload
Proceed with reload? [confirm]

System Bootstrap, Version 12.2(8r)T2, RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 2002 by cisco Systems, Inc.
c3725 processor with 262144 Kbytes of main memory

Main memory is configured to 64 bit mode with parity disabled

Readonly ROMMON initialized

PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
...

While disabling password recovery can add a valuable layer of security, always ensure you have secured backups stored elsewhere for any devices on which it is implemented.
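The backup caveat above is easy to state and easy to forget in a large network. As an added example (not from the original post or from Cisco's documentation), the following Python script audits a set of exported IOS configurations for `no service password-recovery` and reports, for each device where it is set, whether an off-box backup exists and how old it is. The hostnames, addresses, backup dates and the backup inventory format are all constructed for the example.

```python
"""Audit exported Cisco IOS configs for 'no service password-recovery'.

Added example, not part of the original post. Input is assumed to be a
mapping of hostname -> running-config text (e.g. from a nightly export)
plus a mapping of hostname -> date of the last off-box backup.
"""
import re
from datetime import date, timedelta

# Constructed sample configs: R1 has password recovery disabled, R2 does not.
SAMPLE_CONFIGS = {
    "R1": """!
hostname R1
no service password-recovery
service password-encryption
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
""",
    "R2": """!
hostname R2
service password-encryption
!
""",
}

# Constructed backup inventory: only R2 has ever been backed up off-box.
SAMPLE_BACKUPS = {"R2": date(2008, 7, 20)}

# Date the audit is run against (constructed to match the post's date).
AUDIT_DATE = date(2008, 7, 26)

# Anchored so that 'service password-recovery' (the default) does not match.
RECOVERY_DISABLED = re.compile(r"^\s*no service password-recovery\s*$", re.MULTILINE)


def password_recovery_disabled(config_text: str) -> bool:
    """Return True if the config contains 'no service password-recovery'."""
    return RECOVERY_DISABLED.search(config_text) is not None


def audit(configs, backups, today, max_age_days=30):
    """Return a list of (hostname, finding) for devices with recovery disabled.

    A device with recovery disabled and no (or a stale) backup is exactly the
    situation described in the post: recovering access there means losing
    the configuration with nothing to restore it from.
    """
    findings = []
    for host, text in configs.items():
        if not password_recovery_disabled(text):
            continue
        last = backups.get(host)
        if last is None:
            findings.append((host, "recovery disabled, no off-box backup"))
        elif today - last > timedelta(days=max_age_days):
            findings.append((host, f"recovery disabled, backup stale ({last})"))
        else:
            findings.append((host, f"recovery disabled, backup ok ({last})"))
    return findings


def run_sample():
    """Run the audit over the constructed sample data."""
    return audit(SAMPLE_CONFIGS, SAMPLE_BACKUPS, AUDIT_DATE)


if __name__ == "__main__":
    for host, finding in run_sample():
        print(f"{host}: {finding}")
```

Run against the sample data the script flags R1 as having recovery disabled with no backup on file, which is the combination the post warns about; R2 is not reported because the command is not present in its configuration. In practice the backup inventory would come from whatever system stores the exported configs, and the audit belongs in the same job that collects them.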

About the Author

Jeremy Stretch is a network engineer living in the Raleigh-Durham, North Carolina area. He is known for his blog and cheat sheets here at Packet Life. You can reach him by email or follow him on Twitter.

Posted in Security

Comments


Tarun (guest)
August 7, 2008 at 5:38 p.m. UTC

You are right, it's a dangerous command to use. The DocCD, though, documents both disabling password recovery and recovering from it (wiping out the config in the process):

Disabling password recovery

Recovering the device


Jim (guest)
April 9, 2009 at 9:52 p.m. UTC

You can still reset the router password by opening the case. I will not say more, but it can be done.