Disabling password recovery
By stretch | Saturday, July 26, 2008 at 7:11 a.m. UTC
The decision by a San Francisco network admin to hold the city's network hostage has received a lot of media attention recently, but not much has been said about how this was technically accomplished. The article linked above explains that the admin had disabled password recovery on key Cisco IOS devices:
According to an affidavit from James Ramsey, an inspector with the San Francisco Police Department, he and other investigators discovered dial-up and DSL modems that would allow an unauthorized connection to the FiberWAN. He also found that Childs had configured several of the Cisco devices with a command that would erase critical configuration data in the event that anyone tried to restore administrative access to the devices, something Ramsey saw as dangerous because no backup configuration files could be found.
Disabling the password recovery service prevents anyone with physical access to a device from obtaining its configuration via the normal password recovery procedure. Although devices can still be power-cycled normally and remain accessible with the right credentials, anyone attempting to perform password recovery is forced to wipe all configuration from the device before it can be used again.
Clearly a dangerous command, it is hidden from the CLI context-sensitive help (at least in the IOS tested):
R1(config)# no service pass?
password-encryption
Disabling password recovery:
R1(config)# no service password-recovery
WARNING:
Executing this command will disable password recovery mechanism.
Do not execute this command without another plan for password recovery.

Are you sure you want to continue? [yes/no]: y
R1(config)# ^Z
R1# reload
Proceed with reload? [confirm]

System Bootstrap, Version 12.2(8r)T2, RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 2002 by cisco Systems, Inc.
c3725 processor with 262144 Kbytes of main memory
Main memory is configured to 64 bit mode with parity disabled

Readonly ROMMON initialized

PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
...
While disabling password recovery can add a valuable layer of security, always ensure you have secured backups stored elsewhere for any devices on which it is implemented.
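One way to act on that advice is to audit saved configurations before the feature is rolled out. The script below is an added example, not part of the original post or any Cisco tooling: it scans a set of IOS running-configs for the `no service password-recovery` line, pulls the hostname from each config, and flags any device that has recovery disabled without an entry in a (constructed) list of verified off-box backups. The sample configs and the backup inventory are made up for the example; the device names, the `VERIFIED_BACKUPS` set and the risk labels are assumptions, not anything the post specifies.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed sample running-configs; only the two "service" lines matter here.
SAMPLE_CONFIGS: Dict[str, str] = {
    "r1.example": (
        "version 12.4\n"
        "no service password-recovery\n"
        "service password-encryption\n"
        "hostname R1\n"
        "!\n"
    ),
    "r2.example": (
        "version 12.4\n"
        "service password-encryption\n"
        "hostname R2\n"
        "!\n"
    ),
    "sw1.example": (
        "version 12.2\n"
        "no service password-recovery\n"
        "hostname SW1\n"
        "!\n"
    ),
}

# Constructed inventory of hostnames whose configs have a verified backup
# stored off the device (assumption: maintained by the operations team).
VERIFIED_BACKUPS = {"R1", "R2"}

# IOS prints the feature as an explicit "no service ..." line when it is off.
RECOVERY_DISABLED_RE = re.compile(r"^\s*no service password-recovery\s*$")
HOSTNAME_RE = re.compile(r"^\s*hostname\s+(\S+)\s*$")


@dataclass
class Finding:
    hostname: str
    recovery_disabled: bool
    backup_verified: bool

    @property
    def risk(self) -> str:
        # Recovery disabled with no known-good backup: a lockout means a
        # forced config wipe with nothing to restore from.
        if self.recovery_disabled and not self.backup_verified:
            return "CRITICAL: recovery disabled, no verified backup"
        if self.recovery_disabled:
            return "INFO: recovery disabled, backup verified"
        return "NOTE: recovery enabled (physical access can yield the config)"


def recovery_disabled(config_text: str) -> bool:
    """True if the config explicitly turns password recovery off."""
    return any(RECOVERY_DISABLED_RE.match(line) for line in config_text.splitlines())


def hostname_of(config_text: str, fallback: str) -> str:
    """Return the configured hostname, or the supplied fallback if absent."""
    for line in config_text.splitlines():
        m = HOSTNAME_RE.match(line)
        if m:
            return m.group(1)
    return fallback


def audit(configs: Dict[str, str], verified_backups: Iterable[str]) -> List[Finding]:
    """Evaluate every config and pair it with the backup inventory."""
    backups = set(verified_backups)
    findings = []
    for key, text in configs.items():
        host = hostname_of(text, key)
        findings.append(Finding(host, recovery_disabled(text), host in backups))
    return findings


def at_risk(findings: List[Finding]) -> List[str]:
    """Hostnames that must not go into production until a backup exists."""
    return [f.hostname for f in findings if f.recovery_disabled and not f.backup_verified]


if __name__ == "__main__":
    results = audit(SAMPLE_CONFIGS, VERIFIED_BACKUPS)
    for f in results:
        print(f"{f.hostname:6} {f.risk}")
    print("blocked:", at_risk(results))
```

Run it against a directory of exported running-configs by replacing `SAMPLE_CONFIGS` with the file contents; the only signal it relies on is the literal `no service password-recovery` line, which is exactly what the reload banner above corresponds to in the saved config.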
About the Author
Jeremy Stretch is a network engineer living in the Raleigh-Durham, North Carolina area. He is known for his blog and cheat sheets here at Packet Life. You can reach him by email or follow him on Twitter.
Posted in Security
April 9, 2009 at 9:52 p.m. UTC
You can still reset the router password, by opening the cases. I will not say more but it can be done.