Have you been looking for a better way to model your network infrastructure? Check out what we're doing with NetBox! Open source and widely extensible, NetBox has enabled thousands of organizations to automate their networks like never before possible.

Disabling password recovery

By stretch | Saturday, July 26, 2008 at 7:11 a.m. UTC

The decision by a San Francisco network admin to hold the city's network hostage has received a lot of media attention recently, but not much has been said about this was technically accomplished. The article linked above explains that the admin had disabled password recovery on key Cisco IOS devices:

According to an affidavit from James Ramsey, an inspector with the San Francisco Police Department, he and other investigators discovered dial-up and DSL modems that would allow an unauthorized connection to the FiberWAN. He also found that Childs had configured several of the Cisco devices with a command that would erase critical configuration data in the event that anyone tried to restore administrative access to the devices, something Ramsey saw as dangerous because no backup configuration files could be found.

Disabling the password recovery service prevents anyone with physical access to a device to obtain its configuration via the normal password recovery procedure. Although devices can be power-cycled normally and remain accessible with the right credentials, anyone attempting to perform password recovery is forced to wipe all configuration from the device before it can be utilized.

Clearly a dangerous command, it is hidden from the CLI context-sensitive help (at least in the IOS tested):

R1(config)# no service pass?
password-encryption  

Disabling password recovery:

R1(config)# no service password-recovery
WARNING:
Executing this command will disable password recovery me
chanism.
Do not execute this command without another plan for
password recovery.

Are you sure you want to continue? [yes/no]: y
R1(config)# ^Z
R1# reload
Proceed with reload? [confirm]

System Bootstrap, Version 12.2(8r)T2, RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 2002 by cisco Systems, Inc.
c3725 processor with 262144 Kbytes of main memory

Main memory is configured to 64 bit mode with parity disabled

Readonly ROMMON initialized

PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
...

While disabling password recovery can add a valuable layer of security, always ensure you have secured backups stored elsewhere for any devices on which it is implemented.

Posted in Security

Support PacketLife by buying stuff you don't need!

Comments


Tarun
August 7, 2008 at 5:38 p.m. UTC

You are right, it's a dangerous command to use, the DocCD though documents both disabling password recovery & then recovering from it (wiping out the config in the process)

Disabling password recovery

Recovering the device


Jim
April 9, 2009 at 9:52 p.m. UTC

You can still reset the router password , by opening the cases. I will not say more but it can be done.

Comments have closed for this article due to its age.