
Cisco IOS Software Releases 12.3 Special and Early Deployments

No Service Password-Recovery


The No Service Password-Recovery feature is a security enhancement that prevents anyone with console access from accessing the router configuration and clearing the password. It also prevents anyone from changing the configuration register values and accessing NVRAM.

Feature History for the No Service Password-Recovery Feature

Release       Modification
12.3(8)YA     This feature was introduced.
12.3(14)T     This feature was integrated into Cisco IOS Release 12.3(14)T.


Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Contents

Prerequisites for No Service Password-Recovery

Information About No Service Password-Recovery

How to Enable No Service Password-Recovery

Configuration Examples for No Service Password-Recovery

Additional References

Command Reference

Prerequisites for No Service Password-Recovery

You are required to download and install ROM monitor (ROMMON) version 12.2(11)YV1 before you can use this feature.

Information About No Service Password-Recovery

To configure the No Service Password-Recovery feature, you should understand the following concepts:

Cisco Password Recovery Procedure

Configuration Registers and System Boot Configuration

Cisco Password Recovery Procedure

The Cisco IOS software provides a password recovery procedure that relies upon gaining access to ROMMON mode by using the Break key during system startup. In ROMMON mode, the router software can be reloaded, at which time a new system configuration, including a new password, can be entered.

The current password recovery procedure gives anyone with console access the ability to access the router and its network. The No Service Password-Recovery feature prevents the completion of the Break key sequence and the entering of ROMMON mode during system startups and reloads.

Configuration Registers and System Boot Configuration

The lowest four bits of the configuration register (bits 3, 2, 1, and 0) form the boot field. The boot field determines if the router boots manually from ROM or automatically from Flash or the network. For example, when the configuration register boot field value is set to any value from 0x2 to 0xF, the router uses the boot field value to form a default boot filename for autobooting from a network server.

Bit 6, when set, causes the router to ignore the startup configuration; bit 8 enables a break. To use this feature, the configuration register must be set to autoboot before the feature can be enabled. Any other configuration register setting will prevent the feature from being enabled.


Note By default, the no confirm prompt and message are not displayed after reloads.


How to Enable No Service Password-Recovery

This section contains the following procedures:

Upgrading the ROMMON Version (required)

Verifying the Upgraded ROMMON Version (optional)

Enabling No Service Password-Recovery (required)

Recovering a Device (required)

Upgrading the ROMMON Version

If your router or access server does not find a valid system image to load, the system will enter ROMMON mode. ROMMON mode can also be accessed by interrupting the boot sequence during startup.

Another method for entering ROMMON mode is to set the configuration register so that the router automatically enters ROMMON mode when it boots. For information about setting the configuration register value, refer to the Cisco IOS Configuration Fundamentals and Network Management Configuration Guide, Release 12.3.

Perform this task to upgrade your version of ROMMON.

SUMMARY STEPS

1. reload

2. set tftp-file ip-address ip-subnet-mask default-gateway tftp-server

3. sync

4. tftpdnld -u

5. boot

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

reload

Example:

Router> reload

Reloads a Cisco IOS image. After issuing this command and responding to the system prompts as necessary, the system will begin reloading the system software image.

While the system is reloading, press the Break key or a Break key-combination during the first 60 seconds of system startup. Pressing the Break key interrupts the boot sequence and puts the router into ROMMON mode.

Note The default Break key combination is Ctrl-C, but this may be configured differently on your system.

Step 2 

set tftp-file ip-address ip-subnet-mask default-gateway tftp-server

Example:

ROMMON> set tftpabc 10.10.0.0 255.0.0.0 10.1.1.0 10.29.32.0

Displays all the created variables. The arguments are as follows:

tftp-file—Location of the new ROMMON image on the TFTP server. The length of the filename is a maximum of 45 characters.

ip-address—IP address on the router to connect to the TFTP server.

ip-subnet-mask—IP subnet mask of the router.

default-gateway—IP address of the gateway of the TFTP server.

tftp-server—IP address of the TFTP server from which the image will be downloaded.

Note This command is not supported on the Cisco 800 series routers.

Step 3 

sync

Example:

ROMMON> sync

Saves the changes to the image.

Step 4 

tftpdnld -u

Example:

ROMMON> tftpdnld -u

Downloads the new ROMMON image from the TFTP server. Reset if prompted.

Step 5 

boot

Example:

ROMMON> boot

Boots the router with the Cisco IOS image in flash memory.

Verifying the Upgraded ROMMON Version

To verify that you have downloaded a new version of ROMMON, use the show version command:

Router# show version

Cisco IOS Software, C828 Software (C828-K9OS&6-M), Version 12.3 (20040702:094716)
[userid 168]

Copyright (c) 1986-2004 by Cisco Systems, Inc.

ROM: System Bootstrap, Version 12.2(11)YV1, Release Software (fc1)

Router uptime is 22 minutes
System returned to ROM by reload
.
.
.

Enabling No Service Password-Recovery

Perform this task to enable the No Service Password-Recovery feature.


Note As a precaution, a valid Cisco IOS image should reside in flash memory before this feature is enabled.


If you plan to enter the no service password-recovery command, we recommend that you save a copy of the system configuration file in a location away from the switch or router. If you are using a switch that is operating in VTP transparent mode, we recommend that you also save a copy of the vlan.dat file in a location away from the switch.

Prerequisites

Always disable the feature before downgrading to an image that does not support this feature, because you cannot reset after the downgrade.

The configuration register boot bit must be enabled so that there is no way to break into ROMMON when this command is configured. Cisco IOS software should prevent the user from configuring the boot field in the config register.

Bit 6, which ignores the startup configuration, and bit 8, which enables a break, should be set.

The Break key should be disabled while the router is booting up and disabled in Cisco IOS software when this feature is enabled.

SUMMARY STEPS

1. enable

2. show version

3. configure terminal

4. config-register value

5. no service password-recovery

6. exit

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

show version

Example:

Router# show version

Displays information about the system software, including configuration register settings. The configuration register must be set to autoboot before entering the no service password-recovery command.

Step 3 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 4 

config-register value

Example:

Router(config)# config-register 0x2012

(Optional) Changes the configuration register setting.

If necessary, change the configuration register setting so the router is set to autoboot.

Step 5 

no service password-recovery

Example:

Router(config)# no service password-recovery

Disables password-recovery capability at the system console.

Step 6 

exit

Example:

Router(config)# exit

Exits global configuration mode and returns to EXEC mode.

Recovering a Device

To recover a device once the No Service Password-Recovery feature has been enabled, press the Break key within 5 seconds after the image decompresses during the boot. You are prompted to confirm the Break key action. When you confirm the action, the startup configuration is erased, the password-recovery procedure is enabled, and the router boots with the factory default configuration.

If you do not confirm the Break key action, the router boots normally with the No Service Password-Recovery feature enabled.

Examples

This section provides the following examples of the process:

Confirmed Break

Unconfirmed Break

Confirmed Break

PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
program load complete, entry point: 0x80013000, size: 0x8396a8
Self decompressing the image : 
######################################################################
###################################################################### [OK]
!The 5 second window starts now.

telnet> send break
telnet> send break
telnet> send break

Restricted Rights Legend

Use, duplication, or disclosure by the Government is subject to restrictions as set forth 
in subparagraph (c) of the Commercial Computer Software - Restricted Rights clause at FAR 
sec. 52.227-19 and subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer 
Software clause at DFARS sec. 252.227-7013.

Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706

Cisco IOS Software, C831 Software (C831-K9O3SY6-M), Version 12.3(8)YA
Copyright (c) 1986-2004 by Cisco Systems, Inc.
Compiled Fri 13-Aug-04 03:21
Image text-base: 0x80013200, data-base: 0x81020514

PASSWORD RECOVERY IS DISABLED.

Do you want to reset the router to factory default configuration and proceed [y/n] ? 
!The user enters "Y" here.

Reset router configuration to factory default.

This product contains cryptographic features and is subject to United States and local 
country laws governing import, export, transfer and use. Delivery of Cisco cryptographic 
products does not imply third-party authority to import, export, distribute or use 
encryption.

Importers, exporters, distributors and users are responsible for compliance with U.S. and 
local country laws. By using this product you agree to comply with applicable laws and 
regulations. If you are unable to comply with U.S. and local laws, return this product 
immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to export@cisco.com.

Cisco C831 (MPC857DSL) processor (revision 0x00) with 46695K/2457K bytes of memory.
Processor board ID 0000 (1314672220), with hardware revision 0000 CPU rev number 7
3 Ethernet interfaces
4 FastEthernet interfaces
128K bytes of NVRAM.
24576K bytes of processor board System flash (Read/Write)
2048K bytes of processor board Web flash (Read/Write)

         --- System Configuration Dialog ---

Would you like to enter the initial configuration dialog? [yes/no]: no
!Start up configuration is erased.

SETUP: new interface FastEthernet1 placed in "up" state
SETUP: new interface FastEthernet2 placed in "up" state
SETUP: new interface FastEthernet3 placed in "up" state
SETUP: new interface FastEthernet4 placed in "up" state

Press RETURN to get started!

Router>
Router> enable
Router# show startup configuration

startup-config is not present

Router# show running-config | incl service

no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption

!The "no service password-recovery" is disabled.

Unconfirmed Break

PASSWORD RECOVERY FUNCTIONALITY IS DISABLED

telnet> send break
program load complete, entry point: 0x80013000, size: 0x8396a8
Self decompressing the image : 
##################################################################################### [OK]

telnet> send break
telnet> send break

Restricted Rights Legend

Use, duplication, or disclosure by the Government is subject to restrictions as set forth 
in subparagraph (c) of the Commercial Computer Software - Restricted Rights clause at FAR 
sec. 52.227-19 and subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706

Cisco IOS Software, C831 Software (C831-K9O3SY6-M), Version 12.3(8)YA
Copyright (c) 1986-2004 by Cisco Systems, Inc.
Compiled Fri 13-Aug-04 03:21
Image text-base: 0x80013200, data-base: 0x81020514

PASSWORD RECOVERY IS DISABLED.
Do you want to reset the router to factory default configuration and proceed [y/n] ? 
!The user enters "N" here.

This product contains cryptographic features and is subject to United States and local 
country laws governing import, export, transfer and use. Delivery of Cisco cryptographic 
products does not imply third-party authority to import, export, distribute or use 
encryption.

Importers, exporters, distributors and users are responsible for compliance with U.S. and 
local country laws. By using this product you agree to comply with applicable laws and 
regulations. If you are unable to comply with U.S. and local laws, return this product 
immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at: 
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to export@cisco.com.
Cisco C831 (MPC857DSL) processor (revision 0x00) with 46695K/2457K bytes of memory.
Processor board ID 0000 (1314672220), with hardware revision 0000
CPU rev number 7
3 Ethernet interfaces
4 FastEthernet interfaces
128K bytes of NVRAM.
24576K bytes of processor board System flash (Read/Write)
2048K bytes of processor board Web flash (Read/Write)

Press RETURN to get started!
!The Cisco IOS software boots as if it is not interrupted.

Router> enable
Router#
Router# show startup config

Using 984 out of 131072 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no service password-recovery
!
hostname Router
!
boot-start-marker
boot-end-marker
!
memory-size iomem 5
!
no aaa new-model
ip subnet-zero
!
ip ips po max-events 100
no ftp-server write-enable
!
interface Ethernet0
 no ip address
 shutdown
!
interface Ethernet1
 no ip address
 shutdown
 duplex auto
!
interface Ethernet2
 no ip address
 shutdown
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
ip classless
!
ip http server
no ip http secure-server
!
control-plane
!
line con 0
 no modem enable
 transport preferred all
 transport output all
line aux 0
line vty 0 4
!
scheduler max-task-time 5000
end

Router# show running-config | incl service

no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no service password-recovery
end

Configuration Examples for No Service Password-Recovery

This section provides the following configuration example:

Disabling Password Recovery: Example

Disabling Password Recovery: Example

The following example shows how to obtain the configuration register setting (which is set to autoboot), disable password recovery capability, and then verify that the configuration persists through a system reload:

Router# show version

Cisco Internetwork Operating System Software 
IOS (tm) 5300 Software (C7200-P-M), Version 12.3(8)YA, RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2004 by Cisco Systems, Inc.
Compiled Wed 05-Mar-04 10:16 by xxx
Image text-base: 0x60008954, data-base: 0x61964000

ROM: System Bootstrap, Version 12.3(8)YA, RELEASE SOFTWARE (fc1)
.
.
.
125440K bytes of ATA PCMCIA card at slot 0 (Sector size 512 bytes).
8192K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x2102

Router# configure terminal

Router(config)# no service password-recovery

WARNING:
Executing this command will disable the password recovery mechanism.
Do not execute this command without another plan for password recovery.

Are you sure you want to continue? [yes/no]: yes
.
.
.
Router(config)# exit
Router#
Router# reload

Proceed with reload? [confirm] yes

00:01:54: %SYS-5-RELOAD: Reload requested
System Bootstrap, Version 12.3...
Copyright (c) 1994-2004 by cisco Systems, Inc.
C7400 platform with 262144 Kbytes of main memory

PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
.
.
.

Additional References

The following sections provide references related to the No Service Password-Recovery feature.

Related Documents

Related Topic
Document Title

Setting, changing, and recovering lost passwords

Refer to the "Configuring Passwords and Privileges" chapter in the Cisco IOS Security Configuration Guide, Release 12.3

Loading system images and rebooting

Refer to the "File Management" section in the Cisco IOS Configuration Fundamentals and Network Management Configuration Guide, Release 12.3

Security commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples

Refer to the Cisco IOS Security Command Reference, Release 12.3T


Standards

Standards
Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.


MIBs

MIBs
MIBs Link

No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs


RFCs

RFCs
Title

No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.


Technical Assistance

Description
Link

Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.

http://www.cisco.com/public/support/tac/home.shtml


Command Reference

This section documents one new command only:

service password-recovery

service password-recovery

To enable password recovery capability, use the service password-recovery command in global configuration mode. To disable password recovery capability, use the no service password-recovery command.

service password-recovery

no service password-recovery

Syntax Description

This command has no arguments or keywords.

Defaults

Password recovery capability is enabled.

Command Modes

Global configuration

Command History

Release       Modification
12.3(8)YA     This command was introduced.
12.3(14)T     This command was integrated into Cisco IOS Release 12.3(14)T.


Usage Guidelines


Note This command is not available on all platforms. Use Feature Navigator to ensure that it is available on your platform.


If you plan to disable the password recovery capability with the no service password-recovery command, we recommend that you save a copy of the system configuration file in a location away from the switch or router. If you are using a switch that is operating in VTP transparent mode, we recommend that you also save a copy of the vlan.dat file in a location away from the switch.


Caution Entering the no service password-recovery command at the command line disables password recovery. Always disable this command before downgrading to an image that does not support password recovery capability, because you cannot recover the password after the downgrade.

The configuration register boot bit must be enabled so that there is no way to break into ROMMON when this command is configured. Cisco IOS software should prevent the user from configuring the boot field in the config register.

Bit 6, which ignores the startup configuration, and bit 8, which enables a break, should be set.

The Break key should be disabled while the router is booting up and disabled in Cisco IOS software when this feature is enabled.

It may be necessary to use the config-register global configuration command to set the configuration register to autoboot before entering the no service password-recovery command. The last line of the show version EXEC command displays the configuration register setting. Use the show version EXEC command to obtain the current configuration register value, configure the router to autoboot with the config-register command if necessary, then enter the no service password-recovery command.

Once disabled, the following configuration register values are invalid for the no service password-recovery command:

0x0

0x2002 (bit 8 restriction)

0x0040 (bit 6)

0x8000 (bit 15)

Catalyst Switch Operation

Use the service password-recovery command to reenable the password-recovery mechanism (the default). This mechanism allows a user with physical access to the switch to hold down the Mode button and interrupt the boot process while the switch is powering up and to assign a new password. Use the no form of this command to disable the password-recovery capability.

When the password-recovery mechanism is disabled, interrupting the boot process is allowed only if the user agrees to set the system back to the default configuration. Use the show version EXEC command to verify if password recovery is enabled or disabled on a switch.

The service password-recovery command is valid only on Catalyst 3550 Fast Ethernet switches; it is not available for Gigabit Ethernet switches.

Examples

Router Configuration Examples

The following example shows how to obtain the configuration register setting (which in this example is set to autoboot), disable the password-recovery capability, and then verify that the configuration persists through a system reload. The noconfirm keyword prevents a confirmation prompt from interrupting the booting process.

Router# show version
 
Cisco Internetwork Operating System Software 
IOS (tm) 5300 Software (C7200-P-M), Version 12.3(8)YA, RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2004 by Cisco Systems, Inc.
Compiled Wed 05-Mar-03 10:16 by xxx
Image text-base: 0x60008954, data-base: 0x61964000
 
ROM: System Bootstrap, Version 12.3(8)YA, RELEASE SOFTWARE (fc1)
BOOTLDR: 7200 Software (C7200-KBOOT-M), Version 12.3(8)YA, RELEASE SOFTWARE (fc1)
 
Router uptime is 10 minutes
System returned to ROM by reload at 16:28:11 UTC Thu Mar 6 2003
.
.
.
125440K bytes of ATA PCMCIA card at slot 0 (Sector size 512 bytes).
8192K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x2012
 
Router# configure terminal
 
Router(config)# no service password-recovery noconfirm
 
WARNING:
Executing this command will disable the password recovery mechanism.
Do not execute this command without another plan for password recovery.
Are you sure you want to continue? [yes/no]: yes
.
.
.
Router(config)# exit
Router#
Router# reload
 
Proceed with reload? [confirm] yes
 
00:01:54: %SYS-5-RELOAD: Reload requested
System Bootstrap, 12.3(8)YA...
Copyright (c) 1994-2004 by cisco Systems, Inc.
C7400 platform with 262144 Kbytes of main memory
 
PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
.
.
.

The following example shows what happens when a break is confirmed and when a break is not confirmed.

Confirmed Break

PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
program load complete, entry point: 0x80013000, size: 0x8396a8
Self decompressing the image :

##########################################################################################
################################# [OK] !The 5-second window starts.

telnet> send break

              Restricted Rights Legend

Use, duplication, or disclosure by the Government is subject to restrictions as set forth 
in subparagraph (c) of the Commercial Computer Software - Restricted Rights clause at FAR 
sec. 52.227-19 and subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706

Cisco IOS Software, C831 Software (C831-K9O3SY6-M), Version 12.3(8)YA
Copyright (c) 1986-2004 by Cisco Systems, Inc.
Compiled Fri 13-Aug-04 03:21
Image text-base: 0x80013200, data-base: 0x81020514

PASSWORD RECOVERY IS DISABLED.
Do you want to reset the router to factory default configuration and proceed [y/n]?
!The user enters "y" here.

Reset router configuration to factory default.

This product contains cryptographic features and is subject to United States and local 
country laws governing import, export, transfer and use. Delivery of Cisco cryptographic 
products does not imply third-party authority to import, export, distribute or use 
encryption. Importers, exporters, distributors and users are responsible for compliance 
with U.S. and local country laws. By using this product you agree to comply with 
applicable laws and regulations. If you are unable to comply with U.S. and local laws, 
return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to export@cisco.com.

Cisco C831 (MPC857DSL) processor (revision 0x00) with 46695K/2457K bytes of memory.
Processor board ID 0000 (1314672220), with hardware revision 0000 CPU rev number 7
3 Ethernet interfaces
4 FastEthernet interfaces
128K bytes of NVRAM
24576K bytes of processor board System flash (Read/Write)
2048K bytes of processor board Web flash (Read/Write)

         --- System Configuration Dialog ---

Would you like to enter the initial configuration dialog? [yes/no]: no 
!Start up config is erased.

SETUP: new interface FastEthernet1 placed in "up" state
SETUP: new interface FastEthernet2 placed in "up" state
SETUP: new interface FastEthernet3 placed in "up" state
SETUP: new interface FastEthernet4 placed in "up" state

Press RETURN to get started!

Router> enable
Router# show startup configuration

startup-config is not present

Router# show running-config | incl service

no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!The "no service password-recovery" is disabled.

==========================================================================================

Unconfirmed Break

PASSWORD RECOVERY FUNCTIONALITY IS DISABLED

telnet> send break

program load complete, entry point: 0x80013000, size: 0x8396a8
Self decompressing the image :
##########################################################################################
########################################################################## [OK]

telnet> send break

              Restricted Rights Legend

Use, duplication, or disclosure by the Government is subject to restrictions as set forth 
in subparagraph (c) of the Commercial Computer Software - Restricted Rights clause at FAR 
sec. 52.227-19 and subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706

Cisco IOS Software, C831 Software (C831-K9O3SY6-M), Version 12.3(8)YA
Copyright (c) 1986-2004 by Cisco Systems, Inc.
Compiled Fri 13-Aug-04 03:21
Image text-base: 0x80013200, data-base: 0x81020514

PASSWORD RECOVERY IS DISABLED.
Do you want to reset the router to factory default configuration and proceed [y/n]?
!The user enters "n" here.

This product contains cryptographic features and is subject to United States and local 
country laws governing import, export, transfer and use. Delivery of Cisco cryptographic 
products does not imply third-party authority to import, export, distribute or use 
encryption.
Importers, exporters, distributors and users are responsible for compliance with U.S. and 
local country laws. By using this product you agree to comply with applicable laws and 
regulations. If you are unable to comply with U.S. and local laws, return this product 
immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to export@cisco.com.

Cisco C831 (MPC857DSL) processor (revision 0x00) with 46695K/2457K bytes of memory.
Processor board ID 0000 (1314672220), with hardware revision 0000 CPU rev number 7
3 Ethernet interfaces
4 FastEthernet interfaces
128K bytes of NVRAM
24576K bytes of processor board System flash (Read/Write)
2048K bytes of processor board Web flash (Read/Write)

Press RETURN to get started!
!The Cisco IOS software boots as if it is not interrupted.

Router> enable

Router# show startup configuration

Using 984 out of 131072 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no service password-recovery
!
hostname Router
!
boot-start-marker
boot-end-marker
!
memory-size iomem 5
!
no aaa new-model
ip subnet-zero
!
ip ips po max-events 100
no ftp-server write-enable
!
interface Ethernet0
 no ip address
 shutdown
!
interface Ethernet1
 no ip address
 shutdown
 duplex auto
!
interface Ethernet2
 no ip address
 shutdown
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
ip classless
!
ip http server
no ip http secure-server
!
control-plane
!
line con 0
 no modem enable
 transport preferred all
 transport output all
line aux 0
line vty 0 4
!
scheduler max-task-time 5000
end

Router# show running-configuration | incl service

no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no service password-recovery

Configuration Register Messages Example

The no service password-recovery command expects the router configuration register to be configured to autoboot. If the configuration register is set to something other than autoboot before the no service password-recovery command is entered, you will see a prompt like the one shown in the following example, asking you to use the config-register global configuration command to change the setting.

Router(config)# no service password-recovery
 
Please setup auto boot using config-register first.

Note To avoid any unintended result due to the behavior of this command, use the show version EXEC command to obtain the current configuration register value. If not set to autoboot, you will need to configure the router to autoboot with the config-register command before entering the no service password-recovery command.


Once password recovery is disabled, you will not be able to set bit pattern 0x40 or 0x8000, or set the value to 0x0 to disable autoboot. The following example shows the messages displayed when invalid configuration register settings are attempted on a router with password recovery disabled.

Router(config)# config-register 0x2143
 
Password recovery is disabled, cannot enable diag or ignore configuration.

The command will reset the invalid bit pattern and continue to allow modification of nonrelated bit patterns. The configuration register value will be reset to 0x3 at the next system reload, which can be verified by checking the last line of the show version command output:

Configuration register is 0x2012 (will be 0x3 at next reload)
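The configuration register rules stated in the Usage Guidelines (autoboot boot field, bits 6 and 15 not allowed) and the "will be 0x3 at next reload" form of the show version line can be checked offline from captured device output. The following audit script is an added example, not Cisco code: it parses saved show version and show running-config text, reports whether no service password-recovery is present, and lists the register rules a value violates. It deliberately does not model the bit 8 rule, so 0x2002 is not flagged; the sample captures are constructed to resemble the output shown in this document.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Configuration register bit masks, as described in the documentation above.
BOOT_FIELD_MASK = 0x000F    # bits 3..0: boot field (0x2-0xF = autoboot)
IGNORE_CONFIG_BIT = 0x0040  # bit 6: ignore the startup configuration
DIAG_BIT = 0x8000           # bit 15: listed as invalid once recovery is disabled

# Matches the last line of 'show version', with or without the pending-value suffix.
CONFREG_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?:\s*\(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)
# Matches the feature line exactly; 'no service password-encryption' must not match.
RECOVERY_DISABLED_RE = re.compile(r"^\s*no service password-recovery\s*$", re.M)
# Catalyst switches report the state in 'show version' instead.
SWITCH_BANNER_RE = re.compile(r"The password-recovery mechanism is disabled\.")


@dataclass
class AuditResult:
    recovery_disabled: bool
    confreg: Optional[int]
    pending_confreg: Optional[int]
    problems: list = field(default_factory=list)


def parse_confreg(show_version: str):
    """Return (current, pending) register values from 'show version' text."""
    m = CONFREG_RE.search(show_version)
    if not m:
        return None, None
    current = int(m.group(1), 16)
    pending = int(m.group(2), 16) if m.group(2) else None
    return current, pending


def confreg_problems(value: int) -> list:
    """List the documented rules that a register value violates."""
    problems = []
    boot_field = value & BOOT_FIELD_MASK
    if boot_field < 0x2:
        problems.append(f"boot field 0x{boot_field:X} is not autoboot (0x2-0xF required)")
    if value & IGNORE_CONFIG_BIT:
        problems.append("bit 6 (0x0040) set: startup configuration would be ignored")
    if value & DIAG_BIT:
        problems.append("bit 15 (0x8000) set: not allowed with password recovery disabled")
    return problems


def audit(show_version: str, running_config: str) -> AuditResult:
    """Combine both captures into one verdict for the device."""
    disabled = bool(RECOVERY_DISABLED_RE.search(running_config)
                    or SWITCH_BANNER_RE.search(show_version))
    current, pending = parse_confreg(show_version)
    problems = []
    if not disabled:
        problems.append("password recovery is still enabled (default)")
    if current is None:
        problems.append("no 'Configuration register is' line found in show version")
    else:
        problems += [f"current 0x{current:X}: {p}" for p in confreg_problems(current)]
        if pending is not None and pending != current:
            problems.append(f"register will change to 0x{pending:X} at next reload")
            problems += [f"pending 0x{pending:X}: {p}" for p in confreg_problems(pending)]
    return AuditResult(disabled, current, pending, problems)


# Constructed sample captures, shaped like the output shown in this document.
SAMPLE_SHOW_VERSION = """Cisco IOS Software, C831 Software (C831-K9O3SY6-M), Version 12.3(8)YA
ROM: System Bootstrap, Version 12.2(11)YV1, Release Software (fc1)
128K bytes of NVRAM.
Configuration register is 0x2102
"""
SAMPLE_RUNNING_CONFIG = """no service pad
service timestamps debug datetime msec
no service password-encryption
no service password-recovery
hostname Router
"""

if __name__ == "__main__":
    result = audit(SAMPLE_SHOW_VERSION, SAMPLE_RUNNING_CONFIG)
    status = "OK" if not result.problems else "REVIEW"
    print(f"{status}: recovery disabled={result.recovery_disabled}, "
          f"confreg=0x{result.confreg:X}, problems={result.problems}")
```

Feed it the text of show version and show running-config collected from each device to confirm that the feature survived a reload and that no pending register change will reopen the console recovery path.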

Catalyst Switch Example

The following example shows how to disable password recovery on a switch so that a user can only reset a password by agreeing to return to the default configuration:

Switch(config)# no service password-recovery
Switch(config)# exit
The password-recovery mechanism has been triggered, but is currently disabled. Access to 
the boot loader prompt through the password-recovery mechanism is disallowed at this 
point. However, if you agree to let the system be reset back to the default system 
configuration, access to the boot loader prompt can still be allowed.
 
Would you like to reset the system back to the default configuration (y/n)?

If you choose not to reset the system back to the default configuration, the normal boot process continues, as if the Mode button had not been pressed. If you choose to reset the system back to the default configuration, the configuration file in flash memory is deleted and the VLAN database file, flash:vlan.dat (if present), is deleted.

The following is sample output from the show version privileged EXEC command on a switch when password recovery is disabled:

Switch# show version
 
Cisco Internetwork Operating System Software
IOS (tm) C3550 Software (C3550-I9Q3L2-M), Version 12.3(8)YA, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Wed 24-Oct-01 06:20 by xxx
Image text-base: 0x00003000, data-base: 0x004C1864
 
ROM: Bootstrap program is C3550 boot loader
 
flam-1-6 uptime is 1 week, 6 days, 3 hours, 59 minutes
System returned to ROM by power-on
 
Cisco WS-C3550-48 (PowerPC) processor with 65526K/8192K bytes of memory.
Last reset from warm-reset
Running Layer2 Switching Only Image
 
Ethernet-controller 1 has 12 Fast Ethernet/IEEE 802.3 interfaces
 
Ethernet-controller 2 has 12 Fast Ethernet/IEEE 802.3 interfaces
 
Ethernet-controller 3 has 12 Fast Ethernet/IEEE 802.3 interfaces
 
Ethernet-controller 4 has 12 Fast Ethernet/IEEE 802.3 interfaces
 
Ethernet-controller 5 has 1 Gigabit Ethernet/IEEE 802.3 interface
 
Ethernet-controller 6 has 1 Gigabit Ethernet/IEEE 802.3 interface
 
48 FastEthernet/IEEE 802.3 interface(s)
2 Gigabit Ethernet/IEEE 802.3 interface(s)
 
The password-recovery mechanism is disabled.
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: AA:00:0B:2B:02:00
Configuration register is 0x10F

Related Commands

Command           Description
config-register   Changes the configuration register settings.
show version      Displays version information for the hardware and firmware.