No Service Password-Recovery
First Published: August 27, 2004
Last Updated: March 1, 2010
The No Service Password-Recovery feature is a security enhancement that prevents anyone with console access from accessing the router configuration and clearing the password. It also prevents anyone from changing the configuration register values and accessing NVRAM.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for No Service Password-Recovery" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.
Contents
• Prerequisites for No Service Password-Recovery
• Information About No Service Password-Recovery
• How to Enable No Service Password-Recovery
• Configuration Examples for No Service Password-Recovery
• Feature Information for No Service Password-Recovery
Prerequisites for No Service Password-Recovery
You must download and install ROM monitor (ROMMON) version 12.2(11)YV1 before you can use this feature.
Information About No Service Password-Recovery
To configure the No Service Password-Recovery feature, you should understand the following concepts:
• Cisco Password Recovery Procedure
• Configuration Registers and System Boot Configuration
Cisco Password Recovery Procedure
The Cisco IOS software provides a password recovery procedure that relies upon gaining access to ROMMON mode by using the Break key during system startup. When the router software is loaded from ROMMON mode, the configuration is updated with the new password.
The password recovery procedure gives anyone with console access the ability to access the router and its network. The No Service Password-Recovery feature prevents the completion of the Break key sequence and the entering of ROMMON mode during system startups and reloads.
Configuration Registers and System Boot Configuration
The lowest four bits of the configuration register (bits 3, 2, 1, and 0) form the boot field. The boot field determines if the router boots manually from ROM or automatically from flash or the network. For example, when the configuration register boot field value is set to any value from 0x2 to 0xF, the router uses the boot field value to form a default boot filename for autobooting from a network server.
Bit 6, when set, ignores the startup configuration, while bit 8 enables a break. To use the No Service Password-Recovery feature, you must set the configuration register to autoboot before the feature can be enabled. Any other configuration register setting will prevent the feature from being enabled.
Note
By default, the no confirm prompt and message are not displayed after reloads.
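The following script is an added example, not part of the Cisco document: it decodes a configuration register value into the fields described above (the boot field in bits 3 to 0, bit 6 for ignoring the startup configuration, bit 8 for console Break handling) and reports whether the register is in the autoboot range that the feature requires. The sample register values at the bottom are constructed; the treatment of boot field 0x1 as platform dependent is an assumption, only the 0x2 to 0xF range the text names is reported as autoboot.

```python
# Added example, not from the Cisco document: decode a configuration
# register value into the fields the section above describes. Bit
# positions follow the text: bits 3..0 are the boot field, bit 6 ignores
# the startup configuration, bit 8 controls console Break handling. The
# register values fed in at the bottom are constructed samples.

BOOT_FIELD_MASK = 0x000F      # bits 3, 2, 1, 0
IGNORE_STARTUP_BIT = 0x0040   # bit 6
BREAK_BIT = 0x0100            # bit 8


def parse_register(value):
    """Accept an int or a string such as '0x2102' / '2102' and return the
    16-bit register value, rejecting anything outside that range."""
    if not isinstance(value, int):
        value = int(str(value).strip(), 16)
    if not 0 <= value <= 0xFFFF:
        raise ValueError("configuration register must be 16 bits: %#x" % value)
    return value


def decode_register(value):
    """Return the boot field and the two bits the feature depends on."""
    reg = parse_register(value)
    boot_field = reg & BOOT_FIELD_MASK
    if boot_field == 0x0:
        boot_mode = "manual boot: router stops in ROM monitor"
    elif boot_field == 0x1:
        # assumption: exact 0x1 behaviour is platform dependent, so only
        # the document's 0x2..0xF range is reported as autoboot
        boot_mode = "boot field 0x1: platform-dependent single-image boot"
    else:
        boot_mode = "autoboot: boot field %#x forms the default boot filename" % boot_field
    return {
        "register": reg,
        "boot_field": boot_field,
        "autoboot": 0x2 <= boot_field <= 0xF,
        "ignore_startup_config": bool(reg & IGNORE_STARTUP_BIT),
        "break_bit_set": bool(reg & BREAK_BIT),
        "boot_mode": boot_mode,
    }


def feature_prerequisite_met(value):
    """Per the text, the register must be set to autoboot before
    No Service Password-Recovery can be enabled; any other setting blocks it."""
    return decode_register(value)["autoboot"]


def report(value):
    """Human-readable summary of one register value."""
    info = decode_register(value)
    return "\n".join([
        "register %#06x" % info["register"],
        "  boot field: %#x (%s)" % (info["boot_field"], info["boot_mode"]),
        "  bit 6 ignore startup-config: %s" % info["ignore_startup_config"],
        "  bit 8 break handling bit: %s" % info["break_bit_set"],
        "  autoboot, feature can be enabled: %s" % feature_prerequisite_met(value),
    ])


if __name__ == "__main__":
    # constructed sample values: the common default 0x2102, the
    # ignore-startup-config value 0x2142, and a ROM-monitor setting 0x2100
    for sample in ("0x2102", "0x2142", "0x2100"):
        print(report(sample))
```

Run it against the value printed by show version ("Configuration register is 0x2102" in the example later in this document) to confirm the boot field is in the autoboot range before entering the no service password-recovery command.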
How to Enable No Service Password-Recovery
This section contains the following procedures:
• Upgrading the ROMMON Version (required)
• Verifying the Upgraded ROMMON Version (optional)
• Enabling No Service Password-Recovery (required)
• Recovering a Device from the No Service Password-Recovery Feature (required)
Upgrading the ROMMON Version
If your router or access server does not find a valid system image to load, the system will enter ROMMON mode. ROMMON mode can also be accessed by interrupting the boot sequence during startup.
Another method for entering ROMMON mode is to set the configuration register so that the router automatically enters ROMMON mode when it boots. For information about setting the configuration register value, refer to the Cisco IOS Configuration Fundamentals Configuration Guide and Cisco IOS Network Management Configuration Guide.
Perform this task to upgrade your version of ROMMON.
SUMMARY STEPS
1. reload
2. set tftp-file ip-address ip-subnet-mask default-gateway tftp-server
3. sync
4. tftpdnld -u
5. boot
DETAILED STEPS
Verifying the Upgraded ROMMON Version
To verify that you have an upgraded version of ROMMON, use the show version command:
Router# show version
Cisco IOS Software, C828 Software (C828-K9OS&6-M), Version 12.3 (20040702:094716) [userid 168]
Copyright (c) 1986-2004 by Cisco Systems, Inc.
ROM: System Bootstrap, Version 12.2(11)YV1, Release Software (fc1)
Router uptime is 22 minutes
System returned to ROM by reload
...
Enabling No Service Password-Recovery
Perform this task to enable the No Service Password-Recovery feature.
Note
As a precaution, a valid Cisco IOS image should reside in flash memory before this feature is enabled.
If you plan to enter the no service password-recovery command, Cisco recommends that you save a copy of the system configuration file in a location away from the switch or router. If you are using a switch that is operating in VLAN Trunking Protocol (VTP) transparent mode, Cisco recommends that you also save a copy of the vlan.dat file in a location away from the switch.
Prerequisites
Always disable the feature before downgrading to an image that does not support this feature, because you cannot reset after the downgrade.
The configuration register boot bit must be enabled so that there is no way to break into ROMMON when this command is configured. Cisco IOS software should prevent the user from configuring the boot field in the config register.
Bit 6, which ignores the startup configuration, and bit 8, which enables a break, should be set.
The Break key should be disabled while the router is booting up and disabled in Cisco IOS software when this feature is enabled.
SUMMARY STEPS
1. enable
2. show version
3. configure terminal
4. config-register value
5. no service password-recovery
6. exit
DETAILED STEPS
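The following script is an added example and not Cisco's code: it checks captured CLI output against the prerequisites of the procedure above and confirms the result afterwards. It parses the ROMMON bootstrap version and the configuration register out of show version output, compares the ROMMON version with the 12.2(11)YV1 requirement named in the Prerequisites section, and looks for the exact no service password-recovery line in the running configuration. The two captures are constructed from the show version and show running-config fragments in this document; comparing only the numeric part of the version string (train letters such as T, YA or YV are not ordered) is an assumption that should be confirmed against the platform release notes.

```python
import re

# Added example, not Cisco's code: audit captured CLI output before and
# after running the "Enabling No Service Password-Recovery" procedure.
# The captures are constructed from fragments shown in this document.

REQUIRED_ROMMON = "12.2(11)YV1"   # version named in the Prerequisites section

ROMMON_RE = re.compile(r"^ROM: System Bootstrap, Version ([^,\s]+)", re.M)
CONFREG_RE = re.compile(r"^Configuration register is (0x[0-9A-Fa-f]{1,4})", re.M)
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)(\w*)$")

# constructed capture: show version lines taken from this document
SHOW_VERSION = """Router# show version
Cisco IOS Software, C828 Software (C828-K9OS&6-M), Version 12.3 (20040702:094716) [userid 168]
Copyright (c) 1986-2004 by Cisco Systems, Inc.
ROM: System Bootstrap, Version 12.2(11)YV1, Release Software (fc1)
Router uptime is 22 minutes
System returned to ROM by reload
Configuration register is 0x2102
"""

# constructed capture: show running-config | incl service, before and after
CONFIG_BEFORE = """no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
"""
CONFIG_AFTER = CONFIG_BEFORE + "no service password-recovery\n"


def parse_ios_version(version):
    """Split '12.2(11)YV1' into (12, 2, 11, 'YV1')."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % version)
    major, minor, maint, train = m.groups()
    return int(major), int(minor), int(maint), train


def rommon_meets_requirement(found, required=REQUIRED_ROMMON):
    """Numeric comparison only (assumption): train letters are not ordered,
    so confirm a higher-numbered train against the platform release notes."""
    return parse_ios_version(found)[:3] >= parse_ios_version(required)[:3]


def feature_enabled(config_text):
    """True only when the exact line is present; exact matching keeps
    'no service password-encryption' from being mistaken for it."""
    return any(line.strip() == "no service password-recovery"
               for line in config_text.splitlines())


def audit(show_version, config_text):
    """Summarise ROMMON version, register boot field and feature state."""
    findings = []
    m = ROMMON_RE.search(show_version)
    rommon = m.group(1) if m else None
    try:
        rommon_ok = rommon is not None and rommon_meets_requirement(rommon)
    except ValueError:
        rommon_ok = False
    if not rommon:
        findings.append("ROMMON version not found in show version output")
    elif not rommon_ok:
        findings.append("ROMMON %s does not meet required %s" % (rommon, REQUIRED_ROMMON))

    m = CONFREG_RE.search(show_version)
    register = int(m.group(1), 16) if m else None
    # boot field is bits 3..0; the text requires autoboot, 0x2..0xF
    autoboot = register is not None and 0x2 <= (register & 0xF) <= 0xF
    if register is None:
        findings.append("configuration register not found in show version output")
    elif not autoboot:
        findings.append("configuration register %#06x is not set to autoboot" % register)

    enabled = feature_enabled(config_text)
    if not enabled:
        findings.append("no service password-recovery is not in the running configuration")
    return {
        "rommon": rommon,
        "rommon_ok": rommon_ok,
        "register": register,
        "autoboot": autoboot,
        "feature_enabled": enabled,
        "ready_to_enable": rommon_ok and autoboot and not enabled,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        result = audit(SHOW_VERSION, cfg)
        print(label, result["feature_enabled"], result["findings"])
```

Feed it the real show version and show running-config output from the device; an empty findings list after the reload means the feature is present and the register is still in the autoboot range.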
Recovering a Device from the No Service Password-Recovery Feature
To recover a device once the No Service Password-Recovery feature has been enabled, press the Break key just after the "Compiled <date> by" message appears during the boot. You are prompted to confirm the Break key action. When you confirm the action, the startup configuration is erased, the password-recovery procedure is enabled, and the router boots with the factory default configuration.
If you do not confirm the Break key action, the router boots normally with the No Service Password-Recovery feature enabled.
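The following script is an added example, not part of the Cisco document: it classifies a captured console boot transcript from a router with the feature enabled as a normal boot, an unconfirmed Break, or a confirmed Break in which the startup configuration was erased, so that such an event can be spotted from console-server logs and the configuration restored from the off-box copy recommended earlier. The marker strings are the ones that appear in the console output reproduced in the Examples below; the three transcripts here are constructed from those fragments and shortened.

```python
# Added example, not from the Cisco document: classify captured console
# boot transcripts from a router with No Service Password-Recovery
# enabled. Marker strings come from the console output reproduced in
# this document; the transcripts are constructed and shortened.

DISABLED_BANNER = "PASSWORD RECOVERY FUNCTIONALITY IS DISABLED"
BREAK_PROMPT = ("Do you want to reset the router to factory default "
                "configuration and proceed [y/n] ?")
RESET_MSG = "Reset router configuration to factory default."
SETUP_DIALOG = "--- System Configuration Dialog ---"

# constructed transcript: Break sent, reset confirmed at the prompt
CONFIRMED = """PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
program load complete, entry point: 0x80013000, size: 0x8396a8
Compiled Mon 17-Mar-08 15:24 by dchih
PASSWORD RECOVERY IS DISABLED.
Do you want to reset the router to factory default configuration and proceed [y/n] ?
Reset router configuration to factory default.
--- System Configuration Dialog ---
Would you like to enter the initial configuration dialog? [yes/no]: no
Press RETURN to get started!
"""

# constructed transcript: Break sent twice, reset declined both times
UNCONFIRMED = """PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
program load complete, entry point: 0x80013000, size: 0x8396a8
Compiled Mon 17-Mar-08 15:24 by dchih
PASSWORD RECOVERY IS DISABLED.
Do you want to reset the router to factory default configuration and proceed [y/n] ?
PASSWORD RECOVERY IS DISABLED.
Do you want to reset the router to factory default configuration and proceed [y/n] ?
Press RETURN to get started!
"""

# constructed transcript: no Break at all
NORMAL = """PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
program load complete, entry point: 0x80013000, size: 0x8396a8
Compiled Mon 17-Mar-08 15:24 by dchih
Press RETURN to get started!
"""


def boot_evidence(transcript):
    """Count the markers that distinguish the possible boot outcomes."""
    return {
        "feature_active": DISABLED_BANNER in transcript,
        "break_prompts": transcript.count(BREAK_PROMPT),
        "config_reset": RESET_MSG in transcript,
        "setup_dialog": SETUP_DIALOG in transcript,
    }


def classify_boot(transcript):
    """Return 'feature-inactive', 'normal-boot', 'unconfirmed-break' or
    'confirmed-break' for one captured boot."""
    ev = boot_evidence(transcript)
    if not ev["feature_active"]:
        return "feature-inactive"
    if ev["break_prompts"] == 0:
        return "normal-boot"
    if ev["config_reset"]:
        return "confirmed-break"
    return "unconfirmed-break"


def review_boots(transcripts):
    """Produce one alert line per boot in which a Break was used; a
    confirmed Break means the startup configuration is gone and has to be
    restored from the saved copy, and console access should be reviewed."""
    alerts = []
    for name, text in transcripts.items():
        verdict = classify_boot(text)
        if verdict == "confirmed-break":
            alerts.append("%s: startup configuration erased via console Break" % name)
        elif verdict == "unconfirmed-break":
            alerts.append("%s: Break attempted on console, declined at prompt" % name)
    return alerts


if __name__ == "__main__":
    samples = {"boot-1": CONFIRMED, "boot-2": UNCONFIRMED, "boot-3": NORMAL}
    for name, text in samples.items():
        print(name, classify_boot(text))
    print(review_boots(samples))
```

The dictionary keys stand in for whatever identifies a capture on a console server (port name, timestamp); the classification relies only on the strings the router prints, so it works on any session log that preserves the boot banner.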
Examples
This section provides the following examples of the process:
Confirmed Break
PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
program load complete, entry point: 0x80013000, size: 0x8396a8
Self decompressing the image : ############################################################################ [OK]
telnet> send break
telnet> send break
telnet> send break
Restricted Rights Legend
Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c) of the Commercial Computer Software - Restricted Rights clause at FAR sec. 52.227-19 and subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS sec. 252.227-7013.
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IPBASE-M), Version 12.3(26), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by cisco Systems, Inc.
Compiled Mon 17-Mar-08 15:24 by dchih
PASSWORD RECOVERY IS DISABLED.
Do you want to reset the router to factory default configuration and proceed [y/n] ?
Reset router configuration to factory default.
This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to export@cisco.com.
Cisco C831 (MPC857DSL) processor (revision 0x00) with 46695K/2457K bytes of memory.
Processor board ID 0000 (1314672220), with hardware revision 0000
CPU rev number 7
3 Ethernet interfaces
4 FastEthernet interfaces
128K bytes of NVRAM.
24576K bytes of processor board System flash (Read/Write)
2048K bytes of processor board Web flash (Read/Write)
--- System Configuration Dialog ---
Would you like to enter the initial configuration dialog? [yes/no]: no
!Start up configuration is erased.
SETUP: new interface FastEthernet1 placed in "up" state
SETUP: new interface FastEthernet2 placed in "up" state
SETUP: new interface FastEthernet3 placed in "up" state
SETUP: new interface FastEthernet4 placed in "up" state
Press RETURN to get started!
Router>
Router> enable
Router# show startup configuration
startup-config is not present
Router# show running-config | incl service
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!The "no service password-recovery" is disabled.
Unconfirmed Break
PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
telnet> send break
program load complete, entry point: 0x80013000, size: 0x8396a8
Self decompressing the image : ##################################################################### [OK]
telnet> send break
telnet> send break
Restricted Rights Legend
Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c) of the Commercial Computer Software - Restricted Rights clause at FAR sec. 52.227-19 and subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS sec. 252.227-7013.
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IPBASE-M), Version 12.3(26), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by cisco Systems, Inc.
Compiled Mon 17-Mar-08 15:24 by dchih
PASSWORD RECOVERY IS DISABLED.
Do you want to reset the router to factory default configuration and proceed [y/n] ?
PASSWORD RECOVERY IS DISABLED.
Do you want to reset the router to factory default configuration and proceed [y/n] ?
!The user enters "N" here.
This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to export@cisco.com.
Cisco C831 (MPC857DSL) processor (revision 0x00) with 46695K/2457K bytes of memory.
Processor board ID 0000 (1314672220), with hardware revision 0000
CPU rev number 7
3 Ethernet interfaces
4 FastEthernet interfaces
128K bytes of NVRAM.
24576K bytes of processor board System flash (Read/Write)
2048K bytes of processor board Web flash (Read/Write)
Press RETURN to get started!
!The Cisco IOS software boots as if it is not interrupted.
Router> enable
Router#
Router# show startup config
Using 984 out of 131072 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no service password-recovery
!
hostname Router
!
boot-start-marker
boot-end-marker
!
memory-size iomem 5
!
no aaa new-model
ip subnet-zero
!
ip ips po max-events 100
no ftp-server write-enable
!
interface Ethernet0
 no ip address
 shutdown
!
interface Ethernet1
 no ip address
 shutdown
 duplex auto
!
interface Ethernet2
 no ip address
 shutdown
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
ip classless
!
ip http server
no ip http secure-server
!
control-plane
!
line con 0
 no modem enable
 transport preferred all
 transport output all
line aux 0
line vty 0 4
!
scheduler max-task-time 5000
end
Router# show running-config | incl service
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no service password-recovery
end
Configuration Examples for No Service Password-Recovery
This section provides the following configuration example:
• Disabling Password Recovery: Example
Disabling Password Recovery: Example
The following example shows how to obtain the configuration register setting (which is set to autoboot), disable password recovery capability, and then verify that the configuration persists through a system reload:
Router# show version
Cisco Internetwork Operating System Software
IOS (tm) 5300 Software (C7200-P-M), Version 12.3(8)YA, RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2004 by Cisco Systems, Inc.
Compiled Wed 05-Mar-04 10:16 by xxx
Image text-base: 0x60008954, data-base: 0x61964000
ROM: System Bootstrap, Version 12.3(8)YA, RELEASE SOFTWARE (fc1)
...
125440K bytes of ATA PCMCIA card at slot 0 (Sector size 512 bytes).
8192K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x2102
Router# configure terminal
Router(config)# no service password-recovery
WARNING:
Executing this command will disable the password recovery mechanism.
Do not execute this command without another plan for password recovery.
Are you sure you want to continue? [yes/no]: yes
...
Router(config)# exit
Router#
Router# reload
Proceed with reload? [confirm] yes
00:01:54: %SYS-5-RELOAD: Reload requested
System Bootstrap, Version 12.3...
Copyright (c) 1994-2004 by cisco Systems, Inc.
C7400 platform with 262144 Kbytes of main memory
PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
...
Additional References
The following sections provide references related to the No Service Password-Recovery feature.
Related Documents
Related Topic: Setting, changing, and recovering lost passwords
Document Title: "Configuring Security with Passwords, Privilege Levels, and Login Usernames for CLI Sessions on Networking Devices" feature module
Related Topic: Loading system images and rebooting
Document Title: "Using the Cisco IOS Integrated File System" feature module
Related Topic: Security commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples
Document Title: Cisco IOS commands
Standards
MIBs
MIBs: None
MIBs Link: To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
RFCs
Technical Assistance
Feature Information for No Service Password-Recovery
Table 1 lists the release history for this feature.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note
Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.
© 2004-2010 Cisco Systems, Inc. All rights reserved.