Cisco Network Security Little Black Book - Joe Harris.pdf


Password: Omni-Pass01


Note After you enter the enable command, the password you type at the password prompt will not be displayed. Be sure to type the password exactly as it is configured in the enable password command.

You configure an enable secret password by entering the following command in global configuration mode:

SecureRouter#config t

Enter configuration commands, one per line. End with CNTL/Z.

SecureRouter(config)#enable secret Long@Horn10



The preceding configuration sets the enable secret password to Long@Horn10. Unlike the enable password, the enable secret is stored in the configuration as a one-way hash rather than in clear text, and it takes precedence when both are configured. The result of setting the enable secret password can be seen in the following output. From the user mode prompt, you must enter the enable command to gain access into privileged mode, as follows:

SecureRouter>enable
Password: Long@Horn10
SecureRouter#


Note After you enter the enable command, the password you type at the password prompt will not be displayed. Be sure to type the password exactly as it is configured in the enable secret command.

Disabling Password Recovery

Setting passwords on routers is the first line of defense against intruders. Sometimes passwords are forgotten and must be recovered. The widely known password recovery procedure, however, needs only physical console access and a reboot, so there are instances in which it should be disabled: when the physical security of the router cannot be guaranteed, or in a network emergency.

Note Password recovery on routers and switches is outside the scope of this book. However, if you need an index of password recovery procedures for Cisco network devices, see the following Cisco Web page: http://www.cisco.com/warp/public/474.

The key to recovering a password on a Cisco router is manipulation of the router's configuration register. All router passwords are stored in the startup configuration, so if the configuration register is changed so that the startup configuration is ignored at boot, the passwords stored in it are bypassed. If you have disabled the password recovery mechanism, you will not be able to perform this procedure on the router. Disabling password recovery on a Cisco router is a decision that must be thought out ahead of time, because the command that disables it also disables the break sequence that drops the router into ROM monitor (ROMMON) mode during boot, and that is where the configuration register would be changed.


Warning The command discussed in this section is not recommended for use on any production router and is explained here only for the benefit of learning within a lab environment.

You can disable the Cisco password recovery procedure by issuing the no service password-recovery command in global configuration mode:

SecureRouter#config t
Enter configuration commands, one per line. End with CNTL/Z.
SecureRouter(config)#no service password-recovery

Executing this command will disable password recovery mechanism.
Do not execute this command without another plan for
password recovery.

Are you sure you want to continue? [yes/no]: yes

As you can see, the IOS reminds you of how serious disabling the password recovery procedure is with a warning message and a prompt that allows you to change your mind. To see the results of changing the password recovery feature, issue the show running-config command. The effects of issuing the command can be seen in the following configuration:

SecureRouter#show run
Building configuration...

Current configuration:

version 12.0
service password-encryption
no service password-recovery

hostname SecureRouter

After password recovery has been disabled and the configuration has been saved, the widely available password recovery procedure will not be available on the router. The following output verifies that password recovery is indeed disabled:


SecureRouter#reload
Proceed with reload? [confirm]

00:14:34: %SYS-5-RELOAD: Reload requested

System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
Copyright (c) 1999 by cisco Systems, Inc.
TAC:Home:SW:IOS:Specials for info
PC = 0xfff14ee8, Vector = 0x500, SP = 0x680127b0
C2600 platform with 49152 Kbytes of main memory

program load complete, entry point: 0x80008000, size: 0x928024
Self decompressing the image : #######################....

Warning The use of the command discussed in this section is not recommended for a production router. It should be used only in extreme circumstances or in a lab environment!


If the no service password-recovery command has been issued on a Cisco router and the passwords have been forgotten, you must contact your Cisco Technical Support Engineer to obtain help in gaining access to the router and enabling the password recovery process again.

Configuring Privilege Levels for Users

As mentioned earlier, the Cisco IOS software has two modes of operation, user mode and privileged mode. Within these modes you can define up to 16 privilege levels (0 through 15), which allows you to assign authority selectively on a per-user basis; by default, user mode is level 1 and privileged mode is level 15. Commands entered into the IOS can be associated with a privilege level. You configure the privilege level for a command using the global configuration command privilege <mode> level <level> <command>. The exact syntax of this command is as follows:

privilege mode {level level command | reset command}

Figure 1.1 displays three users, Cindy, Marsha, and Jan, connected to a local segment. Cindy is the network engineer; she has full control over Router A. Marsha and Jan are system administrators; they need only limited functionality on Router A. Here is an example of the configuration that meets this requirement:

enable secret Cindy
enable secret level 3 Marsha
enable secret level 2 Jan
privilege exec level 3 debug
privilege exec level 3 show running-config
privilege exec level 3 telnet
privilege exec level 2 ping
privilege exec level 2 sh int ser0
privilege exec level 2 sh ip route
line con 0


Figure 1.1: Using privilege levels to create administrative levels.

This configuration provides Cindy with the default full administrative rights to the router (level 15). Marsha is given access to all features allowed at administrative level 3 and can perform the commands listed with a privilege level of 3. Jan is assigned a privilege level of 2 and can perform the commands listed with a privilege level of 2. Privilege levels are cumulative: a user at level 3 can also run everything assigned to levels 2 and 1, so Marsha can ping and show the routing table as well as debug. The key is that each user must use the enable <level> command from the user mode prompt and log in with the password assigned for that level. An example is provided here:


SecureRouter>enable 3

Password: Marsha


Configuring Password Encryption

It's relatively simple to configure password encryption on Cisco routers. When password encryption is configured, every password that would otherwise be stored in clear text in the configuration (the enable password and line passwords) is converted with an unsophisticated reversible cipher, shown as type 7 in the configuration; the enable secret is not affected, because it is already stored as a one-way hash. Although the algorithm is weak, it still serves a purpose: an intruder who glimpses the configuration cannot simply read the password in plain text. It does not, however, protect against anyone who obtains a copy of the configuration, since the cipher can be reversed. To enable password encryption, use the command service password-encryption.

The following example shows a router configuration prior to enabling password encryption. An enable password, a console password, and a Telnet password are configured:

SecureRouter#show running-config

enable password Cisco

line con 0
 password Networking

line vty 0 4
 password Security


The following example shows the command you would use to enable password encryption on the router:

SecureRouter#config t
Enter configuration commands, one per line. End with CNTL/Z.
SecureRouter(config)#service password-encryption



The results of enabling password encryption can be seen in the following example. Notice that each password is now preceded by the type indicator 7 and represented by a string of hexadecimal digits, which is the encrypted form of the password:

SecureRouter#show running-config

enable password 7 05280F1C2243
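To make concrete what "reversible" means in the discussion of service password-encryption above, and to give the privilege-level and password-recovery settings covered earlier in this chapter an automated check, here is an added Python example; it is not code from the book or from Cisco. It implements the publicly documented type-7 algorithm, parses a constructed running-config assembled from this chapter's snippets (the two line passwords were produced with the example's own encoder, since the page's output for those lines is cut off), and reports what an auditor reviewing the configuration would flag. The audit rules, the SAMPLE_CONFIG text, and the function names are this example's own assumptions.

```python
"""Audit an IOS running-config for the password controls this chapter covers.

Added example, not code from the book.  type7_decode/type7_encode implement
the publicly documented reversible cipher behind 'service password-encryption';
the audit rules and the sample configuration are this example's own.
"""
import re

# Fixed key stream of the IOS type-7 scheme (public knowledge, not a secret).
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Constructed sample: the chapter's fragments merged into one post-encryption
# running-config.  The line passwords were produced with type7_encode(); IOS
# would show the enable secrets as type-5 hashes, the page's plaintext is kept.
SAMPLE_CONFIG = """\
version 12.0
service password-encryption
no service password-recovery
hostname SecureRouter
enable password 7 05280F1C2243
enable secret level 3 Marsha
enable secret level 2 Jan
privilege exec level 3 debug
privilege exec level 3 show running-config
privilege exec level 3 telnet
privilege exec level 2 ping
privilege exec level 2 sh int ser0
privilege exec level 2 sh ip route
line con 0
 password 7 09624B1D0E0A0519020203
 login
line vty 0 4
 password 7 023501581E14063555
 login
"""

PASSWORD_LINE = re.compile(r"(?:enable )?password (?:(\d+) )?(\S+)$")
SECRET_LINE = re.compile(r"enable secret(?: level (\d+))? ")
PRIVILEGE_LINE = re.compile(r"privilege exec level (\d+) (.+)$")


def type7_decode(encoded: str) -> str:
    """Undo type 7: two decimal digits give a key offset, the rest is hex of
    plaintext XOR key[offset + i].  No secret is involved, so anyone can do it."""
    salt = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ _TYPE7_KEY[(salt + i) % len(_TYPE7_KEY)])
                   for i, b in enumerate(data))


def type7_encode(plain: str, salt: int = 5) -> str:
    """Forward direction; shows the scheme is a fixed-key XOR, not a hash."""
    pairs = (f"{b ^ _TYPE7_KEY[(salt + i) % len(_TYPE7_KEY)]:02X}"
             for i, b in enumerate(plain.encode()))
    return f"{salt:02d}" + "".join(pairs)


def assigned_commands(level_commands: dict, level: int) -> list:
    """Commands explicitly moved to a level that a user at `level` may run.
    Privilege levels are cumulative: level 3 inherits what level 2 was given."""
    return [c for lvl, cmds in sorted(level_commands.items())
            if lvl <= level for c in cmds]


def audit_config(config: str) -> dict:
    """Return recovered type-7 passwords, clear-text passwords, per-level
    command assignments and the policy issues an auditor would raise."""
    recovered, cleartext, issues = [], [], []
    secret_levels, level_commands = set(), {}
    encryption_on = recovery_disabled = False

    for raw in config.splitlines():
        line = raw.strip()
        if line == "service password-encryption":
            encryption_on = True
        elif line == "no service password-recovery":
            recovery_disabled = True
        elif m := SECRET_LINE.match(line):
            secret_levels.add(int(m.group(1) or 15))  # bare 'enable secret' is level 15
        elif m := PRIVILEGE_LINE.match(line):
            level_commands.setdefault(int(m.group(1)), []).append(m.group(2))
        elif m := PASSWORD_LINE.match(line):
            ptype, value = m.groups()
            if ptype == "7":
                recovered.append((line, type7_decode(value)))
            else:                      # bare or '0 <text>': stored in the clear
                cleartext.append(line)

    has_enable_password = any(l.startswith("enable password")
                              for l, _ in recovered) or \
        any(l.startswith("enable password") for l in cleartext)
    if cleartext and not encryption_on:
        issues.append("clear-text passwords present; enable 'service password-encryption'")
    if has_enable_password and 15 not in secret_levels:
        issues.append("level 15 is protected only by 'enable password' (type 7, "
                      "reversible); configure 'enable secret'")
    for level, cmds in sorted(level_commands.items()):
        if level not in secret_levels:
            issues.append(f"level {level} has commands but no 'enable secret level {level}'")
        if level < 15 and any(c.split()[0] == "debug" for c in cmds):
            issues.append(f"level {level} may run debug, which can expose traffic "
                          "and disrupt the router")
    if recovery_disabled:
        issues.append("password recovery is disabled; a lost password means a "
                      "TAC case, not a reboot")
    return {"recovered": recovered, "cleartext": cleartext,
            "levels": level_commands, "issues": issues}


if __name__ == "__main__":
    result = audit_config(SAMPLE_CONFIG)
    for line, plain in result["recovered"]:
        print(f"{line:40} -> {plain}")
    for issue in result["issues"]:
        print("ISSUE:", issue)
```

Running it turns the page's own 05280F1C2243 back into Cisco in a few lines of arithmetic, which is the practical reading of the chapter: service password-encryption stops a casual glance over your shoulder, while the enable secret, a one-way hash, is the control that survives someone copying the configuration.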