To enable password recovery capability, use the service password-recovery command in global configuration mode. To disable password recovery capability, use the no service password-recovery [strict] command.
service password-recovery
no service password-recovery [strict]
Syntax Description
strict    (Optional) Restricts device recovery.
Command Default
Password recovery capability is enabled.
Command Modes
Global configuration
Command History
Release                       Modification
12.3(8)YA                     This command was introduced.
12.3(14)T                     This command was integrated into Cisco IOS Release 12.3(14)T.
15.1(1)SY                     This command was integrated into Cisco IOS Release 15.1(1)SY.
Cisco IOS XE Release 3.10S    This command was integrated into Cisco IOS XE Release 3.10S. The strict keyword was added to the no form of this command.
Usage Guidelines
Note: This command is not available on all platforms. Use Feature Navigator to ensure that it is available on your platform.
If you plan to disable the password recovery capability with the no service password-recovery command, we recommend that you save a copy of the system configuration file in a location away from the device. If you are using a device that is operating in VTP transparent mode, we recommend that you also save a copy of the vlan.dat file in a location away from the device.
Caution: Entering the no service password-recovery command at the command line disables password recovery. Always disable this command before downgrading to an image that does not support password recovery capability, because you cannot recover the password after the downgrade.
The configuration register boot bit must be enabled so that there is no way to break into ROMMON when this command is configured. Cisco IOS software should prevent the user from configuring the boot field in the config register. Bit 6, which ignores the startup configuration, and bit 8, which enables a break, should be set. The Break key should be disabled while the router is booting up and disabled in Cisco IOS software when this feature is enabled.
It may be necessary to use the config-register global configuration command to set the configuration register to autoboot before entering the no service password-recovery command. The last line of the show version EXEC command displays the configuration register setting. Use the show version EXEC command to obtain the current configuration register value, configure the router to autoboot with the config-register command if necessary, then enter the no service password-recovery command.
Once disabled, the following configuration register values are invalid for the no service password-recovery command:
The no service password-recovery strict command does not allow device recovery and prevents the send break command, which is used to recover a device from the no service password-recovery feature, from having any effect during bootup.
The strict keyword is supported on the Cisco ASR 1000 Series platform, effective from Cisco IOS XE Release 3.10.
Note: Since the strict keyword makes the router unrecoverable, before you use the keyword, ensure that you configure the password and configuration register, set up the autoboot image, save the configuration and reboot the router. Only if the correct image is autobooted and the enable password works should you add the no service password-recovery strict command to the configuration. If the enable password is lost, the router must be shipped back to the Cisco support center to fix it.
Catalyst Switch Operation
Use the service password-recovery command to reenable the password-recovery mechanism (the default). This mechanism allows a user with physical access to the switch to hold down the Mode button and interrupt the boot process while the switch is powering up and to assign a new password. Use the no form of this command to disable the password-recovery capability.
When the password-recovery mechanism is disabled, interrupting the boot process is allowed only if the user agrees to set the system back to the default configuration. Use the show version EXEC command to verify whether password recovery is enabled or disabled on a switch.
The service password-recovery command is valid only on Catalyst 3550 Fast Ethernet switches; it is not available for Gigabit Ethernet switches.
Examples
The following example shows how to obtain the configuration register setting (which in this example is set to autoboot), disable the password-recovery capability, and then verify that the configuration persists through a system reload. The noconfirm keyword prevents a confirmation prompt from interrupting the booting process.
Router# show version
Cisco Internetwork Operating System Software
IOS (tm) 5300 Software (C7200-P-M), Version 12.3(8)YA, RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2004 by Cisco Systems, Inc.
Compiled Wed 05-Mar-03 10:16 by xxx
Image text-base: 0x60008954, data-base: 0x61964000
ROM: System Bootstrap, Version 12.3(8)YA, RELEASE SOFTWARE (fc1)
BOOTLDR: 7200 Software (C7200-KBOOT-M), Version 12.3(8)YA, RELEASE SOFTWARE (fc1)
Router uptime is 10 minutes
System returned to ROM by reload at 16:28:11 UTC Thu Mar 6 2003
.
.
.
125440K bytes of ATA PCMCIA card at slot 0 (Sector size 512 bytes).
8192K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x2012
Router# configure terminal
Router(config)# no service password-recovery noconfirm
WARNING:
Executing this command will disable the password recovery mechanism.
Do not execute this command without another plan for password recovery.
Are you sure you want to continue? [yes/no]: yes
.
.
.
Router(config)# exit
Router#
Router# reload
Proceed with reload? [confirm] yes
00:01:54: %SYS-5-RELOAD: Reload requested
System Bootstrap, 12.3(8)YA...
Copyright (c) 1994-2004 by cisco Systems, Inc.
C7400 platform with 262144 Kbytes of main memory
PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
.
.
.
The following example shows what happens when a break is confirmed and when a break is not confirmed.
Examples
PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
program load complete, entry point: 0x80013000, size: 0x8396a8
Self decompressing the image :
########################################################################################################################### [OK] !The 5-second window starts.
telnet> send break
Restricted Rights Legend
Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c) of the Commercial Computer Software - Restricted Rights clause at FAR sec. 52.227-19 and subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Cisco IOS Software, C831 Software (C831-K9O3SY6-M), Version 12.3(8)YA
Copyright (c) 1986-2004 by Cisco Systems, Inc.
Compiled Fri 13-Aug-04 03:21
Image text-base: 0x80013200, data-base: 0x81020514
PASSWORD RECOVERY IS DISABLED.
Do you want to reset the router to factory default configuration and proceed [y/n]?
!The user enters "y" here.
Reset router configuration to factory default.
This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to export@cisco.com.
Cisco C831 (MPC857DSL) processor (revision 0x00) with 46695K/2457K bytes of memory.
Processor board ID 0000 (1314672220), with hardware revision 0000 CPU rev number 7
3 Ethernet interfaces
4 FastEthernet interfaces
128K bytes of NVRAM
24576K bytes of processor board System flash (Read/Write)
2048K bytes of processor board Web flash (Read/Write)
--- System Configuration Dialog ---
Would you like to enter the initial configuration dialog? [yes/no]: no
!Start up config is erased.
SETUP: new interface FastEthernet1 placed in "up" state
SETUP: new interface FastEthernet2 placed in "up" state
SETUP: new interface FastEthernet3 placed in "up" state
SETUP: new interface FastEthernet4 placed in "up" state
Press RETURN to get started!
Router> enable
Router# show startup configuration
startup-config is not present
Router# show running-config | incl service
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption !The "no service password-recovery" is disabled.
==========================================================================================
Examples
PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
telnet> send break
program load complete, entry point: 0x80013000, size: 0x8396a8
Self decompressing the image :
#################################################################################################################################################################### [OK]
telnet> send break
Restricted Rights Legend
Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c) of the Commercial Computer Software - Restricted Rights clause at FAR sec. 52.227-19 and subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Cisco IOS Software, C831 Software (C831-K9O3SY6-M), Version 12.3(8)YA
Copyright (c) 1986-2004 by Cisco Systems, Inc.
Compiled Fri 13-Aug-04 03:21
Image text-base: 0x80013200, data-base: 0x81020514
PASSWORD RECOVERY IS DISABLED.
Do you want to reset the router to factory default configuration and proceed [y/n]?
!The user enters "n" here.
This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to export@cisco.com.
Cisco C831 (MPC857DSL) processor (revision 0x00) with 46695K/2457K bytes of memory.
Processor board ID 0000 (1314672220), with hardware revision 0000 CPU rev number 7
3 Ethernet interfaces
4 FastEthernet interfaces
128K bytes of NVRAM
24576K bytes of processor board System flash (Read/Write)
2048K bytes of processor board Web flash (Read/Write)
Press RETURN to get started! !The Cisco IOS software boots as if it is not interrupted.
Router> enable
Router# show startup configuration
Using 984 out of 131072 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no service password-recovery
!
hostname Router
!
boot-start-marker
boot-end-marker
!
memory-size iomem 5
!
no aaa new-model
ip subnet-zero
!
ip ips po max-events 100
no ftp-server write-enable
!
interface Ethernet0
no ip address
shutdown
!
interface Ethernet1
no ip address
shutdown
duplex auto
!
interface Ethernet2
no ip address
shutdown
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
ip classless
!
ip http server
no ip http secure-server
!
control-plane
!
line con 0
no modem enable
transport preferred all
transport output all
line aux 0
line vty 0 4
!
scheduler max-task-time 5000
end
Router# show running-configuration | incl service
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no service password-recovery
Examples
The no service password-recovery command expects the router configuration register to be configured to autoboot. If the configuration register is set to something other than autoboot before the no service password-recovery command is entered, a prompt like the one shown in the following example appears, asking you to use the config-register global configuration command to change the setting.
Router(config)# no service password-recovery
Please setup auto boot using config-register first.
Note: To avoid any unintended result due to the behavior of this command, use the show version command to obtain the current configuration register value. If it is not set to autoboot, the router needs to be configured to autoboot with the config-register command before entering the no service password-recovery command.
Once password recovery is disabled, you cannot set the bit pattern value to 0x40, 0x8000, or 0x0 (disables autoboot). The following example shows the messages displayed when invalid configuration register settings are attempted on a router with password recovery disabled.
Router(config)# config-register 0x2143
Password recovery is disabled, cannot enable diag or ignore configuration.
The command resets the invalid bit pattern and continues to allow modification of unrelated bit patterns. The configuration register value resets to 0x3 at the next system reload, which can be verified by checking the last line of the show version command output:
Configuration register is 0x2012 (will be 0x3 at next reload)
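The register rules described above (autoboot required; 0x40 and 0x8000 rejected once recovery is disabled), as an added pre-flight check that is not part of the Cisco documentation: it parses the last line of show version, including the "(will be ... at next reload)" form, and reports why a value would be refused before you enter no service password-recovery. The function and constant names are my own; the sample output is constructed from the register line in the first example.

```python
import re

# Configuration register bits named on this page (the register is 16 bits wide).
BOOT_FIELD_MASK = 0x000F        # low nibble; 0x0 means no autoboot (stop in ROMMON)
IGNORE_STARTUP_CONFIG = 0x0040  # bit 6; rejected once password recovery is disabled
DIAG_MODE = 0x8000              # bit 15; rejected once password recovery is disabled

# Last line of `show version`, with or without the pending-value suffix that
# appears after an invalid setting was attempted.
_CONFREG_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?:\s*\(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)


def parse_confreg(show_version_output):
    """Return (current, pending) values from `show version` text; pending is None
    unless a "(will be ... at next reload)" suffix is present."""
    m = _CONFREG_RE.search(show_version_output)
    if m is None:
        raise ValueError("no 'Configuration register is' line found")
    current = int(m.group(1), 16)
    pending = int(m.group(2), 16) if m.group(2) else None
    return current, pending


def confreg_problems(value):
    """List why `value` is unacceptable for no service password-recovery.
    An empty list means it autoboots and sets neither 0x40 nor 0x8000."""
    problems = []
    if (value & BOOT_FIELD_MASK) == 0x0:
        problems.append("boot field is 0x0: device would not autoboot")
    if value & IGNORE_STARTUP_CONFIG:
        problems.append("0x40 set: startup configuration would be ignored")
    if value & DIAG_MODE:
        problems.append("0x8000 set: diagnostic mode would be enabled")
    return problems


def preflight(show_version_output):
    """Check the value the device will actually boot with (the pending one, if any)."""
    current, pending = parse_confreg(show_version_output)
    effective = pending if pending is not None else current
    return effective, confreg_problems(effective)


if __name__ == "__main__":
    # Constructed sample: the register line from the page's first example.
    sample = "8192K bytes of Flash internal SIMM (Sector size 256K).\nConfiguration register is 0x2012\n"
    print(preflight(sample))  # (8210, []) -> safe to enter no service password-recovery
```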
Examples
The following example shows how to disable password recovery on a switch so that a user can only reset a password by agreeing to return to the default configuration:
Switch(config)# no service password-recovery
Switch(config)# exit
To use the password-recovery procedure, a user with physical access to the switch holds down the Mode button while the unit powers up and for a second or two after the LED above port 1X goes off. When the button is released, the system continues with initialization. If the password-recovery mechanism is disabled, the following message is displayed:
The password-recovery mechanism has been triggered, but is currently disabled. Access to the boot loader prompt through the password-recovery mechanism is disallowed at this point. However, if you agree to let the system be reset back to the default system configuration, access to the boot loader prompt can still be allowed.
Would you like to reset the system back to the default configuration (y/n)?
If you choose not to reset the system back to the default configuration, the normal boot process continues, as if the Mode button had not been pressed. If you choose to reset the system back to the default configuration, the configuration file in flash memory is deleted and the VLAN database file, flash:vlan.dat (if present), is deleted.
The following is sample output from the show version command on a device when password recovery is disabled:
Switch# show version
Cisco Internetwork Operating System Software
IOS (tm) C3550 Software (C3550-I9Q3L2-M), Version 12.3(8)YA, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Wed 24-Oct-01 06:20 by xxx
Image text-base: 0x00003000, data-base: 0x004C1864
ROM: Bootstrap program is C3550 boot loader
flam-1-6 uptime is 1 week, 6 days, 3 hours, 59 minutes
System returned to ROM by power-on
Cisco WS-C3550-48 (PowerPC) processor with 65526K/8192K bytes of memory.
Last reset from warm-reset
Running Layer2 Switching Only Image
Ethernet-controller 1 has 12 Fast Ethernet/IEEE 802.3 interfaces
Ethernet-controller 2 has 12 Fast Ethernet/IEEE 802.3 interfaces
Ethernet-controller 3 has 12 Fast Ethernet/IEEE 802.3 interfaces
Ethernet-controller 4 has 12 Fast Ethernet/IEEE 802.3 interfaces
Ethernet-controller 5 has 1 Gigabit Ethernet/IEEE 802.3 interface
Ethernet-controller 6 has 1 Gigabit Ethernet/IEEE 802.3 interface
48 FastEthernet/IEEE 802.3 interface(s)
2 Gigabit Ethernet/IEEE 802.3 interface(s)
The password-recovery mechanism is disabled.
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: AA:00:0B:2B:02:00
Configuration register is 0x10F
Disabling Password Recovery Example
The following example shows how to disable password recovery capability using the no service password-recovery strict command:
Router# configure terminal
Router(config)# no service password-recovery strict
WARNING:
Executing this command will disable the password recovery mechanism.
Do not execute this command without another plan for password recovery.
Are you sure you want to continue? [yes]: yes
.
.