3-3. Passwords and Password Recovery
Configuration of Passwords
NOTE On a COS device, both passwords are encrypted. On an IOS device, only the privileged (enable secret) password is encrypted by default.

Feature Example

This example shows a typical configuration for setting the user and privileged passwords for COS and IOS switches.

An example of the Catalyst OS configuration follows:

    Console> (enable)
    Console> (enable) set enablepass
    Enter old password: oldenablepass
    Enter new password: san-fran
    Retype new password: san-fran
    Password changed
    Console> (enable) set password
    Enter old password: oldpass
    Enter new password: cisco
    Retype new password: cisco
    Password changed
    Console> (enable)

An example of the Supervisor IOS configuration follows:

    Switch(config)#enable secret san-fran
    Switch(config)#line vty 0 4
    Switch(config-line)#password cisco
    Switch(config-line)#line con 0
    Switch(config-line)#login
    Switch(config-line)#password cisco
    Switch(config-line)#end
    Switch#copy running-config startup-config

Password Recovery on a COS Device

If you have lost or forgotten your passwords, you can use the COS password-recovery process to gain access to the device. The COS procedure is among the easiest of all the recovery procedures. For the initial 30 or so seconds after the switch CLI becomes available, all passwords are null, so users only need to press Enter when prompted for a password (including prompts during password management). The following steps outline the procedure:
At this point, you have set all the passwords back to the default (which is null). Because timing is critical for Steps 2 through 5, it is best to set the passwords to null and then go back and change the passwords to the desired setting using the set password and set enablepass commands again after Step 5.

TIP Because you have a limited time to complete this process, it is helpful to create a text file with the commands and carriage returns needed to complete the process. Then when you get the prompt to log in, you can paste in the text file to complete the password-recovery process.

Feature Example

This example shows a typical password-recovery process for a COS switch:

    System Bootstrap, Version 5.3(1)
    Copyright (c) 1994-1999 by Cisco Systems, Inc.
    c6k_sup1 processor with 65536 Kbytes of main memory
    Autoboot executing command: "boot bootflash:cat6000-sup9k.6-1-1c.bin"
    Uncompressing file: #####################################################
    #########################################################################
    #########################################################################
    System Power On Diagnostics
    DRAM Size ....................64 MB
    Testing DRAM..................Passed
    Verifying Text segment .......Passed
    NVRAM Size ...................512 KB
    Saving NVRAM .................Done
    Testing NVRAM ................Passed
    Restoring NVRAM ..............Done
    Level2 Cache .................Present
    Testing Level2 Cache .........Passed
    System Power On Diagnostics Complete
    Boot image: bootflash:cat6000-sup9k.6.1.1(c).bin
    Running System Diagnostics from this Supervisor (Module 1)
    This may take up to 2 minutes....please wait
    Cisco Systems Console
    Enter password: (press Enter)
    2000 Jan 09 23:09:27 %SYS-1-SYS_NORMPWRMGMT:System in normal power management operation
    2000 Jan 09 23:09:27 %SYS-5-MOD_PWRON:Module 3 powered up
    2000 Jan 09 23:09:34 %SYS-5-MOD_OK:Module 1 is online
    Console> enable
    Enter password: (press Enter)
    Console> (enable) set password
    Enter old password: (press Enter)
    Enter new password: (press Enter)
    Retype new password: (press Enter)
    Password changed.
    Console> (enable) set enablepass
    Enter old password: (press Enter)
    Enter new password: (press Enter)
    Retype new password: (press Enter)
    Password changed.
    Console> (enable)
    Console> (enable) set password
    Enter old password: (press Enter)
    Enter new password: (type your new password)
    Retype new password: (type your new password)
    Password changed.
    Console> (enable) set enablepass
    Enter old password: (press Enter)
    Enter new password: (type your new password)
    Retype new password: (type your new password)
    Password changed.

Password Recovery on IOS Devices: Procedure 1

Password-recovery procedure 1 covers the 2900/3500XL, 2950, and 3550. If you have lost or forgotten your passwords, or if you want to bypass the configuration file, you can use this recovery process to gain access to the device. To recover from a lost IOS password, you have to stop the boot process and then direct the IOS switch to not use the configuration file. When the switch loads without a file, you have no passwords and can enter into privileged mode. From there, you can copy the configuration file into active memory and then change and save the passwords. To complete the recovery process, follow these steps:
Feature Example

This example shows a typical password-recovery procedure 1 for IOS switches.

    The system has been interrupted prior to initializing the Flash file system.
    The following commands initialize the Flash file system and finish loading
    the operating system software:

    flash_init
    load_helper
    boot

    flash_init
    load_helper
    dir flash:
    Directory of flash:
    2   -rwx  843947   Mar 01 1993 00:02:18  C2900XL-ms-12.2.8.bin
    4   drwx  3776     Mar 01 1993 01:23:24  html
    66  -rwx  130      Jan 01 1970 00:01:19  env_vars
    68  -rwx  1296     Mar 01 1993 06:55:51  config.text
    1728000 bytes total (456704 bytes free)
    rename flash:config.text flash:config.old
    boot
    Continue with the configuration dialog? [yes/no] : N
    Switch>enable
    Switch#rename flash:config.old flash:config.text
    Switch#copy flash:config.text system:running-config
    Switch#configure terminal
    Switch(config)#enable secret newpassword
    Switch(config)#line vty 0 4
    Switch(config-line)#password newpassword
    Switch(config-line)#line con 0
    Switch(config-line)#password newpassword
    Switch(config-line)#end
    Switch#copy running-config startup-config

Password Recovery on IOS Devices: Procedure 2

Password-recovery procedure 2 covers the 6000 series switch running IOS. If you have lost or forgotten your passwords, or if you want to bypass the configuration file, you can use this recovery process. To recover from a lost IOS password, you must stop the boot process of the route processor and then direct the IOS switch to not use the configuration file. When the switch loads without a file, you have no passwords and can enter into privileged mode. From there you can copy the configuration file into active memory and then change and save the passwords. To complete the recovery process, follow these steps:
Feature Example

This example shows a typical password-recovery procedure 2 for IOS switches:

    %OIR-6-CONSOLE: Changing console ownership to route processor
    (issue break)
    rommon1>confreg 0x2142
    rommon2>reset
    <switch output omitted>
    Continue with the configuration dialog? [yes/no] : N
    Router>enable
    Router#copy startup-config running-config
    Router#configure terminal
    Router(config)#enable secret newpassword
    Router(config)#line vty 0 4
    Router(config-line)#password newpassword
    Router(config-line)#line con 0
    Router(config-line)#password newpassword
    Router(config-line)#config-register 0x2102
    Router(config)#end
    Router#copy running-config startup-config
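A post-recovery check, added here as an example (it is not code from the original text): it flags a configuration register that would still bypass the startup configuration after procedure 2, and enable or line passwords kept in readable form, which is the point of the NOTE under Configuration of Passwords. The function names and the sample inputs are constructed for illustration; the register line is assumed to follow the usual IOS `show version` wording.

```python
import re

IGNORE_STARTUP = 0x0040  # config-register bit 6: boot without reading startup-config

def confreg_findings(show_version):
    """Flag a config register that will bypass startup-config at the next boot."""
    m = re.search(r"Configuration register is (0x[0-9A-Fa-f]+)"
                  r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?", show_version)
    if not m:
        return ["config register not found in show version output"]
    effective = int(m.group(2) or m.group(1), 16)  # pending value wins at reload
    if effective & IGNORE_STARTUP:
        return [f"register {effective:#06x} ignores startup-config at next boot"]
    return []

def password_findings(config):
    """Flag passwords that are readable (or trivially reversible) in the config."""
    findings, section = [], "global"
    has_secret = re.search(r"^enable secret ", config, re.M) is not None
    for raw in config.splitlines():
        line = raw.strip()
        if raw and not raw[0].isspace():  # unindented line starts a new section
            section = line if line.startswith("line ") else "global"
        if line.startswith("enable password ") and not has_secret:
            findings.append("enable password used without enable secret")
        m = re.match(r"password (?:(\d) )?\S+", line)
        if m and section != "global":
            if m.group(1) in (None, "0"):
                findings.append(f"{section}: cleartext password")
            elif m.group(1) == "7":
                findings.append(f"{section}: type 7 password (reversible encoding)")
    return findings

# Constructed sample input modelled on the page's IOS example (hash is a placeholder).
SAMPLE_CONFIG = """\
enable secret 5 $1$PLACEHOLDER$constructedhashvalue
!
line con 0
 password cisco
 login
line vty 0 4
 password cisco
 login
"""
SAMPLE_LEFT_IN_RECOVERY = "Configuration register is 0x2142"
SAMPLE_RESTORED = "Configuration register is 0x2142 (will be 0x2102 at next reload)"

if __name__ == "__main__":
    for text in (SAMPLE_LEFT_IN_RECOVERY, SAMPLE_RESTORED):
        print(text, "->", confreg_findings(text))
    print(password_findings(SAMPLE_CONFIG))
```

A device that reports 0x2142 with no pending change will come up without its configuration, and therefore without passwords, on every reload until the register is set back to 0x2102.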