ISR Overview and Providing Secure Administrative Access 91
Rather than sharing a single password among all administrators, individual user accounts can be
used to give each administrator distinct login credentials (that is, a username/password
combination). Although an external user database (such as a Cisco Secure Access Control
Server [ACS]) could be used, a simpler way to configure a user database is to add the
username/password combinations to the router’s configuration. Example 3-7 shows the
addition of a username and password using the username kevinw secret $up3r$3cr3t
command. The password will appear in the router’s configuration as an MD5 hash value
rather than in plain text.
If an attacker gains physical access to a router, he could connect to the router’s console port
and reboot the router. During the bootup process, the attacker could send a break
sequence, causing the router to enter ROM monitor (ROMMON) mode. From ROMMON
mode, the attacker could reset the router’s password and thereby gain access to the router’s
configuration.
Although the ability to perform this type of password recovery often proves useful to
administrators, if the router’s physical security cannot be guaranteed, this feature opens a
vulnerability for attackers. To mitigate this threat, an administrator can disable the
password recovery feature by issuing the no service password-recovery command in
global configuration mode. When this command is entered, the router cautions the
administrator not to execute it without another plan for password recovery, because ROMMON
will no longer be accessible.
Example 3-7 Configuring a Local User Database
R1(config)# username kevinw secret $up3r$3cr3t
R1(config)# end
R1# show run
!
username kevinw secret 5 $1$geU5$vc/uDRS5dWiOrpQJTimBw/
!
NOTE If you already know the MD5 hash value of the password you are setting for a
user, you can enter the hash value instead of the password, using the username
username secret 5 hash_value command. The 5 indicates that the string you are entering
is the MD5 hash of the password rather than the plain-text password. You could
optionally indicate a plain-text password with a 0 in place of the 5.
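The type-5 value shown in Example 3-7 and described in the NOTE is the FreeBSD md5crypt scheme ($1$salt$hash). The following Python is an added example, not from the book or from Cisco: it re-implements that scheme so an administrator can confirm that a secret 5 value in a saved configuration corresponds to the password that was intended, and it flags username lines that carry a type 0 or type 7 password instead of a type 5 secret. The username-line regular expression and the sample configuration are assumptions constructed for the example.

```python
import hashlib
import re

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def md5crypt(password: str, salt: str) -> str:
    """IOS 'secret 5' hashing: FreeBSD md5crypt, output $1$<salt>$<22 chars>."""
    pw, slt = password.encode(), salt.encode()[:8]
    ctx = hashlib.md5(pw + b"$1$" + slt)
    alt = hashlib.md5(pw + slt + pw).digest()
    n = len(pw)
    while n > 0:                      # feed len(pw) bytes of the alternate digest
        ctx.update(alt[:min(16, n)])
        n -= 16
    n = len(pw)
    while n:                          # md5crypt's bit-walk over len(pw)
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):             # 1000 stretching rounds
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(slt)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    triples = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    values = [(final[a] << 16) | (final[b] << 8) | final[c] for a, b, c in triples]
    out = ""
    for v, width in zip(values + [final[11]], (4, 4, 4, 4, 4, 2)):
        for _ in range(width):        # 6-bit groups, least significant first
            out += chr(ITOA64[v & 0x3F])
            v >>= 6
    return f"$1${slt.decode()}${out}"

def secret_matches(password: str, stored: str) -> bool:
    """True if password reproduces a stored 'secret 5' value (salt taken from it)."""
    m = re.fullmatch(r"\$1\$([^$]{1,8})\$[./0-9A-Za-z]{22}", stored)
    return bool(m) and md5crypt(password, m.group(1)) == stored

def audit_usernames(config: str) -> list:
    """Return (user, finding) for username lines not protected by a type-5 secret."""
    findings = []
    for line in config.splitlines():  # assumed line shapes: username X [privilege N] password|secret [type] value
        m = re.match(r"username (\S+)(?: privilege \d+)? (password|secret)(?: (\d))? \S+", line.strip())
        if m and not (m.group(2) == "secret" and m.group(3) == "5"):
            findings.append((m.group(1), f"{m.group(2)} type {m.group(3) or '0'}"))
    return findings
```

Running secret_matches("$up3r$3cr3t", "$1$geU5$vc/uDRS5dWiOrpQJTimBw/") checks the router output in Example 3-7 against the password the text says was entered; a type-7 or plain-text password reported by audit_usernames should be replaced with a secret.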