
no service password-recovery

johnlloyd_13
Level 9

hi,

I was asked to use this command and it's my first time using it.

my question: can i still issue a 'write erase' remotely, and will the 'no service password-recovery' remain intact?

the router is in a remote area so there's a possibility we might not get it back. so i was asked to wipe it out and at the same time ensure other people (who are not very cisco savvy) won't be able to re-use them.

 

R1(config)#no service password-recovery

Password recovery disable mode is not supported by the current ROMMON.

Please upgrade the ROMMON if you want to use this feature.

 

i tested this on GNS3 and got an error to upgrade ROMMON. will i get the same error on a 'real' cisco router (it's a 3945) and be required to upgrade the ROMMON software?

6 Replies

Mark Malone
VIP Alumni
as it's a 3900 you get them to send you the flash card rather than the whole router, then wipe it remotely. it will be factory then, without any config
you may need to upload

if you have to go through with the no service password, what does the current show version show as the rom available


Prerequisites for No Service Password-Recovery

You must download and install ROM monitor (ROMMON) version 12.2(11)YV1 before you can use this feature.


Feature Name: No Service Password-Recovery

Releases: 12.3(8)YA, 12.3(14)T, 15.1(1)SY, Cisco IOS XE Release 3.10

Feature Information:

The No Service Password-Recovery feature is a security enhancement that prevents anyone with console access from accessing the router configuration and clearing the password. It also prevents anyone from changing the configuration register values and accessing NVRAM.

This feature was introduced in Cisco IOS Release 12.3(8)YA.

This feature was integrated into Cisco IOS Release 12.3(14)T.

This feature was integrated into Cisco IOS Release 15.1(1)SY.

The following command was introduced: service password-recovery.

This feature was integrated into Cisco IOS XE Release 3.10 for Cisco ASR 1000 Series Aggregation Services Routers.

The following command was modified: service password-recovery. The strict keyword was added to the no form of this command.

hi,

like i said it's a very remote site and getting or sending anything back is just a small probability.

my question wasn't answered, can i still remotely issue a 'write erase' and the 'no service password-recovery' would still be there?

i got this from the 'show version'. does this mean i wouldn't be able to use the said command (minimum would be 15.1(1)SY)?

ROM: System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)

ok so first, doing this is not fully secure and the config could possibly still be restored from startup through console

the command itself should work with that ROM version and when it's reloaded it should show ...PASSWORD RECOVERY FUNCTIONALITY IS DISABLED in show version

my question wasn't answered, can i still remotely issue a 'write erase' and the 'no service password-recovery' would still be there?
Most likely no, because you set the command and wiped the config, and it's disabled as default in cli, which it will return back to after reboot. is it possible to get someone locally to console in, then RDP to their PC or screenshare somehow, and wipe everything over their PC through console (vlan files, running config, startup config etc), then take out the external flash and snap the external flash card to be sure, if it can't be sent back? the router will be totally wiped then, with no flash to load anything onto

Hello,

 

on a side note, 'no service password-recovery' is NOT the default, so when you disable this service and do a 'wr erase', the startup configuration will be erased, and upon reboot, the defaults will apply, which in this case means 'service password-recovery' will be enabled...

first a warning,

the 'no service password-recovery' does not render the device useless

the password recovery enabled setting allows you to restart the device and load the config, bypassing the need to know the login and enable password

 

with 'no service password-recovery', during the recovery process the config will be erased, but the normal ios will still be loaded.

you'll need to erase the flash too, so the device cannot boot into ios

 

of course the ios can be loaded again to flash, but that needs a little more cisco knowledge.

 

Leo Laohoo
Hall of Fame

@johnlloyd_13 wrote:

will i get the same error on 'real' cisco router (it's a 3945) and require to upgrade ROMMON software?


People like to use this command BEFORE they dispose of equipment. I don't understand the reason nor the logic behind it.

I have helped other people remove this config or perform a factory reset even when this command is used.
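
An added example, not written by any poster in this thread and not Cisco code: a small Python check over captured `show version` and startup-config text that reports the ROMMON version against the 12.2(11)YV1 prerequisite, whether `no service password-recovery` is saved, and whether the "PASSWORD RECOVERY FUNCTIONALITY IS DISABLED" banner is present. The sample captures are constructed, and the numeric-only version comparison is a simplifying assumption.

```python
import re

# Minimum ROMMON named in the prerequisites quoted in the thread: 12.2(11)YV1.
MIN_ROMMON = (12, 2, 11)
BOOTSTRAP_RE = re.compile(r"System Bootstrap, Version (\d+)\.(\d+)\((\d+)")
BANNER = "PASSWORD RECOVERY FUNCTIONALITY IS DISABLED"

# Constructed sample captures (not output from a real device).
SAMPLE_SHOW_VERSION = """\
ROM: System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)
PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
"""
SAMPLE_STARTUP = """\
hostname R1
no service password-recovery
"""


def audit(show_version: str, startup_config: str) -> dict:
    """Summarise the password-recovery state from captured CLI text."""
    m = BOOTSTRAP_RE.search(show_version)
    rommon = tuple(int(g) for g in m.groups()) if m else None
    configured = any(
        line.strip().startswith("no service password-recovery")
        for line in startup_config.splitlines()
    )
    banner = BANNER in show_version.upper()
    findings = []
    if rommon is None:
        findings.append("ROMMON version not found in show version")
    elif rommon < MIN_ROMMON:
        # Coarse numeric comparison (assumption): train letters are ignored.
        findings.append("ROMMON older than 12.2(11)YV1; upgrade before use")
    if not configured:
        # An erased startup config no longer carries the command, so the
        # default (recovery enabled) applies after the next reload.
        findings.append("command absent from startup config")
    elif not banner:
        findings.append("command saved but banner missing; not yet reloaded?")
    return {"rommon": rommon, "configured": configured,
            "banner": banner, "findings": findings}


if __name__ == "__main__":
    print(audit(SAMPLE_SHOW_VERSION, SAMPLE_STARTUP))  # before 'write erase'
    print(audit(SAMPLE_SHOW_VERSION, ""))              # after 'write erase'
```

Passing an empty startup config models the state after 'write erase', which is the case the replies above warn about.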
