Disable root
06-04-2010 03:33 AM - edited 03-06-2019 11:25 AM
Hello,
I would like to know how I can disable the user 'root', who logs in to the router without a password (Cisco 800 series).
Thank you.
06-04-2010 04:46 AM
Hello Egeorgopolus,
do
sh run | inc username
if you find a line like
username root
you just need to deny it with
conf t
! report the whole line here with no in front
no username root
Hope to help
Giuseppe
06-04-2010 05:52 AM
Actually there is no root username, so this username cannot be disabled. Any other clues?
Thank you.
06-04-2010 06:18 AM
Do you have any AAA statements to a TACACS or RADIUS server that could contain the user root?
How do you know that root is logging in?
If there for some reason now is a user root who logs in at the router without password
First, have you tried to log in with root?
Second, why not create the user root with a very complex password?
Would that keep them out? At least until you can figure out what's going on?
HTH
06-04-2010 06:35 AM
Yes, I tried with root user and it can log in without entering any password. The AAA is enabled, so for the time being I modified the root user to enter the system with a password.
The odd thing is that there wasn't any username 'root' in the configuration before. At least now, this user is forced to enter a password.
Thank you.
06-04-2010 07:21 AM
If you are using AAA you can use a user database outside the router (RADIUS/TACACS+).
If the AAA is enabled and you are using it, the root user gets his/her credentials from the AAA server.
So if the AAA server is a Linux/Unix style box (most likely, since Windows does not use root), then most likely there is a problem with the root user at that machine, i.e. that root user does not have a password (which can be quite bad).
A local user database would have shown the username root in the config.
(To check the local database just do: "sh ru | include root"; the | is the pipe sign.)
HTH
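The two checks suggested in this thread (look for a local username line, then look at the AAA statements) can be run offline against a saved running-config. The script below is an added example, not code from any poster; the function name `audit_login` and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample running-config (not taken from the thread).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE none
username admin privilege 15 secret 5 $1$constructed$hash
username guest nopassword
line con 0
 login authentication CONSOLE
line vty 0 4
 transport input ssh
"""

def audit_login(config, user):
    """Report where `user` could be authenticated from, per the config text."""
    report = {"aaa_enabled": False, "local_entry": None,
              "local_passwordless": False, "method_lists": {},
              "external_lists": [], "no_auth_lists": []}
    for raw in config.splitlines():
        line = raw.strip()
        if line == "aaa new-model":
            report["aaa_enabled"] = True
        m = re.match(r"aaa authentication login (\S+) (.+)", line)
        if m:
            name, methods = m.group(1), m.group(2).split()
            report["method_lists"][name] = methods
            if "group" in methods:      # RADIUS/TACACS+ server group in use
                report["external_lists"].append(name)
            if "none" in methods:       # list can admit a login unauthenticated
                report["no_auth_lists"].append(name)
        m = re.match(r"username (\S+)(.*)", line)
        if m and m.group(1) == user:
            opts = m.group(2).split()
            report["local_entry"] = line
            # Flag 'nopassword' or a line with neither password nor secret.
            report["local_passwordless"] = (
                "nopassword" in opts or not {"password", "secret"} & set(opts))
    # No local entry but a server group is consulted: the account, if it
    # exists, lives on the AAA server, which is where to look next.
    report["only_external"] = (report["local_entry"] is None
                               and bool(report["external_lists"]))
    return report

if __name__ == "__main__":
    for key, value in audit_login(SAMPLE_CONFIG, "root").items():
        print(f"{key}: {value}")
```
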
