One-time passwords on Cisco routers

Cisco routers preconfigured for SDM have default username/password cisco/cisco. As many users forget to disable or change the default username after configuring their router with SDM, they could end up with an exposed router.

Cisco has patched this vulnerability in IOS release 12.4(11)T that includes the one-time password/secret option of the username command, allowing you to define a username/password combination that can be used only once.For example, the username cisco one-time secret cisco would define the default username that can be used only for single access to the router. After the first login, the username disappears from the running configuration and thus cannot be reused.

There are, however, two caveats associated with this feature:

  • If you log into the router using any other username, the one-time username remains valid (it's not removed on the first successful login to the box, which would make more sense in the SDM context);
  • The one-time username is removed only from the running configuration, if you don't save the new configuration to the NVRAM, the username will reappear after the router reload.

5 comments:

  1. Actually, the first thing SDM does is ask the user to change the default credentials - so if the user does use SDM for initial/subsequent configuration, the credentials would be removed. The problem is if the customer got SDM installed on the device from manufacturing, and used some script/CLI to reconfigure the device - and never ever starts SDM - SDM never gets the chance to remove the default credentials.
    This issue was fixed by CSCse65910 - additional information can be found at http://www.cisco.com/warp/public/707/cisco-sr-20070215-http.shtml

    And while it is true the default credentials are removed from the running-config and not the startup-config, this isn't a problem - we can assume whoever used the credentials is going to change the configuration, and save it :)

    If they do NOT, the credentials aren't valid anymore. If the device is reloaded, agreed, credentials are still there - but you would still be using the default configuration, without any of the previously applied changes (ie: default IP addressing information, no outside connectivity). So this isn't really an issue.

    And about "if you login to the device using another combination" - how, if only the default one is available? and dissapears once used for the 1st time? And it's only going to reappear if you don't save the configuration - which hence means no additional username/password combinations created on the device?

    ReplyDelete
  2. The problem with "if you login to the device using another combination" is that you can connect to the console port (assuming it's not protected with login local, of course), configure your router from there and still leave the default password in the configuration.

    I'm not saying that the feature as implemented now is not OK, it functions as designed and it can be extremely useful ... it's just that it could be made even more secure if the one-time username would disappear when the first exec process is started (regardless of how the user got into the box).

    ReplyDelete
  3. I am using cisco 2801, this router that has the SDM files already installed on it. After i console into the router, the router asks for username and password, i entered cisco/cisco by default. Next, i configured the interface ip address, then i run command "copy run st", but i forgot to remove the default username cisco or create a new username and password.

    After that, i console into the router again, the router asks for username and password again and i enter cisco/cisco. It doesn't work.

    What should i do to solve this problem ?

    ReplyDelete
  4. Google for "password recovery 2801"

    ReplyDelete
  5. @ wisefox911

    use the Procedure password recovery:
    http://www.cisco.com/en/US/products/hw/routers/ps259/products_password_recovery09186a0080094675.shtml

    ReplyDelete

You don't have to log in to post a comment, but please do provide your real name/URL. Anonymous comments might get deleted.

Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.