One-time passwords on Cisco routers
Cisco routers preconfigured for SDM have default username/password cisco/cisco. As many users forget to disable or change the default username after configuring their router with SDM, they could end up with an exposed router.
Cisco addressed this in IOS release 12.4(11)T, which adds the one-time password/secret option to the username command, allowing you to define a username/password combination that can be used only once. For example, username cisco one-time secret cisco defines the default username so that it can be used for a single login to the router. After the first login, the username is removed from the running configuration and thus cannot be reused.
There are, however, two caveats associated with this feature:
- If you log into the router using any other username, the one-time username remains valid (it's not removed on the first successful login to the box, which would make more sense in the SDM context);
- The one-time username is removed only from the running configuration; if you don't save the new configuration to NVRAM, the username reappears after the router reloads.
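As an added example (not code from the original post or from Cisco), here is a small Python audit that applies both caveats to saved IOS configuration text: it flags any remaining username cisco line, distinguishes the reusable default account from the one-time form, and detects the second caveat by comparing running-config against startup-config (the one-time user is gone from one but still present in the other, so it would come back after a reload). The regular expression assumes the username-line syntax shown above plus an optional privilege keyword; the configuration snippets are constructed for the example.

```python
"""Audit Cisco IOS configuration text for the SDM default username.

Added example, not code from the original post. Assumes the username
line syntax discussed on the page (optional 'privilege N', optional
'one-time', then 'password' or 'secret' with an optional encryption type).
Sample configurations below are constructed.
"""
import re
from dataclasses import dataclass

DEFAULT_USER = "cisco"

# username <name> [privilege N] [one-time] (password|secret) [type] <value>
USERNAME_RE = re.compile(
    r"^username\s+(?P<name>\S+)"
    r"(?:\s+privilege\s+(?P<priv>\d+))?"
    r"(?P<onetime>\s+one-time)?"
    r"\s+(?P<kind>password|secret)"
    r"(?:\s+(?P<enc>\d+))?"
    r"\s+(?P<value>\S+)\s*$"
)


@dataclass
class Finding:
    line: str
    severity: str
    reason: str


def audit_usernames(config_text: str) -> list:
    """Return findings for every username line in a config dump."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = USERNAME_RE.match(line)
        if not m:
            continue
        name = m.group("name")
        one_time = m.group("onetime") is not None
        # 'password' with no type or type 0 is stored in cleartext
        plaintext = m.group("kind") == "password" and m.group("enc") in (None, "0")
        if name == DEFAULT_USER and not one_time:
            findings.append(Finding(line, "high",
                "default SDM username is still configured and reusable"))
        elif name == DEFAULT_USER:
            findings.append(Finding(line, "medium",
                "one-time default username present: valid until used, "
                "and reappears after reload unless the config is saved"))
        elif plaintext:
            findings.append(Finding(line, "low",
                "cleartext password (type 0); prefer 'secret'"))
    return findings


def _has_user(config_text: str, user: str) -> bool:
    return any(
        (m := USERNAME_RE.match(l.strip())) is not None and m.group("name") == user
        for l in config_text.splitlines()
    )


def reload_would_restore(running: str, startup: str, user: str = DEFAULT_USER) -> bool:
    """Second caveat: the one-time user was consumed from running-config,
    but startup-config was never saved, so a reload brings it back."""
    return (not _has_user(running, user)) and _has_user(startup, user)


# Constructed sample configs (not from a real device)
LEGACY_DEFAULT_CFG = "username cisco privilege 15 password 0 cisco\n"

STARTUP_CFG = """\
hostname sdm-router
username cisco one-time secret cisco
username admin privilege 15 secret 5 $1$constructed$hash
"""

# running-config after the one-time login, with nothing saved to NVRAM
RUNNING_CFG = """\
hostname sdm-router
username admin privilege 15 secret 5 $1$constructed$hash
"""

if __name__ == "__main__":
    for f in audit_usernames(LEGACY_DEFAULT_CFG) + audit_usernames(STARTUP_CFG):
        print(f"[{f.severity}] {f.line}: {f.reason}")
    if reload_would_restore(RUNNING_CFG, STARTUP_CFG):
        print("one-time user would return on reload: save the configuration")
```

Run it against the output of show running-config and show startup-config; a "high" finding means the pre-12.4(11)T default account is still live, and a True from reload_would_restore means the fix has only been applied in RAM.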
This issue was fixed by CSCse65910 - additional information can be found at http://www.cisco.com/warp/public/707/cisco-sr-20070215-http.shtml
And while it is true the default credentials are removed from the running-config and not the startup-config, this isn't a problem - we can assume whoever used the credentials is going to change the configuration, and save it :)
If they do NOT, the credentials aren't valid anymore. If the device is reloaded, agreed, credentials are still there - but you would still be using the default configuration, without any of the previously applied changes (i.e. default IP addressing information, no outside connectivity). So this isn't really an issue.
And about "if you log in to the device using another combination" - how, if only the default one is available? And it disappears once used for the first time? And it's only going to reappear if you don't save the configuration - which hence means no additional username/password combinations were created on the device?
I'm not saying that the feature as implemented now is not OK, it functions as designed and it can be extremely useful ... it's just that it could be made even more secure if the one-time username would disappear when the first exec process is started (regardless of how the user got into the box).
After that, I console into the router again; the router asks for username and password again and I enter cisco/cisco. It doesn't work.
What should I do to solve this problem?
Use the password recovery procedure:
http://www.cisco.com/en/US/products/hw/routers/ps259/products_password_recovery09186a0080094675.shtml