[c-nsp] No Service Password Recovery

Jay Hennigan jay at west.net
Thu Nov 18 14:15:18 EST 2010


On 11/18/10 2:28 AM, simon at pitwood.org wrote:
> It might have something to do with the version?
> 
> CAT2924Switch#sh run
> Building configuration...
> 
> Current configuration:
> !
> version 12.0
> no service pad
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption

password-encryption != password-recovery

And password-encryption == password-encryption only for very small
values of encryption.  This really should be called password-obfuscation
as it is trivial to reverse.

The original poster didn't specify the specific problem he was trying to
solve.

If the bad guys have unmonitored physical access to the switch they
could swap it out with their own device entirely even if the
configuration is locked down.  It's not like 2924XLs are expensive or
hard to get.  Mitigate with RANCID, etc.

If the concern is that the same access password on the switch which
could be recovered is used elsewhere in the OP's network and bad guys
recovering that password could use it to attack other devices...
Don't do that, then.  Mitigate with unique passwords, TACACS+, etc.

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
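An added example, not code from Jay's post or from Cisco: a small audit over a constructed IOS running-config excerpt that flags where credentials are stored cleartext or as reversible type 7 (the `service password-encryption` scheme the reply calls obfuscation), versus hashed `secret` lines. The sample config and the severity labels are the example's own assumptions.

```python
import re

# Constructed IOS running-config excerpt (sample input, not from the post).
SAMPLE_CONFIG = """\
version 12.0
no service password-encryption
enable password cisco123
username admin privilege 15 password 7 094F471A1A0A
username ops secret 5 $1$abcd$EXAMPLEMD5HASHxxxxxxxxx
username audit secret 9 $9$EXAMPLESCRYPTHASHxxxxxxxxxxxxxx
line vty 0 4
 password letmein
 login
"""

# How each IOS credential "type" number stores the secret. Type 7 is what
# `service password-encryption` produces: a fixed-key scheme that is
# reversible, so a leaked config yields the original password.
TYPE_INFO = {
    "0": ("cleartext", "high"),
    "7": ("reversible type-7 obfuscation", "high"),
    "5": ("salted MD5 hash (cheap to brute-force)", "medium"),
    "8": ("PBKDF2-SHA256 hash", "ok"),
    "9": ("scrypt hash", "ok"),
}

CRED_RE = re.compile(
    r"^\s*(?:enable|username\s+\S+(?:\s+privilege\s+\d+)?)?\s*"
    r"(password|secret)\s+(?:(\d)\s+)?(\S+)\s*$")

def audit_config(text):
    """Return (line_no, description, severity) for each credential line."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip() == "no service password-encryption":
            findings.append((n, "cleartext storage enabled globally", "high"))
            continue
        m = CRED_RE.match(line)
        if not m:
            continue
        keyword, ptype, _value = m.groups()
        if ptype is None:
            # A bare `password` is stored as typed; a bare `secret` is hashed
            # before it reaches the config, so it always shows a type number.
            ptype = "0" if keyword == "password" else "?"
        desc, sev = TYPE_INFO.get(ptype, ("unknown type %s" % ptype, "review"))
        findings.append((n, "%s stored as %s" % (keyword, desc), sev))
    return findings

def weak_credential_lines(text):
    """Line numbers where the credential is recoverable from the config text."""
    return [n for n, _desc, sev in audit_config(text) if sev == "high"]
```

Every line it rates `high` is one where possession of the config (or a console session) gives up the password itself, which is why the reply's mitigation is unique per-device secrets and TACACS+ rather than `service password-encryption`.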

