[j-nsp] Password Recovery

Warren Kumari warren at kumari.net
Wed Nov 30 14:33:37 EST 2005


I once had a very paranoid customer with cisco gear who was petrified that someone was going to do password recovery on his gear and steal the config.

He ended up squirting epoxy in both the console and aux ports and putting more epoxy over the NVRAM and under the PC board...

The weird thing is that a: he wasn't doing anything particularly exciting[1], b: used Telnet and local usernames/passwords and c: didn't have anything particularly secret (other than the local usernames and passwords!) like IPSec preshares or RADIUS keys or anything....

Warren
[1] That I know of :-)


On Nov 27, 2005, at 5:35 PM, Richard A Steenbergen wrote:

> On Mon, Nov 28, 2005 at 12:53:53PM +1300, Thomas Salmen wrote:
>>
>> Greetings all,
>>
>> Is there some way to disable the password recovery process, as detailed here?
>>
>> http://juniper.cluepon.net/index.php/Password_recovery
>>
>> I want to make sure that there is no way someone with physical access to the box can view or change the configuration - I'd rather the config were destroyed than risk someone playing with it.
>>
>> Is this possible?
>
> The Juniper way to do this is to enable FIPS mode:
>
> http://www.juniper.net/techpubs/software/junos/junos74/swconfig74-FIPS/html/FIPS-mode2.html
>
>> Local passwords are encrypted using HMAC-SHA1. Password recovery is not possible in JUNOS-FIPS. JUNOS-FIPS cannot boot into single-user mode without the correct root password.
>
> Of course anyone with physical access who really wants to see your config can just pull the routing engine, yank out the CF and hard drive, and load it up into an external machine. AFAIK there is no mechanism to encrypt (or even obscure from casual examination, which is really the best you could hope for) the entire config or the config filesystems.
>
> Don't forget that configs can be stored in two places, /config AND /altconfig. I can't tell you how many configs (complete with passwords) I've come across this way from old routers and returned leases, from folks like AOL, Cogent, CW, Exodus, Netrail, Teleglobe, Telocity, Verio, etc. :)
>
> Besides if you were really paranoid you would rig an explosive to go off when the RE is pulled out or something. :)
>
> -- 
> Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
> GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
