One-time passwords on Cisco routers

One-time passwords on Cisco routers

Cisco routers preconfigured for SDM have default username/password cisco/cisco. As many users forget to disable or change the default username after configuring their router with SDM, they could end up with an exposed router.

Cisco has patched this vulnerability in IOS release 12.4(11)T that includes the one-time password/secret option of the username command, allowing you to define a username/password combination that can be used only once.
For example, the username cisco one-time secret cisco would define the default username that can be used only for single access to the router. After the first login, the username disappears from the running configuration and thus cannot be reused.

There are, however, two caveats associated with this feature:

* If you log into the router using any other username, the one-time username remains valid (it’s not removed on the first successful login to the box, which would make more sense in the SDM context);
* The one-time username is removed only from the running configuration, if you don’t save the new configuration to the NVRAM, the username will reappear after the router reload.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s