Disabling Password Recovery - Cisco 2950G 24 - Catalyst Switch Software Configuration Manual

Chapter 7 Administering the Switch
If both the enable and enable secret passwords are defined, users must enter the enable secret password.
Use the level keyword to define a password for a specific privilege level. After you specify the level and
set a password, give the password only to users who need to have access at this level. Use the privilege
level global configuration command to specify commands accessible at various levels. For more
information, see the
If you enable password encryption, it applies to all passwords including username passwords,
authentication key passwords, the privileged command password, and console and virtual terminal line
passwords.
To remove a password and level, use the no enable password [level level] or no enable secret [level
level] global configuration command. To disable password encryption, use the no service
password-encryption global configuration command.
This example shows how to configure the encrypted password $1$FaD0$Xyti5Rkls3LoyxzS8 for
privilege level 2:
Switch(config)# enable secret level 2 5 $1$FaD0$Xyti5Rkls3LoyxzS8

Disabling Password Recovery

The default configuration for Catalyst 2950 LRE switches allows an end user with physical access to the
switch to recover from a lost password by interrupting the start process while the switch is powering up
and then by entering a new password. The password recovery disable feature for Catalyst 2950 LRE
switches allows the system administrator to protect access to the switch password by disabling part of
this functionality and allowing the user to interrupt the start process only by agreeing to set the system
back to the default configuration. With password recovery disabled, you can still interrupt the start
process and change the password, but the configuration file (config.text) and the VLAN database file
(vlan.dat) are deleted.
The password recovery disable feature is valid only on Catalyst 2950 LRE switches; it is not available
Note
for Catalyst 2950 Gigabit Ethernet switches.
If you disable password recovery, we recommend that you keep a backup copy of the configuration file
Note
on a secure server in case the end user interrupts the start process and sets the system back to defaults.
Do not keep a backup copy of the configuration file on the switch. If the switch is operating in VTP
transparent mode, we recommend that you also keep a backup copy of the VLAN database file on a
secure server. When the switch is returned to the default system configuration, you can download the
saved files to the switch by using the XMODEM protocol. For more information, see the
from a Lost or Forgotten Password" section on page
78-14982-01
"Configuring Multiple Privilege Levels" section on page
Catalyst 2950 Desktop Switch Software Configuration Guide
Protecting Access to Privileged EXEC Commands
7-8.
28-6.
"Recovering
7-5