Lost local username database after IOS downgrade

I had to downgrade one of the routers at work (a 3825) from IOS 15.1(4)M5 to a 12.4T train. After the router was reloaded and came back up, I found that it had lost the username/password database (so I was locked out of the router). After consoling into the router and changing the config register to ignore the startup config, I was able to actually look at what had happened to the config...the whole database was gone! the only username that was left was the "ip ftp password xxxx". 

Has this ever happened to anyone else? 

Thanks

Comments

  • Not sure how the user database was removed just because of the downgrade. Since the syntax is identical in the various kind of IOS, it has to retain the commands even after the downgrade. By the way, never tried with downgrade, instead we usually upgrade the IOS [;)]. Please check the syntax for both the OSes for further diagnosis.

     

     

  • Just guessing here, but some newer versions of IOS support newer hashing methods (I believe it is SHA.) If you were to downgrade the IOS to a level that doesn't support the newer hashing method, the command would be rejected by the older IOS. The hashing method is defined by a number before the actual password or hash on the configuration line: 

    username <name> <password/secret> <#> <Password> where # represents the different hashing methods (0,4,5,7).

     

    Could this explain why your usernames were removed upon reboot w/ an older IOS image?

    If you didn't save the configuration after reboot, are the usernames still visible in the startup configuration?

  • Hi Barrick,

    I think you are right! I just checked on the latest router that I have and found the result which is as follows:


    I-ENERGY(config)#username hari privilege 15 secret ?

      0     Specifies an UNENCRYPTED secret will follow

      4     Specifies a SHA256 ENCRYPTED secret will follow

      5     Specifies a MD5 ENCRYPTED secret will follow

      LINE  The UNENCRYPTED (cleartext) user secret


    If we don't set the hashing method , it will take type 4 hashing (SHA) automatically which is not taken by the older IOSes.



    I-ENERGY#sh run | sec username hari

    username hari privilege 15 secret 4 tnhtc92DXBhelxjYk8LWJrPV36S2i4ntXrpb4RFmfqY



    I-ENERGY#sh ver

    Cisco IOS Software, C890 Software (C890-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc1)



    Hope this helps!



  • Unfortunetly I don't think there is a way to downgrade the hash to a type 5 (what you'll need on the older IOS.) The easiest way to avoid being locked out would be to generate a type 5 on the older IOS and copy it to the router before downgrading.

  • This is exactly what happened then...I did not specify the type of hash, so it by default took 4. The version of 12.4T that I downgraded to must have not had this option. It was the latest release of 12.4 available for the 3825 12.4(24)T8.

    Good to know =)

    Luckily I had console access to the box and was able to do password recovery. I ended up switching back to the newer code after testing the specific behavior I wanted to observe on the older code. 

    Thanks you all for your help

     

  • For bonus marks, Cisco screwed up with the first release of Type 4 hashing, making it weaker than Type 5:

    http://www.theregister.co.uk/2013/03/20/cisco_introduces_weak_passwords/

Sign In or Register to comment.