The no service password-recovery is a security enhancement that prevents anyone with physical console access to perform router configuration and change local passwords. It also prevents anyone from changing the configuration register values and access the NVRAM which stores the startup config.
This command is applicable in a highly secure environment and for our scenario wherein we don't intend to retrieve or re-use our network gear since it's located in a very remote area.
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#no service password-recovery
WARNING:
Executing this command will disable the password recovery mechanism.
Do not execute this command without another plan for
password recovery.
Are you sure you want to continue? [yes]: yes
Router(config)#end
Router#write memory
Building configuration...
[OK]
Router#show run | inc no service
no service pad
no service password-recovery
Disabling password recovery in a Cisco Catalyst switch use a slightly different command. You'll need to verify first if the switch is a standalone or a stacked using the show switch command.
Switch#show switch
Switch/Stack Mac Address : 3c0e.2357.1234 - Local Mac Address
Mac persistency wait time: Indefinite
H/W Current
Switch# Role Mac Address Priority Version State
------------------------------------------------------------
*1 Active 3c0e.2357.1234 1 V02 Ready
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
3850(config)#system ?
debug Debug Shell
disable Disable password recovery
environment Set the system environment settings
fnf Flexible Netflow
ignore Ignore Startup Config
mode-button Enable Mode button for reset
mtu Set the global ethernet payload size
Switch(config)#system disable ?
password Disable password recovery
Switch(config)#system disable password ?
recovery Disable password recovery
Switch(config)#system disable password recovery ?
switch Set config on switches in stack
Switch(config)#system disable password recovery switch ?
<1-9> Switch number
all Set config for all switches in stack
Switch(config)#system disable password recovery switch all
Applying config on Switch 1...[DONE]
Switch(config)#end
Switch#write memory
Building configuration...
Compressed configuration from 14004 bytes to 6042 bytes[OK]
The system disable password recovery switch command is not visible when you issue a show run.
Switch#show run | inc system
system mtu 1500
spanning-tree extend system-id
Switch#show run all | inc system disable
Switch# <BLANK>
