Monday, October 20, 2014

Cisco Switch/Router/ASA: "Exec-timeout 0 0"

What are the security implications of the following on a Cisco device:

line vty 0 4
 exec-timeout 0 0
 login local
 transport input ssh

First, here is what Cisco's documentation says about the exec-timeout command (I have pulled out the parts that matter to me):

To set the interval that the EXEC command interpreter waits until user input is detected, use the exec-timeout line configuration command. To remove the timeout definition, use the no form of this command.
If no input is detected during the interval, the EXEC facility resumes the current connection. If no connections exist, the EXEC facility returns the terminal to the idle state and disconnects the incoming session.
To specify no timeout, enter the exec-timeout 0 0 command.

It seems "0 0" might not be a good idea, especially for console access: with no timeout, a session left open on the console never ends, and I recently got into a core switch that way without having to log in.  Just be aware of the security implications of the configs you apply.

line con 0
 exec-timeout 0 0
 login local
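
As an added example (not from the original post, and not a Cisco tool), the following Python script audits a running-config for line stanzas that never time out. It parses each `line con`, `line aux` and `line vty` stanza (assuming the standard running-config layout, with stanza statements indented one space), flags `exec-timeout 0 0` and `no exec-timeout`, and reports the effective idle timeout otherwise. Both configurations embedded in it are constructed samples: the weak one mirrors the post, and the hardened one restores timeouts of 5 and 10 minutes, which are illustrative choices rather than Cisco recommendations. The 10-minute default applied when exec-timeout is absent is IOS behaviour.

```python
"""Audit a Cisco IOS running-config for line stanzas with no idle timeout."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the weak configuration discussed in the post.
WEAK_CONFIG = """\
hostname core-sw1
!
line con 0
 exec-timeout 0 0
 login local
line aux 0
 no exec-timeout
line vty 0 4
 exec-timeout 0 0
 login local
 transport input ssh
line vty 5 15
 login local
 transport input ssh
!
end
"""

# Constructed sample: the same lines with an idle timeout restored
# (5 and 10 minutes are illustrative values, not Cisco's recommendation).
HARDENED_CONFIG = """\
hostname core-sw1
!
line con 0
 exec-timeout 5 0
 login local
line aux 0
 exec-timeout 5 0
line vty 0 4
 exec-timeout 10 0
 login local
 transport input ssh
line vty 5 15
 exec-timeout 10 0
 login local
 transport input ssh
!
end
"""

DEFAULT_TIMEOUT_SECONDS = 10 * 60  # IOS default when no exec-timeout is configured

_EXEC_TIMEOUT = re.compile(r"^exec-timeout\s+(\d+)(?:\s+(\d+))?$")


@dataclass
class LineAudit:
    line: str                        # e.g. "con 0" or "vty 0 4"
    timeout_seconds: Optional[int]   # None means the line never times out
    source: str                      # the statement (or default) the value came from


def parse_line_stanzas(config: str) -> Dict[str, List[str]]:
    """Return {line name: [statements]} for every `line ...` stanza in the config."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # "!" or any top-level command ends the stanza
    return stanzas


def audit_exec_timeout(config: str) -> List[LineAudit]:
    """Compute the effective idle timeout of every line stanza."""
    results = []
    for name, statements in parse_line_stanzas(config).items():
        timeout: Optional[int] = DEFAULT_TIMEOUT_SECONDS
        source = "default: exec-timeout 10 0"
        for stmt in statements:
            if stmt == "no exec-timeout":
                # Treated here the same as "exec-timeout 0 0": no idle timeout.
                timeout, source = None, stmt
                continue
            match = _EXEC_TIMEOUT.match(stmt)
            if match:
                total = int(match.group(1)) * 60 + int(match.group(2) or 0)
                timeout, source = (None if total == 0 else total), stmt
        results.append(LineAudit(name, timeout, source))
    return results


def findings(config: str) -> List[str]:
    """Human-readable findings for lines that never time out."""
    return [f"line {a.line}: no idle timeout ({a.source})"
            for a in audit_exec_timeout(config) if a.timeout_seconds is None]


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for line in findings(cfg) or ["no findings"]:
            print(" ", line)
```

Run it against the output of `show running-config` saved to a file, or feed the text in from a config backup; the weak sample produces three findings (con 0, aux 0 and vty 0 4) while the hardened sample produces none. Note that `vty 5 15` in the weak sample is not flagged because the IOS default of ten minutes applies when no exec-timeout is configured.
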

2 comments:

  1. Great note...especially about Console access. That could be a really bad "gotcha" for network equipment that may not have proper physical access control in place.

  2. :) got me in enable mode when I needed it and didn't have the passwords.

