Why doesn't this username and password work (SSH)?

Answered Question
May 20th, 2009

Imagine that I have the following setup on my 2960 switch:

!
enable secret pass1
!
username magoo password pass2
!
line vty 0 4
 password pass3
 login
 transport input ssh
!

Then I launch putty.exe and reach the 2960, I get username and password prompt OK.

I input username "magoo".

I input password "pass2" and then get a message "access is denied".

What am I missing here?

My intention is to force people to logon via ssh and get prompted to input username = magoo and password = pass2 to access user exec mode.

Correct Answer
John Blakley Wed, 05/20/2009 - 11:34

Change your login to "login local" under your line:

line vty 0 4
 login local

I'm not sure if your switch supports it, as I don't have one to test, but you generally need an ssh key configured on a router (but since this is a switch, I'm not sure). You would do this by:

1.) Having a domain name configured

2.) Generating the key "crypto key generate rsa general-keys mod 1024"

See if your switch supports it because mine doesn't. (Now I need to figure out why I can't ssh into mine!) :)

HTH,

John

news2010a Wed, 05/20/2009 - 11:59

Yes, I generated the key - OK.

I did as you said with 'login local' and it works.

Just a confirmation:

If I do 'login local' under vty 0 15, this does not block me from logging on users via AAA in the future, right?

I will read the docs more to understand this...

Richard Burts Wed, 05/20/2009 - 12:02

Marlon

The reason that it is not taking the username and password is that the vty defaults to authenticating with the line password that is configured. And you have not done anything to change the default behavior. John's suggestion to specify login local is certainly one way to fix it. You could also get the result that you want by configuring aaa authentication to do local authentication.

[edit] I just saw your post asking about the relationship between login local and aaa authentication. When you start aaa authentication it will override the login local. So you can do login local until you are ready to start aaa. When you start aaa then it will take precedence over login local.

HTH

Rick
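
The precedence described in this thread (line password by default, "login local" for local usernames, AAA taking precedence once started) can be checked against a saved configuration. The script below is an added example, not part of any post above; the function names are hypothetical, the sample is the question's configuration, and it assumes "aaa new-model" is what marks AAA as started.

```python
import re

# Constructed sample: the configuration posted in the question.
QUESTION_CONFIG = """\
enable secret pass1
username magoo password pass2
line vty 0 4
 password pass3
 login
 transport input ssh
"""

def vty_auth_sources(config):
    """Map each 'line vty' range to the credential source it checks.

    Rules as stated in the thread: plain 'login' (the default) checks the
    line password, 'login local' checks local usernames, and AAA (assumed
    to be signalled by 'aaa new-model') takes precedence over both.
    """
    cmds = [l.strip() for l in config.splitlines() if l.strip() not in ("", "!")]
    aaa = "aaa new-model" in cmds
    result, current = {}, None
    for cmd in cmds:
        m = re.match(r"^line vty (\d+)(?: (\d+))?$", cmd)
        if m:
            current = (int(m.group(1)), int(m.group(2) or m.group(1)))
            result[current] = "aaa" if aaa else "line-password"
        elif cmd.startswith("line "):   # e.g. 'line con 0' ends the vty block
            current = None
        elif current and not aaa:
            if cmd == "login local":
                result[current] = "local-usernames"
            elif cmd == "login":
                result[current] = "line-password"
    return result

def findings(config):
    """Report vty ranges that ignore the locally defined usernames."""
    users = re.findall(r"^username (\S+) ", config, flags=re.M)
    return [
        f"vty {a} {b}: checks the line password, local user(s) "
        f"{', '.join(users)} are not consulted"
        for (a, b), src in vty_auth_sources(config).items()
        if users and src == "line-password"
    ]

if __name__ == "__main__":
    for line in findings(QUESTION_CONFIG):
        print(line)
```
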
