telnet and ssh configurations

Answered Question
Jun 23rd, 2009

Hi everybody!


My book shows the following configuration:

line vty 0 15
login
password cisco

=================


Book says: "The 'line vty 0 15' configuration command tells the switch that the commands that follow apply to all 16 possible concurrent virtual terminal connections to the switch, which includes telnet as well as SSH access."


My understanding is, given the above config, SSH access is not possible as SSH access requires at least a username and password to be configured. So basically the above config is only valid for telnet. But the excerpt from the book quoted above says (in the last line) that the above config applies to both telnet and SSH.


========================================

Please consider the following config:

2) line vty 0 15
login local
transport input telnet ssh
username sarah password cisco
crypto key generate rsa


My question is: if I telnet to this switch, will I be prompted for a username and password? Or will I be prompted for a username and password only if I connect via SSH?


thanks a lot!


Correct Answer by Edison Ortiz about 7 years 10 months ago

Your book seems outdated; the default used to be 'all', now it's none.


http://www.cisco.com/en/US/docs/ios/termserv/command/reference/tsv_s1.html#wp1022885


HTH,


__


Edison.

Correct Answer
davy.timmermans Tue, 06/23/2009 - 11:23

For the first question:

Authentication through the line password is not possible with SSH.

It will work for sure when the login/password is overridden by AAA:

aaa new-model
aaa authentication login default local xxx

Instead of local, group radius/tacacs could also be used.

For the second question:

Yes, you'll be prompted for a username and password.



sarahr202 Tue, 06/23/2009 - 14:54

"for the second question: yes you'll be prompted for a username and password"

Do you mean, even when I telnet, I will be prompted for a username and password?


thanks a lot!

Correct Answer
Edison Ortiz Tue, 06/23/2009 - 12:24

While the SSH client prompts for a username and password for authentication, on the Cisco IOS SSH server when using a line password, it will accept any username (it doesn't have to be configured in the box) and the password must be the line password.


HTH,


Edit:


Current configuration : 1268 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname CE2
!
boot-start-marker
boot-end-marker
!
aaa new-model
aaa authentication login default line enable
enable secret 5 $1$9.3m$khtj/6egNw9qoOksHisHU0
!
ip subnet-zero
ip cef
!
!
ip domain-name CISCO.COM
!
!
!
interface Loopback0
 ip address 10.1.2.1 255.255.255.255
 no clns route-cache
!
interface FastEthernet0/0
 no ip address
 duplex half
 no clns route-cache
!
interface FastEthernet1/0
 ip address 192.168.2.1 255.255.255.0
 duplex full
 speed auto
 no clns route-cache
!
interface FastEthernet1/1
 ip address 172.16.32.2 255.255.255.0
 duplex auto
 speed auto
 no clns route-cache
!
router eigrp 10
 passive-interface FastEthernet1/1
 network 0.0.0.0
 no auto-summary
!
ip classless
!
no ip http server
!
!
!
!
!
!
control-plane
!
!
dial-peer cor custom
!
!
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 password cisco
 transport input ssh
!
!
end

__________________

connecting from remote router:

CE1#ssh -l sara 172.16.32.2

Password:

CE2>en
Password:
CE2#



__


Edison.

glen.grant Tue, 06/23/2009 - 14:06

Edison is correct. It will use a normal line password if, say, a TACACS or RADIUS server is unavailable; we have this all over our enterprise.

sarahr202 Wed, 06/24/2009 - 09:01

Hi Edison!

Just got one more question if you don't mind.


line vty 0 15
login local

username sarah password cisco

Will the above config require username sarah and password cisco from a telnet user?


Thanks a lot!

Correct Answer
Edison Ortiz Wed, 06/24/2009 - 09:04

Yes, you've changed the login protocol from line password to login local authentication so all input connections to the vty will use the local username|password combination, not just telnet but also ssh.


HTH,


__


Edison.

Correct Answer
thotsaphon Wed, 06/24/2009 - 09:15

Zeeshan,

In the case of your configuration above, yes, you need to define a user for login local. However, "username sarah password cisco" will be used as privilege level 1.


HTH,

Toshi

sarahr202 Wed, 06/24/2009 - 10:22

thanks Edison.


"Yes, you've changed the login protocol from line password to login local authentication so all input connections to the vty will use the local username|password combination, not just telnet but also ssh."


According to my book, transport input telnet is on by default. That also means only telnet connections will be allowed and telnet users will be prompted for a username and password. To allow SSH connections, we must configure "transport input telnet ssh".


Am I correct?


thanks a lot and have a nice day!


HTH,

Edison Ortiz Fri, 06/26/2009 - 07:51

Sarah,


I want to correct my previous statement.


That section of the documentation needs to be updated. It does mention in the 'Usage Guidelines' that the default 'none' applies to TTY connections but there is no mention of VTY connections.


I did a little digging and it seems the VTY connections default is set to 'all' but the documentation makes no mention of it.
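As an added illustration (not from the thread or from Cisco), here is a small Python model of the vty login rules the answers above arrive at: it reads the vty stanza from an IOS-style config and reports, per allowed transport, what a connecting user must present. It assumes the vty transport default is 'all' (Edison's last post), treats 'login' as the vty default, follows Edison's test for SSH with a line password (any username, line password), and uses the questioner's second config as constructed sample input.

```python
# Constructed input: the questioner's second configuration ('login local').
SAMPLE_LOGIN_LOCAL = """\
username sarah password cisco
line vty 0 15
 login local
 transport input telnet ssh
"""

def parse_config(text):
    """Collect AAA login methods, local users and the vty line settings."""
    cfg = {"aaa_login": None, "users": [], "login": None,
           "line_password": False, "transport": None}
    in_vty = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("line "):
            in_vty = line.startswith("line vty")
        elif line.startswith("aaa authentication login default"):
            cfg["aaa_login"] = line.split()[4:]      # method list, e.g. ['line', 'enable']
        elif line.startswith("username "):
            cfg["users"].append(line.split()[1])
        elif in_vty:
            if line in ("login", "login local"):
                cfg["login"] = line
            elif line.startswith("password "):
                cfg["line_password"] = True
            elif line.startswith("transport input "):
                cfg["transport"] = line.split()[2:]
    return cfg

def vty_access(cfg):
    """Return {transport: what the connecting user must present}."""
    allowed = cfg["transport"] or ["all"]   # assumption: vty default is 'all' (Edison's last post)
    if allowed == ["none"]:
        return {}
    if allowed == ["all"]:
        allowed = ["telnet", "ssh"]
    if cfg["aaa_login"]:                    # aaa new-model: the method list replaces 'login'
        auth = "aaa method list: " + " ".join(cfg["aaa_login"])
    elif cfg["login"] == "login local":     # needs at least one 'username' (thotsaphon's point)
        auth = "local username+password" if cfg["users"] else "refused: no local users"
    elif cfg["line_password"]:              # plain 'login' (vty default) with a line password
        auth = "line password (SSH accepts any username)"
    else:
        auth = "refused: password required but none set"
    return {t: auth for t in allowed}
```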
