SSH for Tacacs+

roger.jones
Level 1

Hi

I have an early version of TACACS+ (CSACS3.2-WIN-K9).

We have upgraded all our Cisco devices to SSH 1.5 / SSH 2; however, when we renew passwords, the TACACS server is not allowing password changes. The way around this is to telnet to a device that currently does not use SSH login, but this is not a long-term solution.

Does anyone know how to make TACACS+ allow password changes when we have logged into a device using SSH?

Thanks !!

2 Replies

Jagdeep Gambhir
Level 10

Password expired notification doesn't work with any version of SSH. However, password change is supported by SSHv2. SSHv1 doesn't support the necessary message types to initiate a password change sequence. Only the very latest versions of IOS code on the routers/switches support SSHv2.

There are a couple of known bugs filed to address this issue on IOS:

CSCdy54970: Tacacs+ ACS password change with SSH
1st Found-In: 12.2M
Fixed-In: 12.1(22)EA3, 12.2(18)SXE, 12.2(25)S6, 12.2(25)SEA, 12.2(25)SEB, 12.2(27.7)S, 12.3(10.1)T

CSCin91851: Support keyboard-interactive authentication method
Fixed-In: 12.4(10.1)T, 12.2(33)SXI, 12.4(17.9)M, 12.2(32.8.11)SX142, 12.2(33.1.10)SXH, 12.4(13f)M, 12.2(33)SXH2, 12.2(32.8.11)XJC153.1, 12.2(32.8.1)YCA172.24, 12.4(22.3.4)PIC1

Link to check the bug information:
http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs

Regards,

~JG

Do rate helpful posts
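The reply above ties the password-change failure to whether the device negotiates SSHv2 and offers the keyboard-interactive method. A quick way to check that from the client side, before blaming the TACACS+ server, is to look at what `ssh -v` reports the device as offering. The script below is an added example written for this thread, not code posted by either participant; the two transcripts it parses are constructed samples shaped like OpenSSH `debug1:` lines, and the `Cisco-1.25` banner string is an assumption about the device's version banner.

```shell
#!/bin/sh
# Added example (not from the thread): decide from an OpenSSH client debug
# transcript whether a Cisco device offers the SSHv2 keyboard-interactive
# method that the TACACS+ password-change dialogue depends on.
# Both transcripts are constructed samples shaped like "ssh -v" debug1 lines;
# "Cisco-1.25" is an assumed version banner.

# Sample 1 (constructed): device negotiates in 1.99 compatibility mode and
# offers plain password authentication only.
SAMPLE_PASSWORD_ONLY='debug1: Remote protocol version 1.99, remote software version Cisco-1.25
debug1: Authentications that can continue: password
debug1: Next authentication method: password'

# Sample 2 (constructed): device is pinned to SSHv2 and offers
# keyboard-interactive, so a "change password" prompt can be relayed.
SAMPLE_KBD_INT='debug1: Remote protocol version 2.0, remote software version Cisco-1.25
debug1: Authentications that can continue: publickey,keyboard-interactive,password
debug1: Next authentication method: keyboard-interactive'

# Print the protocol version the server announced (e.g. 1.99 or 2.0).
remote_proto_version() {
  printf '%s\n' "$1" |
    sed -n 's/^debug1: Remote protocol version \([0-9][0-9.]*\),.*/\1/p' |
    head -n 1
}

# Print the comma-separated list of methods the server will accept.
offered_auth_methods() {
  printf '%s\n' "$1" |
    sed -n 's/^debug1: Authentications that can continue: //p' |
    head -n 1
}

# Return 0 when the server offers keyboard-interactive, 1 otherwise.
offers_keyboard_interactive() {
  case ",$(offered_auth_methods "$1")," in
    *,keyboard-interactive,*) return 0 ;;
    *) return 1 ;;
  esac
}

# One-line verdict for an operator. Against a real device, feed in the
# output of:  ssh -v -l <user> <device> 2>&1 </dev/null
password_change_verdict() {
  if offers_keyboard_interactive "$1"; then
    echo "protocol $(remote_proto_version "$1"): keyboard-interactive offered, password change over SSH is possible"
  else
    echo "protocol $(remote_proto_version "$1"): no keyboard-interactive, expect the TACACS+ password change to fail"
  fi
}

password_change_verdict "$SAMPLE_PASSWORD_ONLY"
password_change_verdict "$SAMPLE_KBD_INT"
```

On the device side, `show ip ssh` reports which SSH version the IOS server is running and `ip ssh version 2` pins it to SSHv2; whether the device then actually offers keyboard-interactive depends on the IOS release, which is what the CSCin91851 fixed-in list above is about. A "Remote protocol version 1.99" line means the device is still in compatibility mode and will accept SSHv1 clients too.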

JG,

You're a funny person, posting CSCdy54970 that can be accessed by internal Cisco Employees.

Some clarifications:

"Password expired notification doesn't work with any version of SSH"

This is FALSE, if I understand correctly. See below:

[root@lab-firemon ~]# ssh -l test 172.20.20.20
Password:
Your password will expire in 1 more logins

c2811>sh ver
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(24)T1, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Fri 19-Jun-09 15:13 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

c2811 uptime is 3 weeks, 5 days, 3 hours, 36 minutes
System returned to ROM by reload at 17:24:56 UTC Thu Aug 20 2009
System image file is "flash:c2800nm-adventerprisek9-mz.124-24.T1.bin"

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 2811 (revision 53.51) with 512000K/12288K bytes of memory.
Processor board ID FTX1152A3RZ
2 FastEthernet interfaces
1 Serial interface
2 Virtual Private Network (VPN) Modules
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
250880K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102

c2811>

Can you post the content of that bug ID CSCdy54970 report here?

A follow-up question: Do you know if password change via SSH works with s72033-entservicesk9_wan-mz.122-18.SXF14.bin?

Thanks in advance.
