Cannot Connect via SSH

JustinPruitt
Level 1

Hi,

I have enabled ssh v2 on my router.  When attempting to connect, I get an error:

Aug 30 15:42:10: SSH1: password authentication failed for justinpruitt

I can still connect via telnet, ssh just doesn't work.  The router is a 3745 running 12.4(8d), RELEASE SOFTWARE (fc2).  Here is a copy of my config:

aaa new-model
!
!
aaa authentication login default local-case group tacacs+ line
aaa authorization exec default local group tacacs+ none
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting update periodic 1
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!

ip domain name int.chickasaw.net
!

ip ssh version 2
!

tacacs-server host x.x.x.x
tacacs-server directed-request
tacacs-server key *********
!

!

line vty 0 4
access-class 98 in
exec-timeout 5 0
transport input telnet ssh

Also, here is the debug from an ssh attempt:

Aug 30 15:42:04: SSH1: starting SSH control process
Aug 30 15:42:04: SSH1: sent protocol version id SSH-2.0-Cisco-1.25
Aug 30 15:42:04: SSH1: protocol version id is - SSH-2.0-PuTTY_Release_0.60
Aug 30 15:42:04: SSH2 1: send: len 280 (includes padlen 4)
Aug 30 15:42:04: SSH2 1: SSH2_MSG_KEXINIT sent
Aug 30 15:42:04: SSH2 1: ssh_receive: 512 bytes received
Aug 30 15:42:04: SSH2 1: input: packet len 616
Aug 30 15:42:04: SSH2 1: partial packet 8, need 608, maclen 0
Aug 30 15:42:04: SSH2 1: ssh_receive: 104 bytes received
Aug 30 15:42:04: SSH2 1: partial packet 8, need 608, maclen 0
Aug 30 15:42:04: SSH2 1: input: padlen 10
Aug 30 15:42:04: SSH2 1: received packet type 20
Aug 30 15:42:04: SSH2 1: SSH2_MSG_KEXINIT received
Aug 30 15:42:04: SSH2: kex: client->server aes256-cbc hmac-sha1 none
Aug 30 15:42:04: SSH2: kex: server->client aes256-cbc hmac-sha1 none
Aug 30 15:42:04: SSH2 1: expecting SSH2_MSG_KEXDH_INIT
Aug 30 15:42:04: SSH2 1: ssh_receive: 144 bytes received
Aug 30 15:42:04: SSH2 1: input: packet len 144
Aug 30 15:42:04: SSH2 1: partial packet 8, need 136, maclen 0
Aug 30 15:42:04: SSH2 1: input: padlen 6
Aug 30 15:42:04: SSH2 1: received packet type 30
Aug 30 15:42:04: SSH2 1: SSH2_MSG_KEXDH_INIT received
Aug 30 15:42:04: SSH2 1: signature length 143
Aug 30 15:42:04: SSH2 1: send: len 448 (includes padlen 7)
Aug 30 15:42:04: SSH2: kex_derive_keys complete
Aug 30 15:42:04: SSH2 1: send: len 16 (includes padlen 10)
Aug 30 15:42:04: SSH2 1: newkeys: mode 1
Aug 30 15:42:04: SSH2 1: SSH2_MSG_NEWKEYS sent
Aug 30 15:42:04: SSH2 1: waiting for SSH2_MSG_NEWKEYS
Aug 30 15:42:04: SSH2 1: ssh_receive: 16 bytes received
Aug 30 15:42:04: SSH2 1: input: packet len 16
Aug 30 15:42:04: SSH2 1: partial packet 8, need 8, maclen 0
Aug 30 15:42:04: SSH2 1: input: padlen 10
Aug 30 15:42:04: SSH2 1: newkeys: mode 0
Aug 30 15:42:04: SSH2 1: received packet type 21
Aug 30 15:42:04: SSH2 1: SSH2_MSG_NEWKEYS received
Aug 30 15:42:04: SSH2 1: ssh_receive: 88 bytes received
Aug 30 15:42:04: SSH2 1: input: packet len 16
Aug 30 15:42:04: SSH2 1: partial packet 16, need 0, maclen 20
Aug 30 15:42:04: SSH2 1: MAC #3 ok
Aug 30 15:42:04: SSH2 1: input: padlen 6
Aug 30 15:42:04: SSH2 1: received packet type 2
Aug 30 15:42:04: SSH2 1: input: packet len 32
Aug 30 15:42:04: SSH2 1: partial packet 16, need 16, maclen 20
Aug 30 15:42:04: SSH2 1: MAC #4 ok
Aug 30 15:42:04: SSH2 1: input: padlen 10
Aug 30 15:42:04: SSH2 1: received packet type 5
Aug 30 15:42:04: SSH2 1: send: len 32 (includes padlen 10)
Aug 30 15:42:04: SSH2 1: done calc MAC out #3
Aug 30 15:42:04: SSH2 1: send: len 1104 (includes padlen 15)
Aug 30 15:42:04: SSH2 1: done calc MAC out #4
Aug 30 15:42:07: SSH2 1: ssh_receive: 120 bytes received
Aug 30 15:42:07: SSH2 1: input: packet len 16
Aug 30 15:42:07: SSH2 1: partial packet 16, need 0, maclen 20
Aug 30 15:42:07: SSH2 1: MAC #5 ok
Aug 30 15:42:07: SSH2 1: input: padlen 6
Aug 30 15:42:07: SSH2 1: received packet type 2
Aug 30 15:42:07: SSH2 1: input: packet len 64
Aug 30 15:42:07: SSH2 1: partial packet 16, need 48, maclen 20
Aug 30 15:42:07: SSH2 1: MAC #6 ok
Aug 30 15:42:07: SSH2 1: input: padlen 16
Aug 30 15:42:07: SSH2 1: received packet type 50
Aug 30 15:42:07: SSH2 1: send: len 32 (includes padlen 13)
Aug 30 15:42:07: SSH2 1: done calc MAC out #5
Aug 30 15:42:10: SSH2 1: ssh_receive: 300 bytes received
Aug 30 15:42:10: SSH2 1: input: packet len 16
Aug 30 15:42:10: SSH2 1: partial packet 16, need 0, maclen 20
Aug 30 15:42:10: SSH2 1: MAC #7 ok
Aug 30 15:42:10: SSH2 1: input: padlen 6
Aug 30 15:42:10: SSH2 1: received packet type 2
Aug 30 15:42:10: SSH2 1: input: packet len 80
Aug 30 15:42:10: SSH2 1: partial packet 16, need 64, maclen 20
Aug 30 15:42:10: SSH2 1: MAC #8 ok
Aug 30 15:42:10: SSH2 1: input: padlen 15
Aug 30 15:42:10: SSH2 1: received packet type 50
Aug 30 15:42:10: SSH1: password authentication failed for justinpruitt
Aug 30 15:42:12: SSH2 1: send: len 32 (includes padlen 13)
Aug 30 15:42:12: SSH2 1: done calc MAC out #6
Aug 30 15:42:12: SSH2 1: input: packet len 144
Aug 30 15:42:12: SSH2 1: partial packet 16, need 128, maclen 20
Aug 30 15:42:12: SSH2 1: MAC #9 ok
Aug 30 15:42:12: SSH2 1: input: padlen 6
Aug 30 15:42:12: SSH2 1: received packet type 2

Any help would be greatly appreciated.


4 Replies

Jennifer Halim
Cisco Employee

The error message points towards password authentication error:

password authentication failed for justinpruitt

Based on the configuration, the authentication is via TACACS, and backup to line, however under line vty 0 4 you haven't specified any password.

Does username justinpruitt exist on TACACS? What does your TACACS logs say?

I would try configuring a local username via the "username" command (please configure the same username and password as stated in your tacacs server), and also change the authentication to the following:

aaa authentication login default group tacacs+ local line

It will first try to authenticate against tacacs and when tacacs fails, it will use local database, then again if it fails, it will use line.

Thanks for the response!  I guess my big question is why does it authenticate to TACACS+ when using telnet but it does not when using ssh?  I worded the question wrong.

I have a local account and added a password to line vty 0 4.  I still cannot access the router via ssh, neither by the local account nor by TACACS+.  I do not even see requests/attempts on my ACS server coming from that device.

Try to use a different SSH Client to test and/or try SSH version 1.

Justin

I would suggest that if your question is really about why there are authentication problems with SSH and not with telnet that you would get much more useful output from debug aaa authentication (and perhaps debug tacacs) than what you got with debug ssh.

As I read the partial config that you posted the router will first attempt to authenticate with case sensitive local user and password, followed by TACACS, followed by line (and there are some strange permutations of what works and what does not if you get to line authentication for SSH). So it would be very helpful to know from debug aaa authentication which authentication method was really being used when you get the authentication failure message.

HTH

Rick
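As an added illustration of the method-list ordering Jennifer and Rick describe (this is not code from the thread or from Cisco), the Python below models how an "aaa authentication login" list is walked. It assumes the Cisco IOS rule that the next method is consulted only when the previous one returns an error (unknown local user, unreachable TACACS+ server) and not when it rejects the password; the Router class, parse_methods/authenticate helpers and the justinpruitt credentials are constructed for the example.

```python
# Added model (not from this thread) of how Cisco IOS walks an "aaa authentication login"
# method list. Assumption: the next method is consulted only when the previous one returns
# ERROR (unknown local user, unreachable TACACS+ server); a FAIL (wrong password) stops there.
from dataclasses import dataclass, field
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

@dataclass
class Router:
    local_users: dict = field(default_factory=dict)   # username -> password (constructed)
    tacacs_users: dict = field(default_factory=dict)  # what the ACS would accept (constructed)
    tacacs_reachable: bool = True
    line_password: "str | None" = None                # 'password' under line vty 0 4

def parse_methods(command):
    """'aaa authentication login default local-case group tacacs+ line'
    -> ['local-case', 'group tacacs+', 'line']"""
    tokens = command.split()[4:]      # skip 'aaa authentication login <list-name>'
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group":      # 'group' is followed by the server-group name
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods

def run_method(method, r, user, pwd):
    if method in ("local", "local-case"):
        fold = (lambda s: s) if method == "local-case" else str.lower
        db = {fold(u): p for u, p in r.local_users.items()}
        if fold(user) not in db:
            return ERROR              # unknown user: fall through to the next method
        return PASS if db[fold(user)] == pwd else FAIL
    if method == "group tacacs+":
        if not r.tacacs_reachable:
            return ERROR              # server unreachable: fall through
        return PASS if r.tacacs_users.get(user) == pwd else FAIL
    if method == "line":              # assumption: no line password counts as a rejection
        return PASS if r.line_password is not None and pwd == r.line_password else FAIL
    raise ValueError("unsupported method %r" % method)

def authenticate(command, r, user, pwd):
    """Walk the list in order; return (verdict, deciding method, per-method trace)."""
    trace = []
    for m in parse_methods(command):
        res = run_method(m, r, user, pwd)
        trace.append((m, res))
        if res != ERROR:
            return res, m, trace
    return FAIL, None, trace          # every method errored: access denied
```

The trace shows which method actually decided the login, which is the same question Rick suggests answering with debug aaa authentication on the real router.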
