SSH username and pass security

tgroth · ‎06-02-2003

We need to start using SSH Company wide. We have about 800 remote VPN sites that have 1710 routers with an IOS that supports SSH. I can configure SSH and it works great but the problem I have is with usernames and passwords. We already have usernames and passwords configured in each router for dial backup purposes and I don’t want these usernames and passwords to be used for the SSH login, I only want one administrator password listed for vty and console logins. We don’t want to use TACACS or RADIUS with an ASC server for these remote sites just a local username and password. Is there a way I can specify this password is just used for vtp and console ports and the other passwords are just used by the dialer interface? Any suggestions would be appreciated.

osam · ‎06-03-2003

I hope I understood your question correctly. You are basically trying to define "login" authentication locally for SSH access from different remote sites, right? And you don't want these sites to be able to use an already defined administrator password in your router. Please correct me if I am wrong!

Well, since this administrator user is already configured in the router, and you are using local authentication, I don't think it would be possible to seggregate between this specific user and the rest in terms of where to access from.

This is best ot my knowledge.

mhoda · ‎06-05-2003

Hi,

Sorry ! This is not possible. Once you define the user database on router, for any type connection, all the users in the local database would be used across the board, no way to distinct. With a AAA server, this is possible by manipulating the attributes in the profile. Thanks,

Mynul