ssh authentication problem

gmaccisco1
Level 1

Hi, I have reconfigured my Cisco 3825 for SSH after we lost the config due to a power failure. I have reconfigured it the same way it was configured before and was working properly.

Now, when I try to access the router using PuTTY SSH, I get to the authentication screen, but after entering the username and password (enable secret and line password are the same) I get access denied.

Below is the SSH and line configuration on the router. I have seen the PDF that has been recommended here at Netpro and have followed that document, but I am still having the problem:

no ip bootp server
ip domain lookup source-interface Serial0/0/0.1
ip domain name gmac
ip name-server 198.6.1.5
ip ssh maxstartups 5
ip ssh time-out 60
ip ssh authentication-retries 5
ip ssh source-interface GigabitEthernet0/0
ip ssh logging events
voice-card 0
 no dspfarm
crypto pki trustpoint border-p.gmac
 revocation-check crl
!
crypto pki trustpoint TP-self-signed-1590450227
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1590450227
 revocation-check none
 rsakeypair TP-self-signed-1590450227

border-p#show cry key mypubkey rsa
% Key pair was generated at: 23:41:15 UTC Dec 12 2006
Key name: border-p.gmac
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:


% Key pair was generated at: 23:41:15 UTC Dec 12 2006
Key name: border-p.gmac.server
 Usage: Encryption Key
 Key is not exportable.
 Key Data:


border-p#

line con 0
 password 7 094B471F1C081247050313
 login
 stopbits 1
line aux 0
 password 7 02010D4D0E0B0A7442411E
 login
 stopbits 1
line vty 0 3
 privilege level 15
 password 7 14101B1D09092F7E2A2724
 login
 transport input telnet ssh
line vty 4
 privilege level 15
 password 7 1515021A01272E71263C22
 login
 transport input telnet ssh

Please advise,

Masood

17 Replies

mark.edwards
Level 1

Hi, bit of a long shot really, but some time ago I configured IPSec with a CA server. This required RSA keys on the router, and one thing I remember was that the router clock had to be set correctly or the RSA key would not be active. Can you confirm the clock is set correctly and the RSA key is active?

Thanks for your response. The clock is synched with an NTP server and is correct. The RSA key is active too. I am puzzled!

Masood

Try recreating your RSA key and test the login.

Narayan

Masood

While I frequently share the approach that Narayan is suggesting to recreate the RSA key (most especially if there was some event that lost the config, it is fairly likely to have impacted the RSA keys), the output that you posted seems to indicate that the keys were generated on Dec 12, which implies that you generated the keys after doing the new config. Is that correct? While it certainly cannot hurt to recreate the keys, I am not optimistic that it will fix the problem.

The parts of the config that you posted do not show whether you have configured AAA authentication or not. Perhaps you can clarify this?

It might also be helpful to give us the exact error message that you get when you attempt SSH access.

If we do not find a solution otherwise, it might be helpful to run a debug for SSH, attempt access, and post the debug output.

HTH

Rick


You are right, the RSA key was created after I lost the config and reconfigured the router, and yes, recreating the RSA key didn't fix my problem.

When I run PuTTY SSH, I get to the router's login, asking me for a username and then a password. I enter the username and then the password, but it comes back and tells me that access is denied.

I have not configured AAA yet, but I will in a few days after my Cisco Secure ACS TACACS+ installation is finished.

I have tried all that I could but am still having the problem.

How can I delete the vty lines and recreate them? The no line vty 0 3 and no line vty 4 don't do the trick.

Thanks,

Masood

Hi Rick,

Here is the debug ssh output:

border-p#sh logging
Syslog logging: enabled (11 messages dropped, 2 messages rate-limited,
0 flushes, 0 overruns, xml disabled, filtering disabled)
Console logging: disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 256554 messages logged, xml disabled,
filtering disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled
No active filter modules.
Trap logging: level notifications, 6135 message lines logged
--More--
Log Buffer (4096 bytes):
O
256572: Dec 14 09:18:14.662 UTC: SSH2 0: ssh_receive: 276 bytes received
256573: Dec 14 09:18:14.662 UTC: SSH2 0: input: packet len 256
256574: Dec 14 09:18:14.662 UTC: SSH2 0: partial packet 16, need 240, maclen 20
256575: Dec 14 09:18:14.662 UTC: SSH2 0: MAC #6 ok
256576: Dec 14 09:18:14.662 UTC: SSH2 0: input: padlen 197
256577: Dec 14 09:18:14.666 UTC: SSH2 0: received packet type 50
56619: Dec 14 09:18:36.712 UTC: SSH0: sent protocol version id SSH-1.99-Cisco-1.25
256620: Dec 14 09:18:36.716 UTC: SSH0: protocol version id is - SSH-1.5-OpenSSH_3.7.1p2
256621: Dec 14 09:18:36.716 UTC: SSH0: SSH_SMSG_PUBLIC_KEY msg
256622: Dec 14 09:18:36.817 UTC: SSH0: Session disconnected - error 0x07len 32 (includes padlen 13)
256581: Dec 14 09:18:16.666 UTC: SSH2 0: done calc MAC out #7
256583: Dec 14 09:18:17.310 UTC: SSH2 0: ssh_receive: 276 bytes received
256584: Dec 14 09:18:17.310 UTC: SSH2 0: input: packet len 256
256585: Dec 14 09:18:17.310 UTC: SSH2 0: partial packet 16, need 240, maclen 20
256586: Dec 14 09:18:17.310 UTC: SSH2 0: MAC #7 ok
256587: Dec 14 09:18:17.310 UTC: SSH2 0: input: padlen 207
256588: Dec 14 09:18:17.310 UTC: SSH2 0: received packet type 50
256591: Dec 14 09:18:19.310 UTC: SSH2 0: send: len 32 (includes padlen 13)
256592: Dec 14 09:18:19.310 UTC: SSH2 0: done calc MAC out #8
256596: Dec 14 09:18:22.879 UTC: SSH2 0: ssh_receive: 276 bytes received
256597: Dec 14 09:18:22.879 UTC: SSH2 0: input: packet len 256
256598: Dec 14 09:18:22.879 UTC: SSH2 0: partial packet 16, need 240, maclen 20
256599: Dec 14 09:18:22.879 UTC: SSH2 0: MAC #8 ok
256600: Dec 14 09:18:22.879 UTC: SSH2 0: input: padlen 197
256601: Dec 14 09:18:22.879 UTC: SSH2 0: received packet type 50
256604: Dec 14 09:18:24.879 UTC: SSH2 0: authentication failed for userid (code=1)
256605: Dec 14 09:18:24.979 UTC: SSH0: Session disconnected - error 0x09
border-p#

Hope this shows what the issue might be. I think there is an SSH version problem here!

Your thoughts??

Thx,

Masood

Masood

Before you lost the config, when SSH access was working, was it configured for AAA?

I am wondering if the issue is that SSH wants both a username and a password, but the default authentication on the vty ports only uses a password. I wonder whether, if you were to configure a username and password on the router and then configure the vty ports with login local (which will authenticate with the configured username and password), you would solve the authentication problem.

HTH

Rick

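Rick's diagnosis above (SSH always presents a username, so a vty with plain login and only a line password can never authenticate an SSH session unless AAA is in play) is easy to check mechanically across saved configs. The following Python lint is an added example, not code from this thread or from Cisco; it assumes the standard IOS running-config layout (sub-commands indented one space under line vty) and runs against a constructed sample config.

```python
import re

# Constructed sample (not the poster's full config): SSH-enabled vty lines with only a line password.
SAMPLE_CONFIG = """\
ip domain name gmac
line vty 0 3
 privilege level 15
 password 7 14101B1D09092F7E2A2724
 login
 transport input telnet ssh
line vty 4
 privilege level 15
 login
 transport input telnet ssh
"""

def parse_vty_blocks(config):
    """Return (line_name, [sub-commands]) for every 'line vty' block."""
    blocks, current = [], None
    for raw in config.splitlines():
        if raw.startswith("line "):            # new line-mode block
            current = (raw.strip(), [])
            blocks.append(current)
        elif raw.startswith(" ") and current:  # indented sub-command
            current[1].append(raw.strip())
        else:                                  # back to global config
            current = None
    return [b for b in blocks if b[0].startswith("line vty")]

def check_ssh_auth(config):
    """Flag vty lines that allow SSH but can only check a line password.
    SSH always sends a username; with plain 'login' and no 'aaa new-model'
    IOS only matches the line password, so every SSH login is denied.
    The fix is 'login local' plus at least one 'username ... secret' entry."""
    findings = []
    has_aaa = re.search(r"^aaa new-model", config, re.M) is not None
    has_user = re.search(r"^username \S+ (secret|password)", config, re.M) is not None
    if not re.search(r"^ip domain[- ]name \S+", config, re.M):
        findings.append("no 'ip domain name': RSA key generation and SSH will not work")
    for name, body in parse_vty_blocks(config):
        allows_ssh = any(l.startswith("transport input") and "ssh" in l for l in body)
        if not allows_ssh or has_aaa:
            continue
        if "login local" in body and not has_user:
            findings.append(f"{name}: 'login local' but no username configured")
        elif "login" in body:
            findings.append(f"{name}: 'login' uses the line password only; "
                            "SSH needs 'login local' (or aaa) and a username")
    return findings
```

Running check_ssh_auth on the sample reports both vty blocks; after switching them to login local and adding a username entry, the same check comes back clean.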

Here is what I did: deleted the RSA key, configured the vty lines for login local, and set the username's password to the enable secret, but I still get access denied when I try to access the router using PuTTY SSH.

I really don't know what else there is to configure.

border-p(config)#cry key generate rsa
The name for the keys will be: border-p.gmac
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
border-p(config)#exit
border-p#wr mem
Building configuration...
[OK]
border-p#

Your thoughts?

Thx,

Masood

Masood

I cannot tell from your message whether you followed all of my suggestion about login local. When you use login local, it is important that there be at least one username and password configured on the router.

For example: username masood password letmein

Then try SSH with the username masood and the password letmein.

Also, it would be helpful to know if the router was configured with AAA when it was working correctly before the config was lost.

HTH

Rick


I have done that many times so far..

Thx,

Masood

OK guys,

It's now fixed, and thanks to all of you who shared your thoughts with me.

It was solely an authentication issue. I deleted the RSA key, then deleted all the usernames I had in the configuration and recreated the username, then generated the RSA keys, and that fixed SSH access to this router.

Thank you very much for all the good ideas.

Regards,

Masood

Masood

I am glad that you got it fixed.

Thanks for posting to the forum indicating what the solution was. It makes the forum more useful when people can read about a problem and can read what solution resolved the problem.

HTH

Rick


You are welcome, Rick. Thanks for helping me. All the responses were right and to the point.

We use this forum and we need to take care of it.

Thx,

Masood

valmatrix
Level 1

Hi there.

I had the same issue, and after reading this, I tried only changing "login" to "login local". Then I was successful in accessing my router via SSH.

Thanks.
