
ssh login issue!

Mohit Chauhan

Hi friends,

I have some interesting behaviour with ssh. It's not working for some reason and I am trying to get to the root cause behind it. Usually it is a fairly simple job, but for some reason it's giving me a hard time in this instance.

On the router which I am trying to ssh to, I see the following error message:

ssh x.x.x.x

Password:

Password:

Password:

mohitchauhan@x.x.x.x's password:

Connection closed by x.x.x.x

Then I tried using option -I

ssh -I admin x.x.x.x

no support for PKCS#11.

Password:

Password:

Password:

mohitchauhan@x.x.x.x's password:

Connection closed by x.x.x.x

I also could not understand what the PKCS#11 error is.

I checked the config on the router:

Sh run

no aaa new-model

no ip domain lookup

ip domain name coopoxlocal.local

ip name-server 203.21.20.20

ip name-server 203.10.1.9

multilink bundle-name authenticated

!

crypto pki trustpoint TP-self-signed-620382552

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-620382552

revocation-check none

rsakeypair TP-self-signed-620382552

!

!

crypto pki certificate chain TP-self-signed-620382552

certificate self-signed 01


            quit

license udi pid CISCO2901/K9 sn FGL153021F0

!

!

username admin privilege 15 secret 5 $1$AtSA$4kZ6JPI04FAoAFW0nnOpp.

!        

!

ip ssh version 2

!

line con 0

logging synchronous

login local

line aux 0

line vty 0 4

privilege level 15

login local

transport input telnet ssh

end

Also ran the below command:

RouterA#sh ip ssh

SSH Enabled - version 2.0

Authentication timeout: 120 secs; Authentication retries: 3

Minimum expected Diffie Hellman key size : 1024 bits

IOS Keys in SECSH format(ssh-rsa, base64 encoded):

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCzFIaXuySiSxhSw5Rb6SbfHBjXe2jrku23

Bfpf7IJMdHPpFLgLx2EoGOJAzUO5EqKz2SBR6OYt8ToGGRO1qgyf4v267IU3kCqE

JjBvoA9Sk5l/Z6x2qhUdagAO8ihQBqA403iNleMU6dj3ZW3T6TCjrr5Wvqq2UXty

uWvDspGSmw==

I couldn't understand where things are not working.

Thanks in advance friends!!

Regards,


Mohit Chauhan

Hi team

Just a quick update here: I was using an incorrect parameter in the option to ssh, which gave me the PKCS#11 error.

Actually I should have used -l (i.e. small L) and I thought it to be -I (capital I, for India).

However, the strange thing is it works only if I use the -l option and specify the username. Why can't I do it directly like "ssh x.x.x.x"? It asks me for a password when I do it this way, but never accepts that password.

Thanks!

Where are you attempting SSH from when you try simply ssh x.x.x.x? And how are you initiating the SSH? Is it at a command line, or in a terminal emulator (such as SecureCRT or TeraTerm, or Hyperterm)? I know that sometimes if I initiate SSH from a command prompt on a device where I am already authenticated it will supply the user name in the connection request and I just get a prompt for password, which is what you describe. So the question might be whether this is happening and if so is the device supplying the user name admin (which is what you have configured on the router).

HTH

Rick
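An added illustration, not part of the posts above: a small Python model of how the OpenSSH client chooses the login name, showing why `ssh x.x.x.x` and `ssh -I admin x.x.x.x` both authenticate as the local account (hence the `mohitchauhan@x.x.x.x's password:` prompt) while `-l admin` sends `admin`. The function name and the `local_user` parameter are assumptions of this sketch, and a `User` line in ssh_config is not modelled.

```python
import getpass

# Single-letter options that take a value, from the ssh(1) synopsis.
OPTS_WITH_ARG = set("BbcDEeFIiJLlmOoPpQRSWw")


def effective_login(argv, local_user=None):
    """Return (user, host, pkcs11_provider) for the words typed after `ssh`."""
    user = provider = dest = None
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg.startswith("-") and len(arg) > 1:
            # Walk a possibly bundled option word such as "-vl".
            for pos, flag in enumerate(arg[1:], start=1):
                if flag not in OPTS_WITH_ARG:
                    continue  # boolean switch, no value
                value = arg[pos + 1:]
                if not value:  # value is the next word
                    i += 1
                    if i >= len(argv):
                        raise ValueError(f"option -{flag} needs a value")
                    value = argv[i]
                if flag == "l":
                    user = value
                elif flag == "I":
                    provider = value  # a PKCS#11 library path, not a login name
                break
        elif dest is None:
            dest = arg
        else:
            break  # first plain word after the destination starts the remote command
        i += 1
    if dest is None:
        raise ValueError("no destination given")
    host = dest
    if "@" in dest:
        dest_user, host = dest.rsplit("@", 1)
        user = user or dest_user
    # With no -l and no user@, the client sends the local account name.
    return (user or local_user or getpass.getuser(), host, provider)


if __name__ == "__main__":
    # Constructed inputs mirroring the commands in the thread.
    for words in (["x.x.x.x"], ["-I", "admin", "x.x.x.x"], ["-l", "admin", "x.x.x.x"]):
        print("ssh", " ".join(words), "->", effective_login(words, "mohitchauhan"))
```

On a real client, `ssh -G x.x.x.x` prints the resolved `user` value, including anything set in ssh_config.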


Hi Rick

We were trying to log in from different places. I was trying to log in from an emulator (PuTTY) directly. Another person was trying the same way but with a different emulator from another place on the internet.

The IP address we were using was a public IP.

The interesting thing was, once I used my Mac PC's shell window to log in using option -l username, it started working from the normal Windows PC PuTTY application directly.

And since then it has been working without any issue.

Thanks for your help anyway!

Regards,

Mohit

Mohit

Thanks for the update and telling us that it is working now. I am a bit puzzled about what it would have been that prevented your SSH attempts and then started working when the SSH was initiated from the mac. I guess the important thing is that now it is working for you.

HTH

Rick


NormMuelleman

Mohit;

I just had a similar issue with this. But something caught my eye, so let me ask you something..

Have you had connectivity via SSH before? Was something changed?

The reason I ask is I see the following statement:

line vty 0 4

privilege level 15

login local

transport input telnet ssh

It appears that the vty 0 4 is wanting a local username/password. Which, btw, you may want to change that username from what it is...

Does the device you are SSH'ing from have transport output ssh configured?

Also, one of the problems I encountered was that I could connect to the device. I got the warning banner, and it asked for my password. But after three times, it booted me like yours is. Turns out my default gateway was set incorrectly on the device I was attempting to SSH from.

Just a couple things to help troubleshoot...

Oh, and I take it you're not using aaa at all? I saw the no aaa new-model. That points to a possible incorrect password as well, stored locally on the device. I've found that in the past... someone forgot a device during password change time.

Hi Norm

Below are my answers to your query.

I had set up ssh for the first time on the device, but surely I had changed the username & password myself and made sure it showed up in the sho run.

I was initiating ssh from an Apple laptop using its terminal window (shell), so there was no way I could do something like "transport output" settings (unless it is done internally somewhere on the Mac PC).

Locally I could log in without any problem, and once I logged in using the Mac PC, it went all smoothly ever since.

It is really weird that, having reached the router login page and not making it through after 3-4 password attempts, the issue was resolved by fixing the default gateway on the initiating device. I would have thought reaching the router login would eliminate any routing-related concern.

Thanks for sharing your experience and I am glad things are working now.

Regards,

Mohit
