3955 Views · 0 Helpful · 11 Replies

telnet and ssh configurations

sarahr202
Level 5

Hi everybody!

My book shows the following configuration:

line vty 0 15
 login
 password cisco

=================

The book says: "The 'line vty 0 15' configuration command tells the switch that the commands that follow apply to all 16 possible concurrent virtual terminal connections to the switch, which includes Telnet as well as SSH access."

My understanding is that, given the above config, SSH access is not possible, as SSH access requires at least a username and password to be configured. So basically the above config is only valid for telnet. But the excerpt from the book quoted above says (in the last line) that the above config applies to both telnet and SSH.

========================================

Please consider the following config:

2)
line vty 0 15
 login local
 transport input telnet ssh
username sarah password cisco
crypto key generate rsa

My question is: if I telnet to this switch, will I be prompted for a username and password? Or will I be prompted for a username and password only if I connect via SSH?

thanks a lot!

11 Replies

davy.timmermans
Level 4

For the first question:

Authentication through the line password is not possible with SSH.

It will work for sure when the login/password is overridden by AAA:

aaa new-model
aaa authentication login default local xxx

Instead of local, group radius/tacacs could also be used.

For the second question:

Yes, you'll be prompted for a username and password.

"for the second question: yes you'll be prompted for a username and password"

Do you mean that even when I telnet, I will be prompted for a username and password?

thanks a lot!

Edison Ortiz
Hall of Fame

While the SSH client prompts for a username and password for authentication, a Cisco IOS SSH server using a line password will accept any username (it doesn't have to be configured in the box), and the password must be the line password.

HTH,

Edit:

Current configuration : 1268 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname CE2
!
boot-start-marker
boot-end-marker
!
aaa new-model
aaa authentication login default line enable
enable secret 5 $1$9.3m$khtj/6egNw9qoOksHisHU0
!
ip subnet-zero
ip cef
!
ip domain-name CISCO.COM
!
interface Loopback0
 ip address 10.1.2.1 255.255.255.255
 no clns route-cache
!
interface FastEthernet0/0
 no ip address
 duplex half
 no clns route-cache
!
interface FastEthernet1/0
 ip address 192.168.2.1 255.255.255.0
 duplex full
 speed auto
 no clns route-cache
!
interface FastEthernet1/1
 ip address 172.16.32.2 255.255.255.0
 duplex auto
 speed auto
 no clns route-cache
!
router eigrp 10
 passive-interface FastEthernet1/1
 network 0.0.0.0
 no auto-summary
!
ip classless
!
no ip http server
!
control-plane
!
dial-peer cor custom
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 password cisco
 transport input ssh
!
end

Connecting from the remote router:

CE1#ssh -l sara 172.16.32.2
Password:
CE2>en
Password:
CE2#

__

Edison.

Edison is correct: it will use a normal line password if, say, a TACACS or RADIUS server is unavailable. We have this all over our enterprise.

thanks Edison!

Hi Edison!

Just one more question, if you don't mind.

line vty 0 15
 login local
username sarah password cisco

Will the above config require username sarah and password cisco from a telnet user?

Thanks a lot!

Yes, you've changed the login protocol from line password to login local authentication so all input connections to the vty will use the local username|password combination, not just telnet but also ssh.

HTH,

__

Edison.

Zeeshan,

In the case of your configuration above, yes, you need to define a user for login local. However, "username sarah password cisco" will be used as privilege level 1.

HTH,

Toshi

thanks Edison.

"Yes, you've changed the login protocol from line password to login local authentication so all input connections to the vty will use the local username|password combination, not just telnet but also ssh."

According to my book, transport input telnet is on by default. That also means only telnet connections will be allowed, and telnet users will be prompted for a username and password. To allow SSH connections, we must configure "transport input telnet ssh".

Am I correct?

Thanks a lot and have a nice day!

Your book seems outdated; the default used to be 'all', now it's 'none'.

http://www.cisco.com/en/US/docs/ios/termserv/command/reference/tsv_s1.html#wp1022885

HTH,

__

Edison.

Sarah,

I want to correct my previous statement.

That section of the documentation needs to be updated. It does mention in the 'Usage Guidelines' that the default 'none' applies to TTY connections but there is no mention of VTY connections.

I did a little digging and it seems the VTY connections default is set to 'all' but the documentation makes no mention of it.
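As an added example that is not part of any post in this thread: a Python script that audits the vty-related lines of an IOS running-config for the points raised above (which login method is actually in effect once `aaa new-model` is present, whether the vty still relies on a shared line password, whether `login local` has a user to check against, whether telnet is still in `transport input`, and whether credentials are stored with `password` rather than `secret`). It is run here against the vty-relevant lines copied from Edison's CE2 configuration and against a constructed hardened counterpart. The finding names, the hardened config's placeholder passphrase and the parser's assumptions about running-config layout are mine, not IOS terminology or code from the thread.

```python
"""Audit the vty settings of a Cisco IOS running-config for the weaknesses
discussed in the thread. Added example, not code from any post. Assumes
running-config layout: top-level at column 0, sub-commands indented one space."""

WEAK_TRANSPORT = "telnet-allowed"              # clear-text management session
TRANSPORT_UNSET = "transport-input-not-set"    # default differs by IOS version
LINE_PASSWORD = "shared-line-password"         # any username, one shared secret
ENABLE_AS_LOGIN = "enable-secret-used-for-login"
LOGIN_NO_PASSWORD = "login-without-password"   # IOS refuses the connection
PLAINTEXT_CREDS = "reversible-credentials"     # 'password' instead of 'secret'
NO_SSHV2 = "ssh-version-2-not-forced"          # default negotiates 1.99
NO_LOCAL_USER = "local-auth-without-username"  # 'login local' with no user


def parse_blocks(config):
    """Return [(top_level_command, [sub_commands])] from a running-config."""
    blocks = []
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text == "!":
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(text)
        else:
            blocks.append((text, []))
    return blocks


def effective_login(top, vty_sub):
    """How a vty authenticates. 'aaa new-model' overrides the line's own
    login / login local; with no 'default' login list it applies 'local'."""
    if "aaa new-model" in top:
        for cmd in top:
            if cmd.startswith("aaa authentication login default "):
                return "aaa:" + " ".join(cmd.split()[4:])
        return "aaa:local"
    if "login local" in vty_sub:
        return "local"
    if "login" in vty_sub:
        return "line-password"
    return "none"


def audit_vty(config):
    """Return {'lines': [...], 'findings': set} for every 'line vty' block."""
    blocks = parse_blocks(config)
    top = [cmd for cmd, _ in blocks]
    have_user = any(c.startswith("username ") for c in top)
    findings, lines = set(), []
    if any(c.startswith("username ") and " password " in c for c in top):
        findings.add(PLAINTEXT_CREDS)      # type 0/7 is reversible; use 'secret'
    for header, sub in blocks:
        if not header.startswith("line vty"):
            continue
        login = effective_login(top, sub)
        methods = login[4:].split() if login.startswith("aaa:") else [login]
        transport = next((s.split()[2:] for s in sub
                          if s.startswith("transport input ")), None)
        has_password = any(s.startswith("password ") for s in sub)
        lines.append({"line": header, "login": login, "transport": transport})
        if "line" in methods or login == "line-password":
            findings.add(LINE_PASSWORD)    # SSH will accept any username here
        if login == "line-password" and not has_password:
            findings.add(LOGIN_NO_PASSWORD)
        if "enable" in methods:
            findings.add(ENABLE_AS_LOGIN)
        if "local" in methods and not have_user:
            findings.add(NO_LOCAL_USER)
        if has_password:
            findings.add(PLAINTEXT_CREDS)  # line passwords are never hashed
        if transport is None:
            findings.add(TRANSPORT_UNSET)
        elif "telnet" in transport or "all" in transport:
            findings.add(WEAK_TRANSPORT)
        ssh_possible = transport is None or "ssh" in transport or "all" in transport
        if ssh_possible and "ip ssh version 2" not in top:
            findings.add(NO_SSHV2)
    return {"lines": lines, "findings": findings}


# Vty-relevant lines of Edison's CE2 running-config above, re-indented.
CE2_CONFIG = """\
aaa new-model
aaa authentication login default line enable
enable secret 5 $1$9.3m$khtj/6egNw9qoOksHisHU0
line vty 0 4
 password cisco
 transport input ssh
"""

# Constructed hardened counterpart; the passphrase is a placeholder.
HARDENED_CONFIG = """\
aaa new-model
aaa authentication login default local
username sarah privilege 15 secret 0 ReplaceWithAStrongPassphrase
ip ssh version 2
line vty 0 15
 transport input ssh
"""
```

Calling `audit_vty(CE2_CONFIG)` reports `shared-line-password` (the `line` method, which is why `ssh -l sara` succeeded with a user that was never defined), `enable-secret-used-for-login` (the `enable` fallback turns the enable secret into a login credential), `reversible-credentials` (a line password cannot be stored hashed) and `ssh-version-2-not-forced`. The hardened variant keeps AAA but authenticates against a local user defined with `secret`, restricts the vty to SSH and forces SSHv2; it produces no findings. The `aaa:local` result for `aaa new-model` without a login list follows the documented behaviour of that command, which applies local authentication to all lines except the console.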
