Cisco Support Community

Bronze

telnet and ssh configurations

Hi everybody!

My book shows the following configuration:

line vty 0 15

login

password cisco

=================

Book says: "The 'line vty 0 15' configuration command tells the switch that the commands that follow apply to all 16 possible concurrent virtual terminal connections to the switch, which includes telnet as well as SSH access."

My understanding is, given the above config, SSH access is not possible, as SSH access requires at least a username and password to be configured. So basically the above config is only valid for telnet. But the excerpt from the book, quoted above, says (the last line) that the above config applies to both telnet and SSH.

========================================

Please consider the following config:

2) line vty 0 15

login local

transport input telnet ssh

username sarah password cisco

crypto key generate rsa

My question is: if I have to telnet to this switch, will I be prompted for a username and password? Or will I be prompted for a username and password only if I connect via SSH?

thanks a lot!

11 REPLIES

Re: telnet and ssh configurations

for the first question:

Authentication through the line password is not possible with SSH.

It will work for sure when the login/password is overridden by AAA:

aaa new-model

aaa authentication login default local xxx

Instead of local, group radius/tacacs could also be used.

for the second question:

yes you'll be prompted for a username and password

Bronze

Re: telnet and ssh configurations

for the second question:

yes you'll be prompted for a username and password

Do you mean that even when I telnet, I will be prompted for a username and password?

thanks a lot!

Hall of Fame Super Bronze

Re: telnet and ssh configurations

While the SSH client prompts for a username and password for authentication, on the Cisco IOS SSH server, when using a line password, it will accept any username (it doesn't have to be configured in the box) and the password must be the line password.

HTH,

Edit:

Current configuration : 1268 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname CE2
!
boot-start-marker
boot-end-marker
!
aaa new-model
aaa authentication login default line enable
enable secret 5 $1$9.3m$khtj/6egNw9qoOksHisHU0
!
ip subnet-zero
ip cef
!
ip domain-name CISCO.COM
!
interface Loopback0
 ip address 10.1.2.1 255.255.255.255
 no clns route-cache
!
interface FastEthernet0/0
 no ip address
 duplex half
 no clns route-cache
!
interface FastEthernet1/0
 ip address 192.168.2.1 255.255.255.0
 duplex full
 speed auto
 no clns route-cache
!
interface FastEthernet1/1
 ip address 172.16.32.2 255.255.255.0
 duplex auto
 speed auto
 no clns route-cache
!
router eigrp 10
 passive-interface FastEthernet1/1
 network 0.0.0.0
 no auto-summary
!
ip classless
!
no ip http server
!
control-plane
!
dial-peer cor custom
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 password cisco
 transport input ssh
!
end

__________________

Connecting from the remote router:

CE1#ssh -l sara 172.16.32.2
Password:
CE2>en
Password:
CE2#

__

Edison.

Purple

Re: telnet and ssh configurations

Edison is correct. It will use a normal line password if, say, a TACACS or RADIUS server is unavailable; we have this all over our enterprise.

Bronze

Re: telnet and ssh configurations

thanks Edison!

Bronze

Re: telnet and ssh configurations

Hi Edison!

Just got one more question if you don't mind.

line vty 0 15

login local

username sarah password cisco

Will the above config require username sarah and password cisco from telnet user ?

Thanks a lot!

Hall of Fame Super Bronze

Re: telnet and ssh configurations

Yes, you've changed the login protocol from line password to login local authentication so all input connections to the vty will use the local username|password combination, not just telnet but also ssh.

HTH,

__

Edison.

Re: telnet and ssh configurations

Zeeshan,

In the case of your configuration above, yes, you need to define a user for login local. However, "username sarah password cisco" will be used at privilege level 1.

HTH,

Toshi

Bronze

Re: telnet and ssh configurations

thanks Edison.

"Yes, you've changed the login protocol from line password to login local authentication so all input connections to the vty will use the local username|password combination, not just telnet but also ssh."

According to my book, "transport input telnet" is on by default. That also means only telnet connections will be allowed, and telnet users will be prompted for a username and password. To allow SSH connections, we must configure "transport input telnet ssh".

Am I correct?

thanks a lot and have a nice day!

HTH,

Hall of Fame Super Bronze

Re: telnet and ssh configurations

Your book seems outdated; the default used to be 'all', now it's 'none'.

http://www.cisco.com/en/US/docs/ios/termserv/command/reference/tsv_s1.html#wp1022885

HTH,

__

Edison.

Hall of Fame Super Bronze

Re: telnet and ssh configurations

Sarah,

I want to correct my previous statement.

That section of the documentation needs to be updated. It does mention in the 'Usage Guidelines' that the default 'none' applies to TTY connections, but there is no mention of VTY connections.

I did a little digging, and it seems the VTY connections' default is set to 'all', but the documentation makes no mention of it.
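A way to check the rules argued out in this thread against an actual running-config, as an added example that is not part of the thread and not a Cisco tool: a small Python auditor that splits the config into global commands and `line vty` blocks, resolves which login method really applies (the `aaa authentication login default` method list when `aaa new-model` is present, otherwise the line's `login` / `login local` keyword), and flags the cases discussed above: a line password (SSH then accepts any username), `login local` with no `username`, `login` with no password set, telnet in `transport input`, and an unset `transport input` whose platform default the documentation does not settle. The two sample configs inside are constructed for the example (the hashes are placeholders, not real secrets). Two IOS behaviours it relies on are stated in the comments: `aaa new-model` with no method list falls back to local authentication, and vty lines default to `login`.

```python
"""Audit the vty login path of a Cisco IOS running-config (added example)."""
import re

# Constructed sample configs, not the thread's. IOS indents line sub-commands
# by one space, which the pasted output in the thread lost.
WEAK_CONFIG = """\
aaa new-model
aaa authentication login default line enable
enable secret 5 $1$abcd$placeholderhash
username sarah password cisco
line vty 0 4
 password cisco
 transport input ssh
"""

HARDENED_CONFIG = """\
aaa new-model
aaa authentication login default local
enable secret 5 $1$abcd$placeholderhash
username sarah privilege 15 secret 5 $1$efgh$placeholderhash
line vty 0 4
 transport input ssh
"""


def parse_config(text):
    """Split a running-config into global commands and per-`line` sub-commands."""
    global_cmds, line_blocks, current = [], {}, None
    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            line_blocks[current].append(cmd)
            continue
        current = None
        m = re.match(r"line (\S+(?: \d+){0,2})$", cmd)
        if m:
            current = m.group(1)          # e.g. "vty 0 4"
            line_blocks.setdefault(current, [])
        else:
            global_cmds.append(cmd)
    return global_cmds, line_blocks


def audit_vty(text):
    """Return {'users': {...}, 'global': [...], 'vty 0 4': {...}, ...}."""
    global_cmds, line_blocks = parse_config(text)
    aaa = "aaa new-model" in global_cmds
    methods = ["local"]   # IOS behaviour: aaa new-model with no method list means local auth
    users, report = {}, {"users": {}, "global": []}
    for cmd in global_cmds:
        m = re.match(r"aaa authentication login default (.+)", cmd)
        if m:
            methods = re.findall(r"group \S+|\S+", m.group(1))
        m = re.match(r"username (\S+)(?: privilege (\d+))? (password|secret) ", cmd)
        if m:
            users[m.group(1)] = (int(m.group(2) or 1), m.group(3))   # default privilege is 1
            if m.group(3) == "password":
                report["global"].append(
                    f"username {m.group(1)} uses 'password' (type 0/7, reversible); use 'secret'")
    report["users"] = users
    for name, cmds in line_blocks.items():
        if not name.startswith("vty"):
            continue
        issues = []
        has_line_pw = any(c.startswith("password ") for c in cmds)
        if aaa:                                     # line login keywords are ignored under AAA
            auth, chain = "aaa: " + " ".join(methods), methods
        elif "login local" in cmds:
            auth, chain = "login local", ["local"]
        elif "no login" in cmds:
            auth, chain = "no login", ["none"]
        else:                                       # IOS behaviour: vty lines default to `login`
            auth, chain = "login (line password)", ["line"]
        for method in chain:
            if method == "line" and not has_line_pw:
                issues.append("line password method but no vty password: logins refused")
            elif method == "line":
                issues.append("line password: SSH accepts any username, only the password is checked")
            elif method == "local" and not users:
                issues.append("local method but no username configured: remote lockout")
            elif method == "none":
                issues.append("no authentication on vty")
        if len(chain) == 1 and chain[0].startswith("group "):
            issues.append("single AAA server method with no fallback")
        transport = next((c[len("transport input "):] for c in cmds
                          if c.startswith("transport input ")), None)
        if transport is None:
            issues.append("transport input not set: platform default applies (docs and VTY behaviour disagree)")
        elif transport == "all" or "telnet" in transport.split():
            issues.append(f"transport input {transport}: cleartext telnet reachable")
        report[name] = {"auth": auth, "transport": transport, "issues": issues}
    return report


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_vty(cfg))
```

Run it on the output of `show running-config`; the weak sample reproduces Edison's setup (AAA method list `line enable`, vty password, SSH only) and is reported as accepting any username, while the hardened sample moves authentication to a privilege-15 `secret` user and comes back clean.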
