910 Views | 0 Helpful | 2 Replies

vty backdoor

yunsog
Level 1

ICND and BSCI mention that "Some experts recommend that you configure one of the vty terminal lines differently than the others. This way you have a back door into the router."

Could you explain how to make a back door to the router and how to connect with the back door?

2 Accepted Solutions

kkalaycioglu
Level 4

Suppose you're running TACACS or RADIUS for login and enable authentication, authorization and accounting to Cisco devices. You'll probably have lines like these:

aaa new-model
aaa authentication login login-telnet group tacacs+ local
aaa authentication enable default group tacacs+ enable

And:

line vty 0 4
 login authentication login-telnet

In some problem cases (suppose TACACS is running but your router isn't defined on it) you may not be able to telnet to the router. If you add this line:

aaa authentication login loginlocal local

And apply this method (loginlocal) to the vty 4 line:

line vty 0 3
 login authentication login-telnet
line vty 4
 login authentication loginlocal

This way, in the worst-case scenario, you open 5 telnet sessions to the router and the fifth session will use only local passwords (assuming you defined "username..... password...." commands).

Regards.


You can also add "rotary 1" under line vty 4 so that the system admin can access that vty directly. To do so the administrator (or anybody else for that matter) has to use the following command: telnet 3001.

For more information on the rotary command, see the following URL:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_command_reference_chapter09186a00801a7e8d.html#1108305

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

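The two accepted answers together describe a vty whose login method list differs from the others and which is reachable directly through a rotary group. From the operator's side, the useful check is to find such a line in a running config and confirm it is intentional and protected. The script below is an added example written for this thread; it is not code from the posters or from Cisco. It parses the plain text of `show running-config`, expands `line vty A B` ranges into individual terminals, records each one's `login authentication` list, `rotary` group and `transport input`, and reports every vty whose authentication path differs from the majority or that is exposed on a rotary port (TCP 3000 + group, which is why the second answer's `rotary 1` answers on port 3001). The sample configuration is constructed from the thread's own lines; the `username` secret is a placeholder.

```python
"""Audit a Cisco IOS running-config for vty lines that authenticate
differently from the rest, or that sit behind a rotary group.

Added example for this thread, not code from the posters or from Cisco.
The parser and the sample configuration are constructed for the example.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the AAA lists and vty split from the first answer,
# plus the rotary group from the second answer. The secret is a placeholder.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login login-telnet group tacacs+ local
aaa authentication login loginlocal local
aaa authentication enable default group tacacs+ enable
!
username admin privilege 15 secret 5 $1$PLACEHOLDER$
!
line vty 0 3
 login authentication login-telnet
 transport input ssh
line vty 4
 login authentication loginlocal
 rotary 1
 transport input telnet
"""

ROTARY_BASE_PORT = 3000  # rotary group N listens on TCP 3000 + N


@dataclass
class VtyLine:
    number: int
    method_list: str = "default"  # IOS uses the 'default' list when none is named
    rotary: Optional[int] = None
    transport: List[str] = field(default_factory=list)


def parse_method_lists(config: str) -> Dict[str, List[str]]:
    """Map each 'aaa authentication login <name> ...' list to its method sequence."""
    lists: Dict[str, List[str]] = {}
    for m in re.finditer(r"^aaa authentication login (\S+) (.+)$", config, re.M):
        lists[m.group(1)] = m.group(2).split()
    return lists


def parse_vty_lines(config: str) -> Dict[int, VtyLine]:
    """Expand every 'line vty A [B]' block into one VtyLine per terminal.

    A later block covering a subrange (e.g. 'line vty 4' after 'line vty 0 4')
    overrides settings on those terminals, as it does on the device.
    """
    vtys: Dict[int, VtyLine] = {}
    current: List[VtyLine] = []
    for raw in config.splitlines():
        m = re.match(r"^line vty (\d+)(?: (\d+))?$", raw)
        if m:
            lo = int(m.group(1))
            hi = int(m.group(2)) if m.group(2) else lo
            current = [vtys.setdefault(n, VtyLine(n)) for n in range(lo, hi + 1)]
            continue
        if not raw.startswith(" "):  # any other top-level command ends the block
            current = []
            continue
        line = raw.strip()
        for v in current:
            if line.startswith("login authentication "):
                v.method_list = line.split()[2]
            elif line.startswith("rotary "):
                v.rotary = int(line.split()[1])
            elif line.startswith("transport input "):
                v.transport = line.split()[2:]
    return vtys


def audit(config: str) -> List[dict]:
    """Return one finding per vty that departs from the majority login path
    or is reachable through a rotary group."""
    lists = parse_method_lists(config)
    vtys = parse_vty_lines(config)
    if not vtys:
        return []
    # The method list used by most vtys is treated as the site standard.
    counts: Dict[str, int] = {}
    for v in vtys.values():
        counts[v.method_list] = counts.get(v.method_list, 0) + 1
    standard = max(counts, key=lambda k: counts[k])
    findings = []
    for v in sorted(vtys.values(), key=lambda x: x.number):
        if v.method_list == standard and v.rotary is None:
            continue
        methods = lists.get(v.method_list, [])
        findings.append({
            "vty": v.number,
            "method_list": v.method_list,
            "methods": methods,
            "local_only": methods == ["local"],
            "rotary_port": ROTARY_BASE_PORT + v.rotary if v.rotary is not None else None,
            "transport": v.transport,
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f)
```

Run it against a saved `show running-config` in place of `SAMPLE_CONFIG`. On the thread's configuration it reports exactly one line, vty 4, using the `loginlocal` list (local passwords only), answering on TCP 3001 and accepting telnet. Such a finding is not automatically a misconfiguration, since the thread intends it as an operational fallback, but it is the line to verify: it should carry an `access-class` restricting source addresses, its local username should have a strong secret, and logins on it should be logged and reviewed, because a local-only vty on a predictable port is exactly what an attacker would try once TACACS is unavailable.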
