Cisco Support Community
Community Member

vty backdoor

ICND and BSCI mentions that "Some experts recommend that you configure one of the vty terminal lines differently than the others. This way have a back door into the router"

Could you explain how to make a back door to the router and how to connect with the back door?

Accepted Solutions

Re: vty backdoor

Suppose you're running TACACS or RADIUS for login and enable authentication, authorization and accounting to Cisco devices. You'll probably have lines like these:

aaa new-model
aaa authentication login login-telnet group tacacs+ local
aaa authentication enable default group tacacs+ enable

And:

line vty 0 4
 login authentication login-telnet

In some problem cases (suppose TACACS is running but your router isn't defined on it) you may not telnet to the router. If you add this line:

aaa authentication login loginlocal local

And apply this method (loginlocal) to the vty 4 line:

line vty 0 3
 login authentication login-telnet
line vty 4
 login authentication loginlocal

This way, in the worst-case scenario, you open 5 telnet sessions to the router and the fifth session will use only local passwords (assuming you defined "username.....password...." commands).

Regards.

Cisco Employee

Re: vty backdoor

You can also add "rotary 1" under line vty 4 so that the system admin can access that vty directly. To do so the administrator (or anybody else for that matter) has to use the following command: telnet 3001.

For more information on the rotary command, see the following URL:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_command_reference_chapter09186a00801a7e8d.html#1108305

Harold Ritter
Sr. Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
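As an added example that is not code from either reply or from Cisco, the following Python model puts the two answers together: it parses a config like the snippets above, resolves which login method list applies to each vty line, simulates how telnet sessions land on vty lines over port 23 versus the rotary port 3001, and flags the local-only line when it has no access-class. The sample config (including the local username) is constructed for the example. The TACACS+ behaviour modelled is the documented one: a server that cannot be reached is an ERROR, so IOS moves on to the next method in the list, while a reachable server's accept or reject is final. The assumption that a vty line in a rotary group also stays in the ordinary port-23 pool is marked in the code.

```python
"""Model of IOS vty login-method resolution, vty allocation and a rotary group.
Added example, not Cisco code; offline, with a constructed sample config."""
import re

# Constructed sample: the thread's snippets plus a local user and a rotary group.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login login-telnet group tacacs+ local
aaa authentication login loginlocal local
aaa authentication enable default group tacacs+ enable
username admin secret example-only
line vty 0 3
 login authentication login-telnet
line vty 4
 login authentication loginlocal
 rotary 1
"""

LINE_SUBCMD = re.compile(r"^\s*(login authentication|rotary|access-class)\s+(.+?)\s*$")


def parse_config(text):
    """Return (method_lists, vty): list name -> [methods]; vty number -> settings."""
    method_lists, vty, current = {}, {}, []
    for raw in text.splitlines():
        line = raw.rstrip()
        m = re.match(r"^aaa authentication login (\S+) (.+)$", line)
        if m:
            # 'group tacacs+' is one method; 'local', 'enable', 'none' are single words
            method_lists[m.group(1)] = re.findall(r"group \S+|\S+", m.group(2))
            current = []
            continue
        m = re.match(r"^line vty (\d+)(?: (\d+))?$", line)
        if m:
            first, last = int(m.group(1)), int(m.group(2) or m.group(1))
            current = list(range(first, last + 1))
            for n in current:
                vty.setdefault(n, {"auth": "default", "rotary": None, "access_class": None})
            continue
        m = LINE_SUBCMD.match(line)
        if m and current:
            key, val = m.group(1), m.group(2)
            for n in current:
                if key == "login authentication":
                    vty[n]["auth"] = val
                elif key == "rotary":
                    vty[n]["rotary"] = int(val)
                else:
                    vty[n]["access_class"] = val
            continue
        if not line.startswith(" "):
            current = []  # any other top-level command leaves line configuration mode
    return method_lists, vty


def methods_for(method_lists, vty, n):
    """Method list applied to vty n ('default' when no named list is applied)."""
    return method_lists.get(vty[n]["auth"], method_lists.get("default", ["(unresolved)"]))


def deciding_method(methods, tacacs_up):
    """First method IOS can reach. An unreachable 'group ...' is an ERROR, so the
    next method is tried; a reachable server's accept or reject is final."""
    for meth in methods:
        if meth.startswith("group ") and not tacacs_up:
            continue
        return meth
    return None  # every method errored: the login fails


def allocate(vty, dst_ports, tacacs_up, method_lists):
    """Map incoming telnet sessions (by destination port) to vty lines.
    Port 23 takes the lowest free vty; port 3000+N takes a free vty in rotary N.
    Assumption: a rotary line also remains in the ordinary port-23 pool."""
    free, result = sorted(vty), []
    for port in dst_ports:
        pool = free if port == 23 else [n for n in free if vty[n]["rotary"] == port - 3000]
        if not pool:
            result.append((port, None, None))  # no free line: connection refused
            continue
        n = pool[0]
        free.remove(n)
        result.append((port, n, deciding_method(methods_for(method_lists, vty, n), tacacs_up)))
    return result


def audit(method_lists, vty):
    """Flag vty lines that never consult the AAA server and have no access-class."""
    findings = []
    for n in sorted(vty):
        meths = methods_for(method_lists, vty, n)
        if not any(m.startswith("group ") for m in meths) and vty[n]["access_class"] is None:
            findings.append(f"line vty {n}: {' '.join(meths)} only, no access-class")
    return findings


if __name__ == "__main__":
    lists, vty = parse_config(SAMPLE_CONFIG)
    # TACACS reachable: vty 0-3 are decided by the server, the fifth session by local users
    print(allocate(vty, [23] * 5, True, lists))
    # TACACS unreachable: login-telnet already falls back to local on every line
    print(allocate(vty, [23] * 5, False, lists))
    # Rotary: port 3001 reaches vty 4 directly while vty 0-3 are still free
    print(allocate(vty, [3001], True, lists))
    for f in audit(lists, vty):
        print("WARNING", f)
```

Two things the run makes visible. With the server reachable, only the fifth port-23 session (or any session to port 3001) is decided by local usernames, which is exactly the "back door" the thread describes; with the server unreachable, the `group tacacs+ local` list already falls back to local on every line, so the separate line only matters when the server answers and rejects. The audit finding is the check to act on: the local-only line is reachable by anyone who can open enough sessions or who knows the rotary port, so it should carry an `access-class` that limits it to the management hosts.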