Strange ssh/telnet login problem

igor.hamzic
Level 1

Hi all. I have discovered a strange situation on my 6500 switch that I cannot quite explain except that it is some sort of a bug. The problem is that I have configured that only ssh connections should be allowed for the vty lines but I have quite accidentally discovered that I can still telnet into the switch for some reason. SSH works fine but the switch asks me for the username and password when I Telnet to it although Telnet connections to the switch shouldn't be allowed.

The configuration of vty lines is as follows:

line vty 0 4
 exec-timeout 15 0
 password 7 x
 login authentication local_login
 transport preferred ssh
 transport input ssh
 transport output all

The supervisor is using the s72033-ipservicesk9_wan-mz.122-33.SXH6 image. Could this be a bug in the IOS image?

Thanks in advance for the help.


Richard Burts
Hall of Fame

Is it possible that there are vty lines beyond 4? Can you post the output of show line?

HTH

Rick


Vty lines 5 to 15 are not configured. Here's the full output of the show command:

line vty 0 4
 exec-timeout 15 0
 password 7 x
 login authentication local_login
 transport preferred ssh
 transport input ssh
 transport output all
line vty 5 15
!

Thanks for the additional information. It shows that there are additional vty lines. You have not configured anything for vty 5 to 15 but it looks like they exist and therefore they would have default configuration - which would include by default support for telnet connections. I am pretty sure that if you want to test it you could telnet to the switch, then do a show user and you would find that the telnet session is on vty 5 to 15.

If you want to disable the additional vty lines then the best thing is to configure

line vty 5 15
 no exec

HTH

Rick
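
The check described in the answer above can be automated across saved configurations. This is an added example, not part of the original thread or any Cisco tool: a Python audit that flags vty ranges which may still accept Telnet. The function names and the sample text are constructed for illustration, and it assumes, as the answer describes for this image, that a range without an explicit `transport input` falls back to a default that permits Telnet.

```python
import re

# Constructed sample mirroring the configuration posted in this thread.
SAMPLE_CONFIG = """\
line vty 0 4
 exec-timeout 15 0
 password 7 x
 login authentication local_login
 transport preferred ssh
 transport input ssh
 transport output all
line vty 5 15
!
"""
VTY_RE = re.compile(r"^line vty (\d+)(?: (\d+))?$")

def parse_vty_sections(config_text):
    """Return [(first, last, [subcommands])] for each 'line vty' block."""
    sections, current = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = VTY_RE.match(line)
        if not line:
            continue  # forum pastes often have blank lines between commands
        if m:
            current = (int(m.group(1)), int(m.group(2) or m.group(1)), [])
            sections.append(current)
        elif line in ("!", "end") or line.startswith("line "):
            current = None  # the vty block has ended
        elif current is not None:
            current[2].append(line)
    return sections

def audit_vty(config_text):
    # Assumption: a range with no explicit 'transport input' uses a default
    # that accepts Telnet, as the thread describes for this image.
    findings = []
    for first, last, cmds in parse_vty_sections(config_text):
        if "no exec" in cmds or "transport input none" in cmds:
            continue  # no interactive login possible on this range
        inputs = [c.split()[2:] for c in cmds if c.startswith("transport input ")]
        if not inputs:
            findings.append((first, last, "no explicit transport input"))
        elif any(p in ("telnet", "all") for p in inputs[-1]):
            findings.append((first, last, "telnet explicitly permitted"))
    return findings

if __name__ == "__main__":
    for first, last, reason in audit_vty(SAMPLE_CONFIG):
        print(f"line vty {first} {last}: {reason}")
```

Run against the sample, it reports only `line vty 5 15`; once `no exec` is configured on that range, it reports nothing.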


I always assumed that if I didn't configure the lines they would remain inactive. It was wrong to assume that I see. Your solution worked and I really did see connection on line 5 when I showed users. I applied your solution and the problem was solved.

Thanks for your help

It is an issue where it is very easy to not understand it correctly - especially for many of us that are so used to having only vty 0 4 - which was the standard for so very long. It is easy to assume that if you did not configure anything for it and if nothing shows up in show run, that there is not anything on those vty lines. But there is the default configuration.

I am glad that my suggestions helped you to solve your problem. Thank you for using the rating system to mark this question as answered (and thanks for the points). It makes the forum more useful when people can read about a problem and can know that a solution was found. Your marking has contributed to this process.

HTH

Rick
