SSH login access denied
GDaines
Member Posts: 273
in CCNA & CCENT
Firstly thanks to the users that helped me resolve my last issue, but now I have a new one.
I'm practicing IOS commands using a physical 1841 router running "Cisco IOS Software, 1841 Software (C1841-SPSERVICESK9-M), Version 12.4(6)T7, RELEASE SOFTWARE (fc5)". I've followed the section in the Sybex/Todd Lammle book to set up ssh as follows:
Router (config)# hostname Cisco1841
Cisco1841 (config)# ip domain-name domain.co.uk
Cisco1841 (config)# username user password password
Cisco1841 (config)# crypto key generate rsa
Cisco1841 (config)# ip ssh version 2
Cisco1841 (config)# line vty 0 15
Cisco1841 (config-line)# transport input ssh telnet
^Z
Cisco1841#
At this point I realised I'd got no IP address set so did a little bit more configuration:
Cisco1841 (config)# interface fastethernet 0/0
Cisco1841 (config-if)# ip address 192.168.1.100 255.255.0.0
Cisco1841 (config-if)# no shutdown
^Z
Cisco1841# copy start run
So now the router is connected to my live switch via Ethernet cable as is my PC on which I've been using Putty to configure the router via the console. I can ping the router from a command prompt so I've tried to connect to it using Putty's default settings (Connect via SSH, IP 192.168.1.100 port 22). It prompts for a username and then a password, but whatever password I enter I just get "Access denied" and after 5 attempts the connection is closed.
Comments
clarson Member Posts: 903
Did you mean to do a copy run start instead of a copy start run?
Check your ports and see if they are still up: show ip interface br
GDaines Member Posts: 273
> Did you mean to do a copy run start instead of a copy start run?
> Check your ports and see if they are still up: show ip interface br
Yes, copy the running-config to the startup-config so that after I reboot all the changes I've made are retained. If I'd have overwritten the running-config with the startup-config (by using copy start run) then all my changes would have been lost and I'd have had to start again.
FastEthernet0/0 has the correct IP address, status is up and protocol is up.
FastEthernet0/1 is unassigned, status is administratively down and protocol is down.
Deathmage Banned Posts: 2,496
Right off the bat I see your problem.
You set up a username, but since you only did line vty 0 15 and transport input ssh telnet and then saved, you're only going to be able to log in with an enable password, which also isn't set.
If you want to log in with the username, under the line vty 0 15 you need to add this line, 'login local', for you to use the username 'user' and password 'password' as specified above. Also you will need to specify an enable password for you to get to privileged mode with the 'enable secret [insert password]' command for when you do establish the ssh/telnet session.
Try adding that to the configuration, saving it and then logging in via SSH or telnet.
I made an exact replica of your lab in Packet Tracer real quick and this is what I got, hope this helps.
Router:
Cisco1841# Cisco1841#show ru
Cisco1841#show running-config
Building configuration...
Current configuration : 730 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Cisco1841
!
!
!
enable secret 5 $1$mERr$GvDaTJK9lhdXRUPWKA74O0
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
username user password 0 password
!
!
!
!
!
!
!
!
ip ssh version 2
ip domain-name domain.co.uk
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.1.100 255.255.0.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip classless
!
ip flow-export version 9
!
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login local
line vty 5 15
login local
!
!
!
end
Cisco1841#
Cisco1841#
PC:
PC>
PC>telnet 192.168.1.100
Trying 192.168.1.100 ...Open
User Access Verification
Username:
% Username: timeout expired!
[Connection to 192.168.1.100 closed by foreign host]
PC>
PC>
PC>
PC>telnet 192.168.1.100
Trying 192.168.1.100 ...Open
User Access Verification
Username: user
Password:
Cisco1841>enable
Password:
Cisco1841#
Cisco1841#
Cisco1841#
Cisco1841#
Cisco1841#
Net_Genuis Member Posts: 8
Try this configuration:
Cisco1841 (config)# line vty 0 15
Cisco1841 (config-line)# transport input ssh telnet
Cisco1841 (config-line)#login local
To connect using ssh you need the following command:
Cisco1841#ssh -l user 192.168.1.100
GDaines Member Posts: 273
> Right off the bat I see your problem.
> You set up a username, but since you only did line vty 0 15 and transport input ssh telnet and then saved, you're only going to be able to log in with an enable password, which also isn't set.
> If you want to log in with the username, under the line vty 0 15 you need to add this line, 'login local', for you to use the username 'user' and password 'password' as specified above. Also you will need to specify an enable password for you to get to privileged mode with the 'enable secret [insert password]' command for when you do establish the ssh/telnet session.
> Try adding that to the configuration, saving it and then logging in via SSH or telnet.
Ooo that's freaky, looks just like my show run output. And of course you're spot on with your observation so thanks very much.
I already have an "enable secret" set requiring a password to enter privileged mode so I went back to global config mode and issued the "login local" command, logged out and tried to connect again and that has resolved my issue. Strange then that there's absolutely no mention of this in the chapter I'm working through in Lammle's book.
I did find a troubleshooting guide on Cisco (Configuring Secure Shell on Routers and Switches Running Cisco IOS - Cisco) which contained the following, but I didn't understand it (and still don't so more investigation required):
!--- The aaa new-model command causes the local username and password on the router
!--- to be used in the absence of other AAA statements.
aaa new-model
username cisco password 0 cisco
line vty 0 4
transport input telnet
!--- Instead of aaa new-model, you can use the login local command.
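Added example (not from the thread, Cisco's guide or the poster's router): a small Python check that applies the points made in the replies above to pasted running-config text: the vty lines must use 'login local' (or aaa new-model must be set globally) so the username database is consulted, an enable secret must exist, and transport should be restricted to ssh. The two config samples are constructed from the poster's setup, and the enable secret hash is a placeholder.

```python
import re

# Constructed samples (not the thread's router); the enable secret hash is a placeholder.
BEFORE_FIX = """\
username user password 0 password
line vty 0 15
 transport input ssh telnet
"""
AFTER_FIX = """\
enable secret 5 $1$PLACEHOLDER_HASH
username user password 0 password
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input ssh
"""
LINE_SUBCMDS = {"login", "password", "transport", "exec-timeout", "access-class"}

def parse_vty(config):
    """Split IOS config text into global commands and {vty range: [sub-commands]}.
    LINE_SUBCMDS lets an unindented paste of show run (as in this thread) still parse."""
    global_cmds, blocks, current = [], {}, None
    for raw in config.splitlines():
        cmd = raw.strip()
        if not cmd or cmd.startswith("!"):
            continue
        m = re.match(r"line vty (\d+) (\d+)$", cmd)
        if m:
            current = f"vty {m.group(1)}-{m.group(2)}"
            blocks[current] = []
        elif current and (raw.startswith(" ") or cmd.split()[0] in LINE_SUBCMDS):
            blocks[current].append(cmd)
        else:
            current = None
            global_cmds.append(cmd)
    return global_cmds, blocks

def audit_vty(config):
    """Findings for the misconfigurations discussed in the thread; [] means clean."""
    global_cmds, blocks = parse_vty(config)
    findings = []
    aaa = "aaa new-model" in global_cmds  # also defaults logins to the local user database
    if not any(c.startswith("enable secret") for c in global_cmds):
        findings.append("no 'enable secret': privileged mode unreachable from a vty session")
    for name, cmds in blocks.items():
        if not aaa and "login local" not in cmds:
            findings.append(f"{name}: local username database not used, add 'login local'")
        transport = [c for c in cmds if c.startswith("transport input")]
        if not transport or any("telnet" in c or c.endswith(" all") for c in transport):
            findings.append(f"{name}: transport not restricted to ssh")
    return findings
```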
GDaines Member Posts: 273
As you guys are clearly on the ball and either use Cisco kit in your jobs or have better study material than me (maybe it's covered in a later chapter?), perhaps you can help me clean up. It's not affecting anything negatively as far as I can tell, but because of some previous configuration I have 2 entries in my show run:
line vty 0 4
password telnet
login local
transport input telnet ssh
line vty 5 15
password telnet
login local
transport input telnet ssh
!
Without trying a reset to defaults, or a factory reset if that doesn't work (seems extreme, but it would at least give me more practice setting everything up again), can I remove one of these entries? Or does it even matter? I've just looked at Deathmage's Packet Tracer output again and like me it has entries for 0-4 and 5-15.
Net_Genuis Member Posts: 8
That is normal when you configure line vty 0 15. It doesn't matter; it's good practice because you've protected all your vty lines.
Deathmage Banned Posts: 2,496
> Ooo that's freaky, looks just like my show run output. And of course you're spot on with your observation so thanks very much.
> I already have an "enable secret" set requiring a password to enter privileged mode so I went back to global config mode and issued the "login local" command, logged out and tried to connect again and that has resolved my issue. Strange then that there's absolutely no mention of this in the chapter I'm working through in Lammle's book.
> I did find a troubleshooting guide on Cisco (Configuring Secure Shell on Routers and Switches Running Cisco IOS - Cisco) which contained the following, but I didn't understand it (and still don't so more investigation required):
> !--- The aaa new-model command causes the local username and password on the router
> !--- to be used in the absence of other AAA statements.
> aaa new-model
> username cisco password 0 cisco
> line vty 0 4
> transport input telnet
> !--- Instead of aaa new-model, you can use the login local command.
No worries after you work with the CLI for a while you pick up on things.
Takes time bro, just keep at it!
Get into good practice now and it will follow you later. Always good to enable all 16 vty lines as protected.
mikeybinec Member Posts: 484
login local
Cisco NetAcad Cuyamaca College
A.S. LAN Management 2010 Grossmont College
B.S. I.T. Management 2013 National University