SSH Question

dppagc Member Posts: 293
First and foremost, I am not studying CCNA Security...

1)
Is it possible to ssh into a switch WITHOUT inputting the username admin password cisco command??
Only enable secret cisco is entered.

2) Secondly, I don't understand the line: Specifies an ENCRYPTED secret will follow

If I want to configure 2 switches with the password "cisco", I can key in username admin password cisco directly for the 2 switches.

Why should I configure the ENCRYPTED password and make my life difficult??

Q3) I can enter privileged mode Switch# without a password when I console in. However, if I ssh in, I will need to enter the enable secret password. Can anyone tell me why?

What I have learnt today:
no login - no need password
login - use "line vty 0 4 password cisco" to log in
login local - use username admin password cisco to log on

Comments

  • Simrid Member Posts: 327
    1) To create an SSH login, you must have a few things: domain-name, username+password, login local, transport input ssh and a crypto key. The username and password can be set to whichever you'd like, for example username Simrid password dppagc; however, it is recommended that you create a secret password, which will be an MD5 hash in the running-config: username Simrid secret dppagc. If you would like to change these levels of access, I believe you can use the privilege exec level x command in global config.

    2) I believe this point is if you would like to copy and paste configuration from another device, it enables you to just copy all of the running config and donk it in. I think?

    3) You can set the privilege of a user (for security reasons) when you create the user account itself. You should use the privilege level of 1 for user exec mode or 15 to enable them to go into privileged exec mode. Here's what the command will look like: username Simrid privilege 15 secret dppagc.
    Network Engineer | London, UK | Currently working on: CCIE Routing & Switching

    sriddle.co.uk
    uk.linkedin.com/in/simonriddle
  • Hondabuff Member Posts: 667
    dppagc wrote: »
    First and foremost, I am not studying CCNA Security...

    1)
    Is it possible to ssh into a switch WITHOUT inputting the username admin password cisco command??
    Only enable secret cisco is entered.

    2) Secondly, I don't understand the line: Specifies an ENCRYPTED secret will follow

    If I want to configure 2 switches with the password "cisco", I can key in username admin password cisco directly for the 2 switches.

    Why should I configure the ENCRYPTED password and make my life difficult??

    Q3) I can enter privileged mode Switch# without a password when I console in. However, if I ssh in, I will need to enter the enable secret password. Can anyone tell me why?

    What I have learnt today:
    no login - no need password
    login - use "line vty 0 4 password cisco" to log in
    login local - use username admin password cisco to log on
    1) Create local username and password.
    2) Create enable Secret.
    3) turn on aaa
    4) CORP-R1(config)#aaa authentication login default enable
    “The problem with quotes on the Internet is that you can’t always be sure of their authenticity.” ~Abraham Lincoln
  • theodoxa Member Posts: 1,340
    enable secret cisco
    ip domain-name contoso.com
    hostname R1
    crypto key generate rsa modulus 1024
    aaa new-model
    aaa authentication login LOGIN-SSH enable
    line vty 0 4
      login authentication LOGIN-SSH
      transport input ssh
    *EDIT: I just noticed you were trying to configure it for the VTY lines rather than the Console.

    As for Q2, if you save the configuration and the password is configured to be encrypted, then you can copy and paste the command from your saved configuration. The saved configuration will contain (if service password-encryption is enabled) an encrypted copy of the password, so the console gives you the option of specifying the password in either clear text or encrypted.
    R&S: CCENT CCNA CCNP CCIE [ ]
    Security: CCNA [ ]
    Virtualization: VCA-DCV [ ]
  • alan2308 CISSP, MCSA 2008, MCSA 2012, CCNA R&S, CCNA Security, Ann Arbor, MI, Member Posts: 1,854
    Simrid wrote: »
    2) I believe this point is if you would like to copy and paste configuration from another device, it enables you to just copy all of the running config and donk it in. I think?

    I can't think of any other reason why you would want to enter an encrypted password. It definitely left me wondering for a long time the first time I saw it.
  • TechGuru80 Member Posts: 1,539
    1. Enable secret is only for enable mode...not to login remotely. I.e. when you get in the CLI and type en.

    2. Use 'username x secret y' ... using 'password' is not a good practice. The encryption for the passwords is fairly easy to crack...it is more meant to block shoulder surfing.

    3. If you are on a console connection, you have physical access and it is assumed you have access controls to prevent access from intruders. Remote access needs to be protected...best practice.

    Again do not use the password command...always use secret.
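    An added example, not posted by anyone in this thread: a small Python audit that applies TechGuru80's advice to a saved IOS running-config, flagging username/enable entries stored with the reversible password form (type 0 or type 7) instead of secret, plus VTY lines that still rely on a shared line password or permit telnet. The config it scans is constructed here, and the stored hash and type 7 values are placeholders, not real encodings.

```python
import re

# Constructed sample running-config (not from the thread). It mixes the weak
# settings discussed above with their hardened counterparts; stored values are placeholders.
SAMPLE_CONFIG = """\
hostname SW1
enable secret 5 $1$PLACEHOLDER$notarealhash
username admin password 0 cisco
username ops password 7 0123456789ABCDEF
username neteng secret 5 $1$PLACEHOLDER$notarealhash
line con 0
 login local
line vty 0 4
 password cisco
 login
 transport input telnet ssh
line vty 5 15
 login local
 transport input ssh
"""

# 'username NAME [privilege N] password [TYPE] VALUE' -> reversible storage
USERNAME_PW = re.compile(r"username (\S+) (?:privilege \d+ )?password (?:(\d+) )?\S+")

def audit_ios_config(text):
    """Return (line_no, finding) tuples for reversible passwords and weak VTY settings."""
    findings = []
    block = None  # the 'line ...' stanza we are inside, if any
    for no, raw in enumerate(text.splitlines(), 1):
        cmd = raw.strip()
        if not raw.startswith(" "):  # a top-level command ends any indented stanza
            block = cmd if cmd.startswith("line ") else None
        m = USERNAME_PW.match(cmd)
        if m:
            user, ptype = m.group(1), m.group(2) or "0"
            how = "clear text (type 0)" if ptype == "0" else f"reversible type {ptype}"
            findings.append((no, f"username {user}: {how}; use 'username {user} secret ...'"))
        if cmd.startswith("enable password"):
            findings.append((no, "enable password: reversible; use 'enable secret'"))
        if block and block.startswith("line vty"):
            if cmd.startswith("password "):
                findings.append((no, f"{block}: shared line password; prefer 'login local' or AAA"))
            if cmd.startswith("transport input") and "telnet" in cmd.split():
                findings.append((no, f"{block}: telnet permitted; use 'transport input ssh'"))
    return findings

if __name__ == "__main__":
    for no, msg in audit_ios_config(SAMPLE_CONFIG):
        print(f"line {no}: {msg}")
```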
  • theodoxa Member Posts: 1,340
    TechGuru80 wrote: »
    1. Enable secret is only for enable mode...not to login remotely. I.e. when you get in the CLI and type en.

    You can specify the enable password/secret as an authentication method using AAA method lists.
    R&S: CCENT CCNA CCNP CCIE [ ]
    Security: CCNA [ ]
    Virtualization: VCA-DCV [ ]