SSH Question
dppagc
Member Posts: 293
First and foremost I am not studying ccna security...
1) Is it possible to ssh into a switch WITHOUT inputting the username admin password cisco command??
Only enable secret cisco is entered.
2) Secondly I don't understand the line: Specifies an ENCRYPTED secret will follow
If I want to configure 2 switches with the password "cisco", I can key in username admin password cisco directly for the 2 switches.
Why should I configure the ENCRYPTED password and make my life difficult??
Q3) I can enter privileged mode Switch# without a password when I console in. However, if I ssh in, I will need to enter the enable secret password. Can anyone tell me why?
What I have learnt today:
no login - no need password
login - use "line vty 0 4 password cisco" to log in
login local - use username admin password cisco to log on
Comments
Simrid Member Posts: 327
1) To create an SSH login, you must have a few things: domain-name, username+password, login local, transport input ssh and a crypto key. The username and password can be set to whichever you'd like, for example username Simrid password dppagc, however it is recommended you create a secret password which will be in MD5 hash in the running-config: username Simrid secret dppagc. If you would like to change these levels of access, I believe you can use the privilege exec level x command in global config.
2) I believe the point is if you would like to copy and paste configuration from another device, it enables you to just copy all of the running config and donk it in. I think?
3) You can set the privilege of a user (for security reasons) when you create the user account itself. You should use the privilege level of 1 for user exec mode or 15 to enable them to go into privileged exec mode, here's what the command will look like: username Simrid privilege 15 secret dppagc.
Network Engineer | London, UK | Currently working on: CCIE Routing & Switching
sriddle.co.uk
uk.linkedin.com/in/simonriddle
Hondabuff Member Posts: 667 ■■■□□□□□□□
dppagc wrote: »First and foremost I am not studying ccna security...
1) Is it possible to ssh into a switch WITHOUT inputting the username admin password cisco command??
Only enable secret cisco is entered.
2) Secondly I don't understand the line: Specifies an ENCRYPTED secret will follow
If I want to configure 2 switches with the password "cisco", I can key in username admin password cisco directly for the 2 switches.
Why should I configure the ENCRYPTED password and make my life difficult??
Q3) I can enter privileged mode Switch# without a password when I console in. However, if I ssh in, I will need to enter the enable secret password. Can anyone tell me why?
What I have learnt today:
no login - no need password
login - use "line vty 0 4 password cisco" to log in
login local - use username admin password cisco to log on

1) Create local username and password.
2) Create enable Secret.
3) Turn on aaa
4) CORP-R1(config)#aaa authentication login default enable
“The problem with quotes on the Internet is that you can’t always be sure of their authenticity.” ~Abraham Lincoln
theodoxa Member Posts: 1,340 ■■■■□□□□□□
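enable secret cisco
! hostname and domain name must be set before the RSA key can be generated
ip domain-name contoso.com
hostname R1
crypto key generate rsa modulus 1024
! AAA method list that authenticates logins with the enable secret
aaa new-model
aaa authentication login LOGIN-SSH enable
! apply the method list to the vty lines and allow SSH only
line vty 0 4
 login authentication LOGIN-SSH
 transport input ssh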
*EDIT: I just noticed you were trying to configure it for the VTY lines rather than the Console.
As for Q2, if you save the configuration and the password is configured to be encrypted, then you can copy and paste the command from your saved configuration. The saved configuration will contain (if service password-encryption is enabled) an encrypted copy of the password, so the console gives you the option of specifying the password in either clear text or encrypted.
R&S: CCENT → CCNA → CCNP → CCIE [ ]
Security: CCNA [ ]
Virtualization: VCA-DCV [ ]
alan2308 Member Posts: 1,854 ■■■■■■■■□□
Simrid wrote: »2) I believe the point is if you would like to copy and paste configuration from another device, it enables you to just copy all of the running config and donk it in. I think?
I can't think of any other reason why you would want to enter an encrypted password. It definitely left me wondering for a long time the first time I saw it.
TechGuru80 Member Posts: 1,539 ■■■■■■□□□□
1. Enable secret is only for enable mode...not to login remotely. I.e. when you get in the CLI and type en.
2. Use 'username x secret y' ... using 'password' is not a good practice. The encryption for the passwords is fairly easy to crack...it is more meant to block shoulder surfing.
3. If you are on a console connection, you have physical access and it is assumed you have access controls to prevent access from intruders. Remote access needs to be protected...best practice.
Again do not use the password command...always use secret.
theodoxa Member Posts: 1,340 ■■■■□□□□□□
TechGuru80 wrote: »1. Enable secret is only for enable mode...not to login remotely. I.e. when you get in the CLI and type en.
You can specify the enable password/secret as an authentication method using AAA method lists.
R&S: CCENT → CCNA → CCNP → CCIE [ ]
Security: CCNA [ ]
Virtualization: VCA-DCV [ ]
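
An added example, not part of any post in this thread: a small Python check that reads a running-config and flags the settings the replies warn about, namely `password` used instead of `secret`, and vty lines that skip login or allow more than SSH. The sample config, the `audit` function name and the placeholder hash strings are constructed for illustration.

```python
import re

# Constructed sample in running-config style; user names and hash strings are placeholders.
SAMPLE_CONFIG = """\
hostname SW1
enable password 7 PLACEHOLDER
username admin password 0 cisco
username ops privilege 15 secret 5 $1$PLACEHOLDER
line con 0
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 no login
 transport input ssh
"""

# enable/username line, optional privilege, keyword, optional type digit, then the value
CRED = re.compile(r"^(enable|username (\S+)) (?:privilege \d+ )?(password|secret) (?:(\d+) )?\S")
# Type 0 is clear text; type 7 is the reversible encoding from service password-encryption.
TYPE_NOTE = {None: "type not shown", "0": "clear text", "7": "reversible type 7"}

def audit(config):
    """Return findings for the login settings discussed in the thread."""
    findings, blocks, vty = [], [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):              # a top-level command ends any vty block
            vty = None
            m = CRED.match(line)
            if m and m.group(3) == "password":
                note = TYPE_NOTE.get(m.group(4), f"type {m.group(4)}")
                findings.append(f"{m.group(1)}: 'password' ({note}); use 'secret'")
            elif line.startswith("line vty"):
                vty = {"name": line, "login": None, "transport": None}
                blocks.append(vty)
        elif vty is not None:                    # indented sub-command of a vty block
            if line in ("login", "no login") or line.startswith("login "):
                vty["login"] = line
            elif line.startswith("transport input "):
                vty["transport"] = line.split()[2:]
    for b in blocks:
        if b["login"] == "no login":
            findings.append(f"{b['name']}: 'no login' disables the login prompt")
        elif b["login"] == "login":
            findings.append(f"{b['name']}: 'login' uses the shared line password, not user accounts")
        if b["transport"] != ["ssh"]:
            findings.append(f"{b['name']}: transport input is not explicitly limited to ssh")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

A config that uses `enable secret`, `username ... secret`, and vty lines with `login local` or `login authentication <list>` plus `transport input ssh` produces no findings.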