Doubt Regarding Telnet Pwd on cisco router

vinay325mv Posts: 2 Member
Dear all

I have a doubt.

If I set different passwords for different Telnet lines on a Cisco 2500 router, how will this work out?

How will a user know which password to use?

Help me out in getting this concept.

Thanks

Vinay

Comments

  • dublin_101 Posts: 36 Member
    It's funny, ha!

    I was talking about this last week with a teacher!

    How do you know which line you are in? I'd say the answer is: you don't know!

    As for the reason for being able to set different passwords on different lines, I'd say it is to limit the amount of telnet sessions. So instead of doing the usual line vty 0 4, maybe they would do line vty 0 1 and apply passwords only to those!

    So our assumption was security only... you are allowed three tries at the password!

    Let me know if you come to the same assumption, and if you want, I can try it in my lab! Although, like I said, our assumption was only to limit the amount of telnet sessions!
  • vinay325mv Posts: 2 Member
    Thanks, friend, for your reply.

    I think you are right.

    Thanks again

    Vinay
  • mikej412 Posts: 10,090 Member
    dublin_101 wrote:
    how do you know which line you are in?...i'd say the answer is: you don't know!

    the reason for being able to set different passwords to different lines!!...i'd say the reason is to limit the amount of telnet sessions..........so instead of doing the usual line vty 0 4, maybe they would do line vty 0 1 and apply passwords only to those!!!...
    Right... you don't know which lines are in use until you login.....

    As for password attempts, without AAA, you get 3 tries... then 3 more... then 3 more... then 3 more... then 3 more... etc.

    Different passwords on different groups of VTYs also works as a "failsafe" login for admins or others who should always be able to gain access.

    In a lab environment, the 5 default telnet sessions could be in use.... so the lab admin wouldn't be able to login unless there was a 6th vty setup with a different password. The lab admin would know to try the "other password" when they can't login. You could just enable additional VTYs... but there is always some idiot who keeps opening new sessions without closing old sessions..... and if the exec timeout is set to never expire, they use all the sessions.

    You could "layer" the passwords.... cisco on vty 0-4, bubba on vty 5-8 and bobo on vty 9-12 .... then your 1st level helpdesk could login using the "cisco" password... and only 5 sessions would be available for their use. Your 2nd level helpdesk could also login using the cisco password, and when the first 5 sessions are in use and their login is refused, then they can try the "next password" of bubba which gives them access to sessions 6-9..... The 3rd level helpdesk would login with cisco, and if that didn't work, then they'd try bubba...., and finally, if 9 sessions were already in use, then they would try bobo.... If all 13 defined vty lines were in use -- then 3rd level support would yell or IM their co-workers to see if someone could clear off of a line..... or dispatch someone with a laptop and console cable to see who is using all the VTY sessions.
    Cisco Certifications -- Collect the Entire Set!
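
The layered VTY passwords described in the reply above, written out as an IOS line configuration. This is an added example, not part of the original thread: the passwords and VTY ranges are the ones named in the post, while the `exec-timeout` value is an assumption added so that idle sessions release their line.

```cisco
! Added example: layered VTY passwords as described in the thread.
! "login" with no AAA makes each line check its own "password".

! Tier 1: vty 0-4, password known to all helpdesk levels
line vty 0 4
 password cisco
 login
 ! Assumed value: drop idle sessions after 10 minutes so abandoned
 ! sessions do not hold every line (the thread's "never expire" problem)
 exec-timeout 10 0

! Tier 2: vty 5-8, password known to 2nd- and 3rd-level helpdesk
line vty 5 8
 password bubba
 login
 exec-timeout 10 0

! Tier 3: vty 9-12, failsafe lines, password known to 3rd level only
line vty 9 12
 password bobo
 login
 exec-timeout 10 0
end

! From an existing session or the console:
!   show users       lists which lines are in use and from where
!   clear line <n>   frees a line held by a stale session
```

IOS hands an incoming session the lowest-numbered free VTY, so a caller is prompted for `cisco` until lines 0-4 are all busy, then for `bubba`, then for `bobo`. That is why the user never chooses a line and only learns which tier answered by which password is accepted.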