Options

Allow SSH But Only Set Password No Username

foreverlearningforeverlearning Member Posts: 42 ■■■□□□□□□□
I use the command 

enable password cisco

line vty 0 4
transport input ssh

Do I need a username and password to get into my switch then? 

Comments

  • Options
    JDMurrayJDMurray Admin Posts: 13,049 Admin
    edited May 2023
    GPT-4 Plus sez:

    The configuration you've provided would require a password to access the switch, but it does not specify a requirement for a username.

    The `enable password cisco` command sets the privileged mode (enable) password to "cisco". This password is required to access privileged EXEC mode, where you can make configuration changes.

    The `line vty 0 4` command selects virtual terminal lines for remote console access (such as SSH or Telnet). `transport input ssh` restricts these lines to only accept SSH connections.

    However, you haven't set a password for the VTY lines or specified that a login is required. Therefore, as is, anyone could SSH into the device without needing any username or password.

    To require a password for SSH access, you could add these lines to your configuration:

    line vty 0 4
    password cisco
    login
    transport input ssh

    This would require the password "cisco" for SSH connections. However, this is still not the best practice from a security perspective as it doesn't require a unique username for each user.

    For enhanced security, you can set up local user accounts with unique usernames and passwords, and require SSH connections to authenticate with these accounts. Here's an example:

    username admin password cisco
    !
    line vty 0 4
    login local
    transport input ssh

    In this example, a user would need to authenticate with the username "admin" and the password "cisco" to establish an SSH connection. You could add more user accounts as needed. Note that it's important to choose strong, unique passwords for all user accounts and the enable password.

  • Options
    foreverlearningforeverlearning Member Posts: 42 ■■■□□□□□□□
    What happens if I do this?

    username admin password cisco
    !
    line vty 0 4
    login 
    transport input telnet

    I specify username and password but telnet only requires password.

    What happens if I do this?

    line vty 0 4
    login
    transport input ssh

    There is no password but ssh is allowed. I believe that ssh requires both username and password. Am I right to say this?



  • Options
    JDMurrayJDMurray Admin Posts: 13,049 Admin
    What happens if I do this?

    username admin password cisco
    !
    line vty 0 4
    login 
    transport input telnet

    I specify username and password but telnet only requires password.
    GPT-4 sez:

    In your configuration, you've set up a local username and password (`username admin password cisco`), but in your VTY lines configuration, you've only specified `login` and not `login local`.
    The `login` command without `local` only requires a line password for access and doesn't reference the local username database. Since you've not set a password for the VTY lines (using the `password <password>` command), users won't be able to access the device via Telnet, as it will ask for a password that is not set.

    The `login local` command, on the other hand, would require a valid username/password pair from the local username database.
    If you want to use the local username and password, you would need to use `login local`. If you want to use Telnet with just a password and not a username, you can set a password on the VTY lines like so:

    line vty 0 4
    password cisco
    login
    transport input telnet

    But please remember, Telnet is not secure as it sends all data, including passwords, in clear text. It's recommended to use SSH instead.

    What happens if I do this?

    line vty 0 4
    login
    transport input ssh

    There is no password but ssh is allowed. I believe that ssh requires both username and password. Am I right to say this?
    GPT-4 sez:

    Yes, you're correct.

    SSH does indeed require a username and password. However, in your configuration, you've enabled SSH but have not provided a password for the VTY lines, nor have you provided a local user database using the `username <username> password <password>` command.
    The `login` command on its own will attempt to use line passwords, but since you didn't specify a password with the `password` command under `line vty 0 4`, SSH connections will fail because there's no password set.
    If you want to use SSH, you should create a local user database and specify `login local` under the VTY lines. You should also create a domain name and generate cryptographic keys, which are required for SSH. Here's an example:

    ip domain-name yourdomain.com
    crypto key generate rsa
    !
    username admin password cisco
    !
    line vty 0 4
    login local
    transport input ssh


    In this example, replace `yourdomain.com` with your domain name, `admin` with your desired username, and `cisco` with your desired password. Note that it's important to choose a strong, unique password.
    When you generate RSA keys with `crypto key generate rsa`, you'll be prompted to enter a modulus length. A longer length is more secure, but it requires more processing power. A common choice is 2048 bits.
    With this configuration, users will be able to SSH into the device using the username "admin" and the password "cisco".

  • Options
    foreverlearningforeverlearning Member Posts: 42 ■■■□□□□□□□
    JDMurray said:
    What happens if I do this?

    username admin password cisco
    !
    line vty 0 4
    login 
    transport input telnet

    I specify username and password but telnet only requires password.
    GPT-4 sez:

    In your configuration, you've set up a local username and password (`username admin password cisco`), but in your VTY lines configuration, you've only specified `login` and not `login local`.
    The `login` command without `local` only requires a line password for access and doesn't reference the local username database. Since you've not set a password for the VTY lines (using the `password <password>` command), users won't be able to access the device via Telnet, as it will ask for a password that is not set.

    The `login local` command, on the other hand, would require a valid username/password pair from the local username database.
    If you want to use the local username and password, you would need to use `login local`. If you want to use Telnet with just a password and not a username, you can set a password on the VTY lines like so:

    line vty 0 4
    password cisco
    login
    transport input telnet

    But please remember, Telnet is not secure as it sends all data, including passwords, in clear text. It's recommended to use SSH instead.

    What happens if I do this?

    line vty 0 4
    login
    transport input ssh

    There is no password but ssh is allowed. I believe that ssh requires both username and password. Am I right to say this?
    GPT-4 sez:

    Yes, you're correct.

    SSH does indeed require a username and password. However, in your configuration, you've enabled SSH but have not provided a password for the VTY lines, nor have you provided a local user database using the `username <username> password <password>` command.
    The `login` command on its own will attempt to use line passwords, but since you didn't specify a password with the `password` command under `line vty 0 4`, SSH connections will fail because there's no password set.
    If you want to use SSH, you should create a local user database and specify `login local` under the VTY lines. You should also create a domain name and generate cryptographic keys, which are required for SSH. Here's an example:

    ip domain-name yourdomain.com
    crypto key generate rsa
    !
    username admin password cisco
    !
    line vty 0 4
    login local
    transport input ssh


    In this example, replace `yourdomain.com` with your domain name, `admin` with your desired username, and `cisco` with your desired password. Note that it's important to choose a strong, unique password.
    When you generate RSA keys with `crypto key generate rsa`, you'll be prompted to enter a modulus length. A longer length is more secure, but it requires more processing power. A common choice is 2048 bits.
    With this configuration, users will be able to SSH into the device using the username "admin" and the password "cisco".

    Hi,
    Thank you for your replies.
    So are you saying that the command below will work? As in ssh using password only?

    line vty 0 4
    login
    Password cisco
    transport input ssh

    Also another question, if I configure
    Enable password cisco
    Username user password 15 cisco1

    Line vty 0 4
    Login 
    Transport input telnet
    Line vty 5 14
    Login local 
    Transport input ssh
    Line vty 15
    Login
    Transport input ssh

    Can the user "choose" to login via telnet or ssh? If he choose to login via ssh, can he choose to use password cisco only?
  • Options
    foreverlearningforeverlearning Member Posts: 42 ■■■□□□□□□□
    JDMurray said:
    What happens if I do this?

    username admin password cisco
    !
    line vty 0 4
    login 
    transport input telnet

    I specify username and password but telnet only requires password.
    GPT-4 sez:

    In your configuration, you've set up a local username and password (`username admin password cisco`), but in your VTY lines configuration, you've only specified `login` and not `login local`.
    The `login` command without `local` only requires a line password for access and doesn't reference the local username database. Since you've not set a password for the VTY lines (using the `password <password>` command), users won't be able to access the device via Telnet, as it will ask for a password that is not set.

    The `login local` command, on the other hand, would require a valid username/password pair from the local username database.
    If you want to use the local username and password, you would need to use `login local`. If you want to use Telnet with just a password and not a username, you can set a password on the VTY lines like so:

    line vty 0 4
    password cisco
    login
    transport input telnet

    But please remember, Telnet is not secure as it sends all data, including passwords, in clear text. It's recommended to use SSH instead.

    What happens if I do this?

    line vty 0 4
    login
    transport input ssh

    There is no password but ssh is allowed. I believe that ssh requires both username and password. Am I right to say this?
    GPT-4 sez:

    Yes, you're correct.

    SSH does indeed require a username and password. However, in your configuration, you've enabled SSH but have not provided a password for the VTY lines, nor have you provided a local user database using the `username <username> password <password>` command.
    The `login` command on its own will attempt to use line passwords, but since you didn't specify a password with the `password` command under `line vty 0 4`, SSH connections will fail because there's no password set.
    If you want to use SSH, you should create a local user database and specify `login local` under the VTY lines. You should also create a domain name and generate cryptographic keys, which are required for SSH. Here's an example:

    ip domain-name yourdomain.com
    crypto key generate rsa
    !
    username admin password cisco
    !
    line vty 0 4
    login local
    transport input ssh


    In this example, replace `yourdomain.com` with your domain name, `admin` with your desired username, and `cisco` with your desired password. Note that it's important to choose a strong, unique password.
    When you generate RSA keys with `crypto key generate rsa`, you'll be prompted to enter a modulus length. A longer length is more secure, but it requires more processing power. A common choice is 2048 bits.
    With this configuration, users will be able to SSH into the device using the username "admin" and the password "cisco".

    Hi,
    Thank you for your replies.
    So are you saying that the command below will work? As in ssh using password only?

    line vty 0 4
    login
    Password cisco
    transport input ssh

    Also another question, if I configure
    Enable password cisco
    Username user password 15 cisco1

    Line vty 0 4
    Login 
    Transport input telnet
    Line vty 5 14
    Login local 
    Transport input ssh
    Line vty 15
    Login
    Transport input ssh

    Can the user "choose" to login via telnet or ssh? If he choose to login via ssh, can he choose to use password cisco only?
Sign In or Register to comment.