remote connection using SSH
aueddonline
Member Posts: 611 ■■□□□□□□□□
in CCNP
OK, so I want to set up an SSH connection to a Cisco router via a laptop. I've configured the router with:
config t
username (name) password md5 (password)
ip domain name monkey
line vty 0 2
exec-timeout 100 0
password 7 03095E190A0035141A
login
transport input telnet
line vty 3 4
exec-timeout 100 0
password 7 03095E190A0035141A
login
transport input ssh
When I try to connect from the laptop using PuTTY, it takes me to 'login as' and then 'password', and I use the username and password I have configured, but it's saying 'Access denied:'
What's another word for Thesaurus?
Comments
-
dtlokee Member Posts: 2,378 ■■■■□□□□□□
Try "username bob secret cisco". The way you've entered it, it would think the password is "md5 password". Also, to enable SSH you need to create your RSA key pairs.
The only easy day was yesterday!
-
EdTheLad Member Posts: 2,111 ■■■■□□□□□□
You have SSH configured on vty lines 3 and 4. Are you sure that when you SSH you are using lines 3 and 4, rather than lines 0, 1 and 2?
Networking, sometimes i love it, mostly i hate it. Its all about the $$$$
-
aueddonline Member Posts: 611 ■■□□□□□□□□
dtlokee wrote: Try "username bob secret cisco". The way you've entered it, it would think the password is "md5 password". Also, to enable SSH you need to create your RSA key pairs.
Yeah, I did actually do this using the 'crypto key generate rsa' command.
Should have mentioned that.
What's another word for Thesaurus?
-
aueddonline Member Posts: 611 ■■□□□□□□□□
Just tried
username bob secret cisco
Same thing happened when logging in.
What's another word for Thesaurus?
-
Ahriakin Member Posts: 1,799 ■■■■■■■■□□
As suggested earlier try adding "login authentication local" to your Line VTY details. Also depending on the router/image you may have to configure an access-list/apply it as a class to the line before it allows access. I configured my first ISR yesterday, a 2821 running 12.4(13r)T Security Image and neither the SDM or SSH would work until I explicitly defined allowed hosts via an ACL and applied it as a class to the HTTP and Line services. Before this I've only worked on older standard image (~12.2) 3640's and 2620's and they did not need this. Here's an example from that config:
username xxxxxxxxx privilege 15 secret 5 xxxxxxxxxxxxxxx
aaa new-model
line vty 0 4
access-class lineaccess in
privilege level 15
password 7 xxxxxxxxxxxxxxxxxx
login authentication local
transport input ssh
line vty 5 15
access-class lineaccess in
privilege level 15
password 7 xxxxxxxxxxxxxxxxxx
login authentication local
transport input ssh
The ACL "lineaccess" is just a simple standard permit access list.
We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
-
aueddonline Member Posts: 611 ■■□□□□□□□□
Thanks for posting, Ahriakin. I configured 'login local', it was on my IOS, and it's working now using the username secret creds suggested earlier. Thanks a lot, guys.
line con 0
password 7 11041C171B1D1F5450
login
line aux 0
line vty 0 2
exec-timeout 100 0
password 7 03095E190A0035141A
login
transport input telnet
line vty 3 4
exec-timeout 100 0
password 7 03095E190A0035141A
login local
transport input ssh
What's another word for Thesaurus?
-
joshgibson82 Member Posts: 80 ■■□□□□□□□□
Ahriakin wrote: As suggested earlier try adding "login authentication local" to your Line VTY details. Also depending on the router/image you may have to configure an access-list/apply it as a class to the line before it allows access. I configured my first ISR yesterday, a 2821 running 12.4(13r)T Security Image and neither the SDM or SSH would work until I explicitly defined allowed hosts via an ACL and applied it as a class to the HTTP and Line services. Before this I've only worked on older standard image (~12.2) 3640's and 2620's and they did not need this. Here's an example from that config:
username xxxxxxxxx privilege 15 secret 5 xxxxxxxxxxxxxxx
aaa new-model
line vty 0 4
access-class lineaccess in
privilege level 15
password 7 xxxxxxxxxxxxxxxxxx
login authentication local
transport input ssh
line vty 5 15
access-class lineaccess in
privilege level 15
password 7 xxxxxxxxxxxxxxxxxx
login authentication local
transport input ssh
The ACL "lineaccess" is just a simple standard permit access list.
You should not have to create an access list in 12.4 on a 2821 router. I've configured dozens of these for SSH access and HTTPS, and did not have to do that.
Josh, CCNP CWNA
-
kryolla Member Posts: 785
Glad it is working now. The local command is to use the local database you created by username password command.
Studying for CCIE and drinking Home Brew
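
An added example, not part of any post in the thread: a small Python check for the two misconfigurations the thread works through, a `username ... password` value that swallows extra words and an SSH vty line left on plain `login`. It goes beyond the thread by also flagging Telnet transport and type 7 line passwords; the sample config, user name, password and finding names are constructed for illustration.

```python
import re

# Constructed sample modelled on the first post (user name and password made up).
SAMPLE = """\
username admin password md5 examplepw
line vty 0 2
 password 7 xxxxxxxxxxxxxxxxxx
 login
 transport input telnet
line vty 3 4
 password 7 xxxxxxxxxxxxxxxxxx
 login
 transport input ssh
"""

def parse(config):
    """Return (global commands, {line header: [sub-commands]})."""
    globals_, sections, current = [], {}, None
    for raw in config.splitlines():
        cmd = raw.strip()
        if cmd in ("", "!", "end"):
            current = None                      # section separator
        elif cmd.startswith("line "):
            current = sections.setdefault(cmd, [])
        elif current is not None:
            current.append(cmd)                 # works for unindented pastes too
        else:
            globals_.append(cmd)
    return globals_, sections

def audit(config):
    """Return sorted (finding, location) pairs for the issues discussed above."""
    findings = set()
    globals_, sections = parse(config)
    for cmd in globals_:
        m = re.match(r"username (\S+) (?:privilege \d+ )?password (.+)", cmd)
        if m and not re.match(r"[07] \S+$", m.group(2)) and " " in m.group(2):
            findings.add(("literal-password", m.group(1)))      # e.g. "md5 examplepw"
    for header, cmds in sections.items():
        transports = next((c.split()[2:] for c in cmds if c.startswith("transport input ")), [])
        if "ssh" in transports and "login" in cmds:
            findings.add(("ssh-line-password-login", header))   # needs "login local" or AAA
        if "telnet" in transports or "all" in transports:
            findings.add(("telnet-enabled", header))            # credentials sent in cleartext
        if any(c.startswith("password 7 ") for c in cmds):
            findings.add(("type7-password", header))            # reversible encoding
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Running it against the sample reports the literal password for `admin` and the plain `login` on `line vty 3 4`; a config using `username ... secret`, `login local` and `transport input ssh` returns no findings.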