
Catalyst WS-C2950-24 SSH

sendalot Member Posts: 328
I have set vlan 1 and default gateway.

I updated the IOS to support crypto.

Now I set "transport input ssh." But my username and password are not working!!

I have put "login local" as well.

Comments

  • Iristheangel Mod Posts: 4,133
    So after issuing the "ssh -l <username> <ip-address>" command, you get a prompt for a password? If so, reset the password at the console and check the privilege level of the username just in case

    If you're not getting a prompt for password, check the version of SSH your client is using vs. what's being used on the switch. I'd also check to make sure you have connectivity both L1, L2, and L3. Any access lists on the vty lines? Jump on the switch via console and see if you can SSH/telnet from the switch to the router and then try to make the journey back.

    Any of that work for you? If not, copy the config on here and let's take a look :)
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • sendalot Member Posts: 328
    PuTTY brings up the username and password prompt upon accessing the switch via SSH.

    I did "username user password pwd."

    At which level do I type "ssh -l username pwd?"

    Thanks.
  • DCD Member Posts: 473
    You didn't mention if you did the domain name and/or the RSA key.
  • RouteMyPacket Member Posts: 1,104
    DCD wrote:
    You didn't mention if you did the domain name and/or the RSA key.

    He would never make it to the login prompt if he had missed that, sounds like bad password
    Modularity and Design Simplicity:

    Think of the 2:00 a.m. test—if you were awakened in the
    middle of the night because of a network problem and had to figure out the
    traffic flows in your network while you were half asleep, could you do it?
  • Iristheangel Mod Posts: 4,133
    Yeah, if you are getting the password prompt, probably is a bad password. Try recreating the username at the console level. If you're locked out of the switch due to this, it's pretty easy to reset the password. Do a search for "cisco 2950 password reset" and the Cisco config guide should come right up. I'm on an old phone right now or I would link for you
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • sendalot Member Posts: 328
    But I can use Console Cable to login with the "enable secret" password. Is there a way to change the password?

    Thanks.
  • Iristheangel Mod Posts: 4,133
    The enable secret password and the username/password can be different. You could always issue the show run | inc username to see what the existing password is if you didn't issue the service password-encryption command while configuring your switch. You can easily change the username password. Get back in enable mode, type in conf t and then username <name> password <password> again and just double-check for typos this time
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • sendalot Member Posts: 328
    After that, do I need to mingle with "line vty 0 5" ?
    Thanks.
  • Iristheangel Mod Posts: 4,133
    Well... If you got the prompt for a password when trying to remote in, probably not. Try changing the password first and test it. If that still doesn't work, post the config here because I'm just going through the likely issues based on what you described but I'm blind until I see a config
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • sendalot Member Posts: 328
    Thank you. Beautifully SSH-ing.

    Also, do I have to manually disable telnet or is not having login set up for it enough?

    Thanks again.
  • Iristheangel Mod Posts: 4,133
    If you don't want the switch accepting any telnet connections, go to the vty lines in config mode and enter "transport input ssh"

    That will tell the switch to only allow incoming connections from ssh on those vty lines
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • sendalot Member Posts: 328
    Here is my config.

    ip ssh time-out 120
    ip ssh authentication-retries 3
    !
    !
    spanning-tree mode pvst
    no spanning-tree optimize bpdu transmission
    spanning-tree extend system-id
    spanning-tree vlan 1 priority 0
    !
    !
    !
    !
    interface FastEthernet0/1
    !
    interface FastEthernet0/2
    !
    interface FastEthernet0/3
    !
    interface FastEthernet0/4
    !
    interface FastEthernet0/5
    !
    interface FastEthernet0/6
    !
    interface FastEthernet0/7
    !
    interface FastEthernet0/8
    !
    interface FastEthernet0/9
    !
    interface FastEthernet0/10
    !
    interface FastEthernet0/11
    !
    interface FastEthernet0/12
    !
    interface FastEthernet0/13
    !
    interface FastEthernet0/14
    !
    interface FastEthernet0/15
    !
    interface FastEthernet0/16
    !
    interface FastEthernet0/17
    !
    interface FastEthernet0/18
    !
    interface FastEthernet0/19
    !
    interface FastEthernet0/20
    !
    interface FastEthernet0/21
    !
    interface FastEthernet0/22
    !
    interface FastEthernet0/23
    !
    interface FastEthernet0/24
    !
    interface Vlan1
     ip address 10.10.10.6 255.255.255.0
     no ip route-cache
    !
    ip default-gateway 10.10.10.1
    ip http server
    !
    line con 0
    line vty 0 4
     password 7 09424B1E1B5747435F
     login local
     transport input ssh
    line vty 5
     password 7 011D03135959565E75
     no login
     transport input ssh
    line vty 6 15
     no login
    !
    !
    end



    Please take a look and see why telnet is still bypassing.
    Thanks.
  • Iristheangel Mod Posts: 4,133
    Question: Are you running IOS version 12.2(44)SE5 on that 2950? If I recall correctly, there is a bug in that codeset that causes transport input ssh to still allow telnet. Kind of a quirky issue with some old IOS versions but there are two ways to correct it. You can download a different IOS version or add an extended ACL to block port 23.

    Also for shitz and giggles, add transport input ssh to line vty 6 15. I would also remove the line passwords just to clean up your config a little since you're going to be using your local login anyways and don't want telnet going in
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
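An added example, not part of the original thread or any poster's code: a small Python check over the `line vty` stanzas of a pasted running-config that flags lines with `no login` or without an explicit `transport input`, which is what the posted configuration shows on vty 5 and vty 6 15. It assumes an unset `transport input` falls back to a platform default that accepts telnet; the function names and finding codes are hypothetical.

```python
import re

# Constructed sample: the line section of the configuration posted in the thread.
SAMPLE_CONFIG = """\
line con 0
line vty 0 4
password 7 09424B1E1B5747435F
login local
transport input ssh
line vty 5
password 7 011D03135959565E75
no login
transport input ssh
line vty 6 15
no login
"""

def parse_vty(config):
    """Map (first, last) vty numbers to that stanza's sub-commands."""
    # Indentation is ignored so flattened forum pastes still parse; a stanza
    # ends at '!', 'end', a blank line or the next 'line ...' header.
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"line vty (\d+)(?: (\d+))?", line)
        if m:
            first = int(m.group(1))
            current = stanzas.setdefault((first, int(m.group(2) or first)), [])
        elif line in ("", "!", "end") or line.startswith("line "):
            current = None
        elif current is not None:
            current.append(line)
    return stanzas

def audit_vty(config):
    """Return (line name, finding code) pairs; the codes are hypothetical."""
    findings = []
    for (first, last), cmds in sorted(parse_vty(config).items()):
        name = f"vty {first}" if first == last else f"vty {first}-{last}"
        transport = [c.split()[2:] for c in cmds if c.startswith("transport input")]
        if not transport:
            # Assumption: the unset default on this platform accepts telnet.
            findings.append((name, "transport-default"))
        elif {"telnet", "all"} & set(transport[-1]):
            findings.append((name, "telnet-allowed"))
        if "no login" in cmds:
            findings.append((name, "no-login"))  # no authentication on this line
    return findings

print(audit_vty(SAMPLE_CONFIG))
```

A single `line vty 0 15` stanza carrying both `login local` and `transport input ssh` returns no findings.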
  • sendalot Member Posts: 328
    2950C is going out of support due to its age.
    So I downloaded the latest crypto IOS with my CCO account for free.
    I'm sure that's the reason.
    Otherwise, Clear! Thanks.
  • DCD Member Posts: 473
    He would never make it to the login prompt if he had missed that, sounds like bad password

    You can't confirm he was using SSH; he could have been using telnet and not realized it, just like he didn't realize he typed the wrong password. And he went out of his way to say he updated the IOS to crypto but missed all the other details of his configuration.
  • sendalot Member Posts: 328
    The switch is all good now. It doesn't accept telnet connections now. I'm going to double check later.
    I did "crypto key" when I first started and have been using PuTTY with special attention to port #.

    Thanks.