SSH Question

First and foremost I am not studying ccna security...

1)
Is it possible to ssh into a switch WITHOUT inputting the username admin password cisco command??
Only enable secret cisco is entered.

2) Secondly I dont understand the line: Specifies an ENCRYPTED secret will follow

If I want to configure 2 switches with the password "cisco", I can key in username admin password cisco directly for the 2 switches.

Why should I configure the ENCRYPTED password and make my life difficult??

Q3) I can enter privileged mode Switch# without a password when I console in. However, if I ssh in, I will need to enter the enable secret password. Can anyone tell me why?

What I have learnt today:
no login - no need password
login - use "line vty 0 4 password cisco" to log in
login local - use username admin password cisco to log on

Find more posts tagged with

Comments

Simrid

1) To create an SSH login, you must have a few things; Domain-name, username+password, login local, transport input ssh and a crypto key. The username and password can be set to whichever you'd like, for example username Simrid password dppagc, however it is recommend you create a secret password which will be in MD5 hash in the running-config. username Simrid secret dppagc. If you would like to change these levels of access, I believe you can use the privilege exec level x command in global config.

2) I believe the this point is if you would like to copy and paste configuration from another device, it enables you to just copy all of the running config and donk it in. I think?

3) You can set the privllage of a user (for security reasons) when you create the user account itself. You should use the privilege level of 1 for user exec mode or 15 to enable them to go into privileged exec mode, heres what the command will look like: username Simrid privilege 15 secret dppagc.

Hondabuff

dppagc wrote: »

First and foremost I am not studying ccna security...

1)
Is it possible to ssh into a switch WITHOUT inputting the username admin password cisco command??
Only enable secret cisco is entered.

2) Secondly I dont understand the line: Specifies an ENCRYPTED secret will follow

If I want to configure 2 switches with the password "cisco", I can key in username admin password cisco directly for the 2 switches.

Why should I configure the ENCRYPTED password and make my life difficult??

Q3) I can enter privileged mode Switch# without a password when I console in. However, if I ssh in, I will need to enter the enable secret password. Can anyone tell me why?

What I have learnt today:
no login - no need password
login - use "line vty 0 4 password cisco" to log in
login local - use username admin password cisco to log on

1) Create local username and password.
2) Create enable Secret.
3) turn on aaa
4) CORP-R1(config)#aaa authentication login default enable

theodoxa

enable secret cisco
ip domain-name contoso.com
hostname R1
crypto key generate rsa modulus 1024
aaa new-model
aaa authentication login LOGIN-SSH enable
line vty 0 4
  login authentication LOGIN-SSH
  transport input ssh

*EDIT: I just noticed you were trying to configure it for the VTY lines rather than the Console.

As for Q2, if you save the configuration and the password is configured to be encrypted, then you can copy and paste the command from your saved configuration. The saved configuration will contain (if service password-encryption is enabled) an encrypted copy of the password, so the console gives you the option of specifying the password in either clear text or encrypted.

alan2308

Simrid wrote: »

2) I believe the this point is if you would like to copy and paste configuration from another device, it enables you to just copy all of the running config and donk it in. I think?

I can't think of any other reason why you would want to enter an encrypted password. It definitely left me wonder for a long time the first time I saw it.

TechGuru80

1. Enable secret is only for enable mode...not to login remotely. I.e. when you get in the CLI and type en.

2. Use 'username x secret y' ... using 'password' is not a good practice. The encryption for the passwords is fairly easy to crack...it is more meant to block shoulder surfing.

3. If you are on a console connection, you have physical access and it is assumed you have access controls to prevent access from intruders. Remote access needs to be protected...best practice.

Again do not use the password command...always use secret.

theodoxa

TechGuru80 wrote: »

1. Enable secret is only for enable mode...not to login remotely. I.e. when you get in the CLI and type en.

You can specify the enable password/secret as an authentication method using AAA method lists.