
15845 Views 14 Replies Latest reply: Jul 12, 2010 6:32 PM by Paul Stewart - CCIE Security RSS


SSH and Telnet ( vty mode)

Jul 12, 2010 11:17 AM

Jag 30 posts since
Jul 9, 2010

Hi Guys,

What are the default settings on routers and switches for telnet and SSH sessions?

I think it is transport input telnet; can anyone please confirm?

Also, if the show running-config command displays the following output:

" login local

exit

username john password cisco

crypto key generate rsa "

The SSH session to the router will be rejected because there is no enable password configured for enable mode. Also, there is no transport input command configured and no ip domain-name command configured. Please verify this.

If the show running-config output does not show anything about the 'transport input' command, it means the router is using the default settings, i.e. transport input telnet. Can anyone please verify this?

Regards,

Jag

  • Conwyn 9,667 posts since Sep 10, 2008
    1. Jul 12, 2010 11:29 AM (in response to Jag)
    Re: SSH and Telnet ( vty mode)

    Hi Jag

    If you use the search facility on CLN you will find many postings that will help you, especially about a domain name not being required.

    Regards Conwyn
  • Lord Lizarazo 97 posts since Mar 25, 2009
    2. Jul 12, 2010 11:38 AM (in response to Jag)
    Re: SSH and Telnet ( vty mode)

    Telnet is the default as long as you come in and tell the vty to login.

    You can use "SSH" using the following configuration:

    hostname "NAME"
    ip domain-name "domain name"
    crypto key generate rsa
    512
    username "name" privilege 15 secret "password"

    line vty 0
    transport input ssh
    login local
  • Conwyn 9,667 posts since Sep 10, 2008
    3. Jul 12, 2010 11:48 AM (in response to Lord Lizarazo)
    Re: SSH and Telnet ( vty mode)

    Hi Lord

    Without domain name see https://learningnetwork.cisco.com/message/20007#20007

    Regards Conwyn
  • Conwyn 9,667 posts since Sep 10, 2008
    5. Jul 12, 2010 12:30 PM (in response to Jag)
    Re: SSH and Telnet ( vty mode)

    Hi Jag

    Just look at the example I posted.

    Regards Conwyn
  • Paul Stewart - CCIE Security 7,570 posts since Jul 18, 2008
    6. Jul 12, 2010 1:27 PM (in response to Jag)
    Re: SSH and Telnet ( vty mode)

    Regarding your first question, the default is a bit strange on the transport input methods.  My router actually shows nothing configured, but if I do a "show line vty x | inc input", it shows the following input methods permitted.

    Allowed input transports are pad telnet rlogin lapb-ta mop v120 ssh.

    Now if I add the following,

    line vty 0 4
    transport input pad telnet rlogin lapb-ta mop v120 ssh

    it actually shows in the configuration.  So while I think the default input methods are pad, telnet, rlogin, lapb-ta, mop, v120 and ssh, I find it odd that they are only listed in a running configuration after they have been entered.

    Regarding the question about SSH: you should make sure you have a hostname and a domain-name.  Then you need to generate a key using the "crypto key generate rsa" global config command.  Then a "show ip ssh" should show that SSH is enabled.  It is important that SSH shows enabled.  Then, as you mentioned, you need a username and password configured, and "login local" to use the local database (or you can use AAA).  I don't think the absence of an enable secret would prevent you from SSH'ing to a router, but it might prevent you from going into privileged exec mode.
  • Conwyn 9,667 posts since Sep 10, 2008
    Re: SSH and Telnet ( vty mode)

    Hi Paul

    You do not need a host name or domain name.

    Regards Conwyn

    no ip ssh version is 1 & 2

    username conwyn privilege 15 password cisco
    crypto key generate rsa usage-keys label myrsakey modulus 768
    ip ssh authentication-retries 5
    ip ssh rsa keypair-name myrsakey
    line vty 0 4
    login local (no need for aaa new-model)
    transport input ssh

    SSHClient#ssh -l conwyn 192.168.1.2

    Password:
  • Paul Stewart - CCIE Security 7,570 posts since Jul 18, 2008
    8. Jul 12, 2010 1:46 PM (in response to Conwyn)
    Re: SSH and Telnet ( vty mode)

    There may be cases where you do not need a host name and domain name to create a generic key.  However, most Cisco documentation states to configure those items first.  Below is the output of a 2811 running some flavor of 12.4T code.  It would not allow the key to be generated without first configuring the host and domain names.

    Router(config)#crypto key generate rsa general-keys modulus 768
    % Please define a hostname other than Router.
    Router(config)#crypto key generate rsa
    % Please define a hostname other than Router.
    Router(config)#hos
    Router(config)#hostname ISR
    lexnetISR(config)#crypto key generate rsa general-keys modulus 768
    % Please define a domain-name first.
    ISR(config)#ip domain name net.com
    ISR(config)#exit
    ISR(config)#crypto key generate rsa general-keys modulus 768
    The name for the keys will be: ISR.net.com

    % The key modulus size is 768 bits
    % Generating 768 bit RSA keys, keys will be non-exportable...[OK]
  • Conwyn 9,667 posts since Sep 10, 2008
    Re: SSH and Telnet ( vty mode)

    Hi Paul

    Do you want to try it with a usage key like my example?  It is off the ARSFE course.  You are using general keys.

    Regards Conwyn
  • Paul Stewart - CCIE Security 7,570 posts since Jul 18, 2008
    12. Jul 12, 2010 6:28 PM (in response to Jag)
    Re: SSH and Telnet ( vty mode)

    I don't think I would get too worked up over that level of detail.  Technically, the two routers I have been in today have all input methods supported by default except "udptn".  So it's not really "transport input all", but almost.

    Router(config)#do show line vty 4 | inc input
    Allowed input transports are pad telnet rlogin lapb-ta mop v120 ssh.

    Router(config)#line vty 0 15
    Router(config-line)#trans
    Router(config-line)#transport inp
    Router(config-line)#transport input ?
      all      All protocols
      lapb-ta  LAPB Terminal Adapter
      mop      DEC MOP Remote Console Protocol
      none     No protocols
      pad      X.3 PAD
      rlogin   Unix rlogin protocol
      ssh      TCP/IP SSH protocol
      telnet   TCP/IP Telnet protocol
      udptn    UDPTN async via UDP protocol
      v120     Async over ISDN
  • Paul Stewart - CCIE Security 7,570 posts since Jul 18, 2008
    13. Jul 12, 2010 6:32 PM (in response to Conwyn)
    Re: SSH and Telnet ( vty mode)

    Conwyn,

    I think you have me on this one, good information.  You can create an RSA keypair without a hostname and domain.  The caveat is that you must use a label.  The keys can be general or usage.  See below.

    Router(config)#
    Router(config)#crypto key generate rsa modulus 768
    % Please define a hostname other than Router.
    Router(config)#crypto key generate rsa modulus 768 label test
    The name for the keys will be: test

    % The key modulus size is 768 bits
    % Generating 768 bit RSA keys, keys will be non-exportable...[OK]

    Router(config)#
    *Jul 11 13:27:51.431: %SSH-5-ENABLED: SSH 1.99 has been enabled
    Router(config)#
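Pulling the thread's points together, here is an added example (my own code, not posted by anyone in this discussion and not a Cisco tool) that audits a running-config excerpt the way a reviewer would before trusting vty access. It uses the default transport list from Paul's "show line vty" output (post 6) and treats a missing "transport input" as still permitting Telnet (post 12); it checks the hostname/domain-name prerequisite for "crypto key generate rsa" with the labeled-key exception Conwyn demonstrated (post 13); and it reads the first line of "show ip ssh", because the running-config never shows whether an RSA key exists. The config text, hostname, domain and usernames are constructed placeholders. Detecting a labeled key through an "ip ssh rsa keypair-name" line is an assumption (a labeled key can exist without that line), so that check is a hint rather than proof.

```python
import re

# Constructed sample running-config excerpt (placeholder names, not a real device).
SAMPLE_CONFIG = """\
hostname ISR
ip domain name net.com
username john privilege 15 secret 0 s3cr3t
ip ssh version 2
!
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
!
end
"""

# Constructed excerpt shaped like the snippet in the opening question:
# no hostname, no domain-name, reversible password, no transport input.
MINIMAL_CONFIG = """\
username john password cisco
line vty 0 4
 login local
"""

# Transports IOS reported as allowed when no "transport input" is configured,
# taken from the "show line vty" output quoted in this thread.
DEFAULT_INPUT_TRANSPORTS = ("pad", "telnet", "rlogin", "lapb-ta", "mop", "v120", "ssh")


def parse_vty_lines(config):
    """Map each 'line vty A B' header to the list of its indented sub-commands."""
    vtys = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw.strip()
            vtys[current] = []
        elif current is not None and raw.startswith(" "):
            vtys[current].append(raw.strip())
        else:
            current = None  # any other top-level command ends the line block
    return vtys


def allowed_transports(subcommands):
    """Resolve the effective input transport set for one vty block."""
    for cmd in subcommands:
        m = re.match(r"transport input (.+)$", cmd)
        if m:
            words = m.group(1).split()
            if words == ["all"]:
                # "all" adds udptn, the one transport the default list omits
                return set(DEFAULT_INPUT_TRANSPORTS) | {"udptn"}
            if words == ["none"]:
                return set()
            return set(words)
    return set(DEFAULT_INPUT_TRANSPORTS)  # nothing configured: IOS default


def audit_ssh_access(config, show_ip_ssh_first_line=None):
    """Return (severity, message) findings about SSH/Telnet access on the vty lines."""
    findings = []

    # RSA key generation needs a real hostname and a domain-name unless the key
    # is created with a label; the keypair-name line is the only trace of a
    # labeled key in a running-config (assumption: it may be absent).
    has_hostname = re.search(r"^hostname (?!Router$)\S+", config, re.M) is not None
    has_domain = re.search(r"^ip domain[- ]name \S+", config, re.M) is not None
    labeled_key = re.search(r"^ip ssh rsa keypair-name \S+", config, re.M) is not None
    if not labeled_key and not (has_hostname and has_domain):
        findings.append(("warn", "hostname/domain-name incomplete and no labeled keypair: "
                                 "'crypto key generate rsa' will refuse to run"))

    # The running-config does not list RSA keys, so only "show ip ssh" proves SSH is up.
    if show_ip_ssh_first_line is not None and not show_ip_ssh_first_line.startswith("SSH Enabled"):
        findings.append(("error", "show ip ssh does not report SSH Enabled (no RSA key?)"))

    # 'login local' needs a local account; flag reversible 'password' storage.
    if not re.search(r"^username \S+.* secret ", config, re.M):
        if re.search(r"^username \S+.* password ", config, re.M):
            findings.append(("warn", "username stored with 'password'; prefer 'secret'"))
        else:
            findings.append(("error", "no local username for 'login local'"))

    aaa = re.search(r"^aaa new-model", config, re.M) is not None
    for name, cmds in parse_vty_lines(config).items():
        has_login = "login local" in cmds or any(c.startswith("login authentication") for c in cmds)
        if not has_login and not aaa:
            findings.append(("error", f"{name}: no 'login local'"))
        transports = allowed_transports(cmds)
        if "ssh" not in transports:
            findings.append(("error", f"{name}: ssh not permitted ({sorted(transports)})"))
        exposed = sorted(transports - {"ssh"})
        if exposed:
            findings.append(("warn", f"{name}: non-SSH transports allowed ({', '.join(exposed)}); "
                                     "set 'transport input ssh'"))
    return findings


if __name__ == "__main__":
    for cfg, ssh_line in ((SAMPLE_CONFIG, "SSH Enabled - version 2.0"), (MINIMAL_CONFIG, None)):
        for severity, message in audit_ssh_access(cfg, ssh_line):
            print(f"[{severity}] {message}")
        print("---")
```

Run as a script it reports that "line vty 5 15" in the first sample still accepts Telnet because nothing was configured on it, and that the second sample cannot generate a key and stores a reversible password. The script only parses text you paste from "show running-config" and "show ip ssh"; it never touches a device.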
