14 Replies. Latest reply: Jul 12, 2010 6:32 PM by Paul Stewart - CCIE Security

    SSH and Telnet ( vty mode)

    Jag

      Hi Guys,

      What are the default settings on routers and switches for Telnet and SSH sessions?

      I think it is "transport input telnet"; can anyone please confirm?

      Also, if the show running-config command displays this output:

      " login local
      exit
      username john password cisco

      crypto key generate rsa "

      The SSH session to the router will be rejected because there is no enable password configured for enable mode. Also, there is no transport input command configured and no ip domain-name command configured. Please verify it.

      If the show running-config does not show anything about the ' transport input ' command in the output, it means the router is using the default settings, i.e. transport input telnet. Can anyone please verify it?

      Regards,

      Jag

        • 1. Re: SSH and Telnet ( vty mode)
          Conwyn

          Hi Jag

           

          If you use the search facility on CLN you will find many postings that will help you especially about a domain name not being required.

           

          Regards Conwyn

          • 2. Re: SSH and Telnet ( vty mode)
            Lord Lizarazo

            Telnet is the default as long as you come in and tell the vty to login.

            You can use SSH
            using the following configuration:

            hostname "NAME"
            ip domain-name "domain name"
            crypto key generate rsa
            512
            username "name" privilege 15 secret "Password"

            line vty 0
            transport input ssh
            login local

            • 3. Re: SSH and Telnet ( vty mode)
              Conwyn

              Hi Lord

               

              Without domain name see https://learningnetwork.cisco.com/message/20007#20007

               

              Regards Conwyn

              • 4. Re: SSH and Telnet ( vty mode)
                Jag

                Hi,

                I'm confused now. Some posts here say "transport input all" is the default for vty mode and some say "transport input telnet" is the default. Even the Wendell Odom ICND1 book says the default is 'transport input telnet' in one place and says the default is 'transport input all' in another. Which one is true?

                Also, do the login local and ip domain-name commands need to be configured for SSH or not?

                Please clear my doubts on this topic.

                Regards,

                Jag

                • 5. Re: SSH and Telnet ( vty mode)
                  Conwyn

                  Hi Jag

                   

                  Just look at the example I posted.

                   

                  Regards Conwyn

                  • 6. Re: SSH and Telnet ( vty mode)
                    Paul Stewart  -  CCIE Security

                    Regarding your first question, the default is a bit strange on the transport input methods.  My router actually shows nothing configured, but if I do a "show line vty x | inc input", it shows the following input methods permitted.

                     

                    Allowed input transports are pad telnet rlogin lapb-ta mop v120 ssh.

                     

                    Now if I add the following,

                     

                    line vty 0 4

                    transport input pad telnet rlogin lapb-ta mop v120 ssh

                     

                    It actually shows in the configuration.  So while I think the default input methods are pad, telnet, rlogin, lapb-ta, mop, v120 and ssh, I find it odd that they only are listed in a running configuration after they have been entered.

                     

                    Regarding the question about SSH: you should make sure you have a hostname and a domain name. Then you need to generate a key using the "crypto key generate rsa" global config command. Then a "show ip ssh" should show that SSH is enabled. It is important that SSH shows enabled. Then, as you mentioned, you need a username and password configured, and login local to use the local database (or you can use AAA). I don't think the absence of an enable secret would prevent you from SSH'ing to a router, but it might prevent you from going into privileged exec mode.

                    • 7. Re: SSH and Telnet ( vty mode)
                      Conwyn

                      Hi Paul

                       

                      You do not need a host name or domain name.

                      Regards Conwyn

                      With no "ip ssh version" configured, the version is 1 & 2.

                      username conwyn privilege 15 password cisco
                      crypto key generate rsa usage-keys label myrsakey modulus 768
                      ip ssh authentication-retries 5
                      ip ssh rsa keypair-name myrsakey
                      line vty 0 4
                      login local (no need for aaa new-model)
                      transport input ssh

                      SSHClient#ssh -l conwyn 192.168.1.2

                      Password:

                      • 8. Re: SSH and Telnet ( vty mode)
                        Paul Stewart  -  CCIE Security

                        There may be cases that you do not need a host name and domain name to create a generic key.  However, most Cisco documentation states to configure those items first.  Below is the output of a 2811 running some flavor of 12.4T code.  It would not allow the key to be generated without first configuring the host and domain names.

                         

                        Router(config)#crypto key generate rsa general-keys modulus 768
                        % Please define a hostname other than Router.
                        Router(config)#crypto key generate rsa
                        % Please define a hostname other than Router.
                        Router(config)#hos
                        Router(config)#hostname ISR
                        lexnetISR(config)#crypto key generate rsa general-keys modulus 768
                        % Please define a domain-name first.
                        ISR(config)#ip domain name net.com
                        ISR(config)#exit
                        ISR(config)#crypto key generate rsa general-keys modulus 768
                        The name for the keys will be: ISR.net.com

                         

                        % The key modulus size is 768 bits
                        % Generating 768 bit RSA keys, keys will be non-exportable...[OK]

                        • 9. Re: SSH and Telnet ( vty mode)
                          Jag

                          Please look under the transport input command in the document below:

                           

                          http://www.cisco.com/en/US/docs/ios/termserv/command/reference/tsv_s1.html#wp1069219

                           

                          It says default is Transport input all. Here is an excerpt from the original document:

                           

                          Defaults

                          No protocols are allowed on the console, tty, and AUX lines. Default is transport input none.
                          All protocols are allowed on virtual terminal lines (vtys). Default is transport input all.

                          • 10. Re: SSH and Telnet ( vty mode)
                            Conwyn

                            Hi Paul

                             

                            Do you want to try it with a usage key like my example? It is off the ARSFE course. You are using general keys.

                             

                            Regards Conwyn

                            • 11. Re: SSH and Telnet ( vty mode)
                              Jag

                              Hi Paul, Hi Conwyn,

                               

                              Thanks guys for your support. I'm preparing for the ICND1 exam and I think I don't need to know many details about SSH at this point. I just want to make sure (for exam purposes) whether the default on vty mode is 'transport input telnet' or 'transport input all'.

                              The Odom book is creating all kinds of confusion, with the default given as 'transport input telnet' on page 240 and as 'transport input telnet ssh' on page 263.

                               

                              Thanks,

                               

                              Jag

                              • 12. Re: SSH and Telnet ( vty mode)
                                Paul Stewart  -  CCIE Security

                                I don't think I would get too worked up over that level of detail.  Technically, the two routers I have been in today have all input methods supported by default except "udptn".  So it's not really "transport input all", but almost.

                                 

                                Router(config)#do show line vty 4 | inc input
                                Allowed input transports are pad telnet rlogin lapb-ta mop v120 ssh.

                                 

                                Router(config)#line vty 0 15
                                Router(config-line)#trans
                                Router(config-line)#transport inp
                                Router(config-line)#transport input ?
                                  all      All protocols
                                  lapb-ta  LAPB Terminal Adapter
                                  mop      DEC MOP Remote Console Protocol
                                  none     No protocols
                                  pad      X.3 PAD
                                  rlogin   Unix rlogin protocol
                                  ssh      TCP/IP SSH protocol
                                  telnet   TCP/IP Telnet protocol
                                  udptn    UDPTN async via UDP protocol
                                  v120     Async over ISDN
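The practical consequence of the two answers settled in this thread (the SSH enablement steps in replies 2, 6 and 7, and the vty default of "transport input all" rather than "transport input telnet" in replies 9 and 12) is that a vty stanza with no `transport input` line still accepts Telnet and every other transport, and that without `ip ssh version 2` the router runs SSH 1.99 and accepts protocol 1 as well. The script below is an added example, not code from any of the posters: it reads a `show running-config` text, models a missing `transport input` as the full protocol list the routers in this thread printed (that list, the `udptn` addition from the `transport input ?` help, and the finding codes are my assumptions), and flags Telnet left open, SSH version not pinned to 2, `username ... password` instead of `secret`, and the hostname/domain-name condition from reply 13. The three configs it audits are constructed for the example; the "partial" one hardens only `line vty 0`, as in reply 2, and shows why the `transport input ssh` must cover every vty line (0 4, or 0 15). One caveat the thread does not raise: the 512- and 768-bit RSA moduli used in these replies are well below current guidance of 2048 bits or more; the modulus is not in the running-config, so check it with `show crypto key mypubkey rsa` rather than with this script.

```python
"""Audit a Cisco IOS running-config for vty transport and SSH weaknesses.

Added example for this thread, not code from the original posts. The rule it
encodes is the one settled in the thread: a vty stanza with no 'transport
input' line is not 'telnet only', it is 'transport input all', so Telnet and
the other transports stay open until 'transport input ssh' is configured.
"""
import re
from dataclasses import dataclass

# Assumed effective vty default when no 'transport input' is shown: the list
# 'show line vty' printed in the thread, plus udptn from 'transport input ?'.
ALL_TRANSPORTS = frozenset(
    {"pad", "telnet", "rlogin", "lapb-ta", "mop", "v120", "ssh", "udptn"})


@dataclass(frozen=True)
class Finding:
    severity: str
    code: str
    detail: str


@dataclass
class VtyStanza:
    first: int
    last: int
    transports: frozenset = ALL_TRANSPORTS
    explicit: bool = False        # a 'transport input' line was present
    login: str = "unspecified"    # local | aaa:<list> | line-password | none
    has_password: bool = False


_VTY_RE = re.compile(r"^line vty (\d+)(?: (\d+))?$")


def parse_config(text):
    """Pull the remote-access-relevant globals and 'line vty' stanzas."""
    glob = {"hostname": None, "domain": None, "ssh_version": None,
            "usernames": [], "aaa_new_model": False}
    stanzas, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        body = line.strip()
        if line[0] != " ":                      # top-level command
            current = None
            m = _VTY_RE.match(body)
            if m:
                first = int(m.group(1))
                last = int(m.group(2)) if m.group(2) else first
                current = VtyStanza(first, last)
                stanzas.append(current)
            elif body.startswith("hostname "):
                glob["hostname"] = body.split(None, 1)[1]
            elif body.startswith(("ip domain-name ", "ip domain name ")):
                glob["domain"] = body.split()[-1]
            elif body.startswith("ip ssh version "):
                glob["ssh_version"] = int(body.split()[-1])
            elif body.startswith("username "):
                glob["usernames"].append(body)
            elif body == "aaa new-model":
                glob["aaa_new_model"] = True
            continue
        if current is None:                     # child of con/aux/tty: ignore
            continue
        if body.startswith("transport input"):
            words = body.split()[2:]
            current.explicit = True
            if words == ["all"]:
                current.transports = ALL_TRANSPORTS
            elif words == ["none"] or not words:
                current.transports = frozenset()
            else:
                current.transports = frozenset(words)
        elif body == "login local":
            current.login = "local"
        elif body.startswith("login authentication "):
            current.login = "aaa:" + body.split()[-1]
        elif body == "login":
            current.login = "line-password"
        elif body == "no login":
            current.login = "none"
        elif body.startswith("password "):
            current.has_password = True
    return glob, stanzas


def audit(text):
    """Return the list of Finding objects for one running-config."""
    glob, stanzas = parse_config(text)
    out, ssh_anywhere = [], False
    if not stanzas:
        out.append(Finding("high", "NO_VTY_STANZA",
                           "no 'line vty' stanza; default (all transports) applies"))
    for s in stanzas:
        where = f"line vty {s.first}" if s.first == s.last else f"line vty {s.first} {s.last}"
        if "telnet" in s.transports:
            how = "explicitly" if s.explicit else "by default (no 'transport input' shown)"
            out.append(Finding("high", "TELNET_ALLOWED", f"{where}: telnet accepted {how}"))
        extra = sorted(s.transports - {"ssh", "telnet"})
        if extra:
            out.append(Finding("medium", "NON_SSH_TRANSPORT",
                               f"{where}: also accepts {', '.join(extra)}"))
        ssh_anywhere |= "ssh" in s.transports
        if s.login == "local" and not glob["usernames"]:
            out.append(Finding("high", "LOGIN_LOCAL_NO_USERS",
                               f"{where}: 'login local' but no username configured"))
        if s.login == "line-password" and not s.has_password:
            out.append(Finding("high", "LINE_PASSWORD_MISSING", f"{where}: 'login' without a line password"))
        if s.login == "none":
            out.append(Finding("high", "NO_LOGIN", f"{where}: 'no login', no authentication at all"))
    if ssh_anywhere:
        if glob["ssh_version"] != 2:
            out.append(Finding("medium", "SSH_VERSION_NOT_2",
                               "no 'ip ssh version 2': SSH 1.99 accepts protocol 1 as well as 2"))
        if glob["hostname"] in (None, "Router") or glob["domain"] is None:
            out.append(Finding("info", "KEY_NEEDS_LABEL",
                               "no hostname/domain name: 'crypto key generate rsa' needs a label"))
    for u in glob["usernames"]:
        if " password " in u:
            out.append(Finding("medium", "USERNAME_PASSWORD_NOT_SECRET",
                               f"'{u.split()[1]}' uses reversible 'password'; use 'secret'"))
    return out


def finding_codes(text):
    return {f.code for f in audit(text)}


# Constructed sample inputs (not real device output).
DEFAULT_CONFIG = "hostname Router\n!\nusername john password cisco\n!\nline vty 0 4\n login local\n!\n"
PARTIAL_CONFIG = ("hostname ISR\nip domain name net.com\n!\nusername john privilege 15 secret example-only\n!\n"
                  "line vty 0\n login local\n transport input ssh\nline vty 1 4\n login local\n!\n")
HARDENED_CONFIG = ("hostname ISR\nip domain name net.com\nip ssh version 2\n!\n"
                   "username john privilege 15 secret example-only\n!\n"
                   "line vty 0 15\n login local\n transport input ssh\n!\n")

if __name__ == "__main__":
    for name, cfg in [("default", DEFAULT_CONFIG), ("partial", PARTIAL_CONFIG), ("hardened", HARDENED_CONFIG)]:
        print(f"== {name}")
        for f in audit(cfg) or [Finding("ok", "CLEAN", "no findings")]:
            print(f"  [{f.severity}] {f.code}: {f.detail}")
```

Run against the "default" config (which mirrors the running-config in the opening post) it reports Telnet open by default, SSH not pinned to version 2, a reversible `username ... password`, and the hostname/domain-name condition; the "partial" config is clean on `line vty 0` but still reports Telnet on `line vty 1 4`; the "hardened" config produces no findings.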

                                • 13. Re: SSH and Telnet ( vty mode)
                                  Paul Stewart  -  CCIE Security

                                  Conwyn,

                                   

                                  I think you have me on this one, good information.  You can create an RSA keypair without a hostname and domain.  The caveat is that you must use a label.  The keys can be general or usage.  See below.

                                   

                                  Router(config)#
                                  Router(config)#crypto key generate rsa modulus 768
                                  % Please define a hostname other than Router.
                                  Router(config)#crypto key generate rsa modulus 768 label test
                                  The name for the keys will be: test

                                   

                                  % The key modulus size is 768 bits
                                  % Generating 768 bit RSA keys, keys will be non-exportable...[OK]

                                   

                                  Router(config)#
                                  *Jul 11 13:27:51.431: %SSH-5-ENABLED: SSH 1.99 has been enabled
                                  Router(config)#

                                  • 14. Re: SSH and Telnet ( vty mode)
                                    Jag

                                    Thanks Paul.