Cisco Ssh Enable Error In Authentication
Experts Exchange > Questions > Cisco router - % Error in authentication. message
Solved. Posted on 2008-02-29 in Routers. 1 verified solution, 6 comments, 12,512 views. Last modified: 2010-04-21.

I have a new Cisco 2811 router. I can telnet to the router successfully. However, when I try to issue the enable command, I get the following:

Username:
Network Engineering Stack Exchange: Do I need to set the enable secret on Cisco device?
Source: http://networkengineering.stackexchange.com/questions/16005/do-i-need-to-set-the-enable-secret-on-cisco-device
(14 upvotes, 2 favorites)

I'm setting up a Cisco 2901 router. I have a login password on the console line, and the vty lines are configured to only accept SSH connections with public key authentication. The auxiliary line is shut down. There are only two admins who will be accessing the router and we are both authorized to perform any configuration on the router. I'm not an expert on Cisco gear, but I consider this adequate to secure access to the router configuration. However, every single guide I've read states I should set an enable secret, regardless of any other user or line passwords. Is there something more to the enable password that I'm not aware of? Is there any other way to access the router than the console, auxiliary, or vty lines?

EDIT: I've added the actual configuration below to be more clear about my situation. The following works, without requiring an enable password, or a username config aside from the one within ip ssh pubkey-chain.
    aaa new-model
    ip ssh time-out 60
    ip ssh authentication-retries 2
    ip ssh version 2
    ip ssh pubkey-chain
     username tech
      key-hash ssh-rsa [HASH]
    ip scp server enable
    line vty 0 4
     transport input ssh

Tags: cisco, security. Asked Jan 7 '15 at 14:41 by Marwan; edited Jan 8 '15 at 12:30.

Comment by Ricky Beam (Jan 8 '15 at 2:51): short answer: not required, but very highly recommended -- as it's the first line of defense for full privs.

Comment by Marwan: But if I have passwords on the console line and vtys, why would I need another password? Also, the enable secret will have to be shared between admin staff, which is just asking for it
Source: http://www.thetechfirm.com/networking/cisco_ssh/

... like using Wireshark, an open source protocol analyzer, and its Follow TCP Stream feature. The characters in red are the ones I typed and the characters in blue are the ones echoed back. You can clearly see the User Access Verification prompt. Here's the telnet trace file. Below you can see me typing in my username; in the screenshot after that you can see me entering the enable command and then the enable password. Every one of those characters, the passwords included, crosses the network in clear text.

How to Enable SSH Version 1 on Cisco

Before you can enable SSH you need to assign individual (or group) user IDs and passwords. These are just login IDs and are required regardless of whether you use Telnet or SSH. To enable locally administered user IDs, use the following set of configuration commands. I would not suggest using the nopassword parameter. Replace the example values (user name, password, domain name) with your own. Note that username ... password stores the password reversibly (type 0 or type 7, which is trivially decoded from a leaked config); on any IOS that supports it, username ... secret stores a hash instead and is the form to use.

    foghorn#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    foghorn(config)#username fortunato password secret
    foghorn(config)#aaa new-model
    foghorn(config)#aaa authentication login local_auth local
    foghorn(config)#line vty 0 4
    foghorn(config-line)#login authentication local_auth
    foghorn(config-line)#exit
    foghorn(config)#end
    foghorn#

Now when you telnet into the device you should see the Username prompt:

    User Access Verification
    Username: fortunato
    Password:
    foghorn>

Now that you have login IDs created you can turn on SSH. The original article enables SSH version 1; SSHv1 is obsolete and should not be used, so on any current IOS also add ip ssh version 2 (as in the Stack Exchange configuration above) once the keys exist. To enable SSH, use the following set of configuration commands.

    foghorn#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    foghorn(config)#crypto key generate rsa
    % Please define a domain-name first.
    ! common mistake: the ip domain-name has not been set yet
    foghorn(config)#ip domain-name thetechfirm.com
    foghorn(config)#crypto key generate rsa
    The name for the keys will be: foghorn.thetechfirm.com
    Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys.
    Choosing a key modulus greater than 512 may take a few minutes.
    How many bits in the modulus [512]: 1024
    % Generating 1024 bit RSA keys ...[OK]
    foghorn(config)#ip ssh time-out 120
    foghorn(config)#ip ssh authentication-retries 5
    foghorn(config)#end

The 1024-bit modulus above reflects the IOS of the time; choose 2048 bits or larger today, and never accept the 512-bit default. Now we'll try to capture the SSH login, and as you can see the login data is no longer in clear text. Here's the SSH 1 trace file. The moral of the story is not to use cleartext logins if the device or application is sensitive.
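The Follow TCP Stream view described above shows the Telnet login as typed characters plus echoes. The following added example (not from the original article or its trace files) does the same recovery programmatically: it strips RFC 854 option negotiation from the client-to-server half of a Telnet session and returns the lines the user entered, which is exactly what a passive observer gets from a Telnet login. The byte stream, the user name and both passwords are constructed for the example.

```python
"""Recover a Telnet login from the client-to-server side of a TCP stream.

Added example, not from the original page. CONSTRUCTED_CLIENT_STREAM is
hand-built (IAC option negotiation followed by keystrokes); it is not a
real capture.
"""
IAC, SE, SB, WILL, WONT, DO, DONT = 0xFF, 0xF0, 0xFA, 0xFB, 0xFC, 0xFD, 0xFE

CONSTRUCTED_CLIENT_STREAM = (
    b"\xff\xfd\x03"                  # IAC DO   SUPPRESS-GO-AHEAD
    b"\xff\xfb\x18"                  # IAC WILL TERMINAL-TYPE
    b"\xff\xfa\x18\x00ANSI\xff\xf0"  # IAC SB TERMINAL-TYPE IS "ANSI" IAC SE
    b"fortunato\r\n"                 # typed at 'Username:' (router echoes it)
    b"s3cret\r\n"                    # typed at 'Password:' (not echoed, still on the wire)
    b"enable\r\n"
    b"en4ble\r\n"                    # enable password, equally visible
)


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Return only application bytes: drop IAC commands, option
    negotiation and subnegotiation; unescape IAC IAC to a literal 0xFF."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= n:             # dangling IAC at the end of the capture
            break
        cmd = data[i + 1]
        if cmd == IAC:             # escaped literal 0xFF
            out.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):
            i += 3                 # IAC <cmd> <option>
        elif cmd == SB:            # skip to the closing IAC SE
            end = data.find(bytes((IAC, SE)), i + 2)
            i = n if end < 0 else end + 2
        else:
            i += 2                 # NOP, AYT and other two-byte commands
    return bytes(out)


def entered_lines(client_stream: bytes) -> list:
    """Split the keystrokes into the lines the user sent with Enter.
    Telnet clients send CR LF or CR NUL for Enter; both are normalised."""
    text = strip_telnet_negotiation(client_stream)
    text = text.replace(b"\r\x00", b"\n").replace(b"\r\n", b"\n")
    return [line.decode("ascii", "replace") for line in text.split(b"\n") if line]


def recover_login(client_stream: bytes) -> dict:
    """The first two lines answer the 'Username:' and 'Password:' prompts;
    an 'enable' command is followed by the enable password on the next line."""
    lines = entered_lines(client_stream)
    creds = {
        "username": lines[0] if lines else None,
        "password": lines[1] if len(lines) > 1 else None,
        "enable_password": None,
    }
    for i, line in enumerate(lines):
        if line.strip() in ("enable", "en") and i + 1 < len(lines):
            creds["enable_password"] = lines[i + 1]
    return creds


if __name__ == "__main__":
    print(recover_login(CONSTRUCTED_CLIENT_STREAM))
```

On a real capture the client side of a character-at-a-time Telnet session arrives one keystroke per segment, but once the TCP stream is reassembled the bytes are the same as above; backspaces and line editing are left as an exercise.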
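Both the Stack Exchange configuration (SSHv2, public keys, no enable secret) and the tutorial's foghorn configuration (local users, Telnet still allowed, SSHv1) can be checked mechanically. The following added example, which is not from either page or from Cisco, audits an IOS running-config text for the points raised above: a missing enable secret, reversible username ... password entries, the absence of ip ssh version 2, and vty lines whose transport input still permits Telnet. The two configurations and the hash values in them are constructed for the example and are not real devices' configs. The note about "% Error in authentication." in the missing-enable-secret finding is the usual IOS behaviour when aaa new-model is on and no enable secret or password exists, which is the error the Experts Exchange post quotes.

```python
"""Audit a Cisco IOS running-config for the remote-access weaknesses
discussed on the page. Added example; the configs below are constructed
(hashes are placeholders), not taken from a real router.
"""
import re

CONSTRUCTED_WEAK_CONFIG = """\
hostname foghorn
ip domain-name thetechfirm.com
aaa new-model
aaa authentication login local_auth local
username fortunato password 7 094F471A1A0A
ip ssh time-out 120
ip ssh authentication-retries 5
line con 0
 password cisco
 login
line vty 0 4
 login authentication local_auth
 transport input telnet ssh
"""

CONSTRUCTED_HARDENED_CONFIG = """\
hostname foghorn
ip domain-name thetechfirm.com
aaa new-model
aaa authentication login local_auth local
username fortunato secret 5 $1$abcd$placeholderplaceholderpl
enable secret 5 $1$wxyz$placeholderplaceholderpl
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
line con 0
 login authentication local_auth
line vty 0 4
 login authentication local_auth
 transport input ssh
"""


def parse_sections(config: str):
    """Split an IOS config into global commands and 'line ...' sections
    (a header followed by its space-indented children)."""
    global_cmds, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, sections


def audit_ios_config(config: str) -> list:
    """Return a list of human-readable findings; empty means no issue found."""
    g, sections = parse_sections(config)
    findings = []

    # Privileged EXEC: 'enable secret' stores a hash, 'enable password' is type 0/7.
    if not any(c.startswith("enable secret") for c in g):
        msg = "no enable secret configured: privileged EXEC has no password of its own"
        if "aaa new-model" in g:
            msg += " (with aaa new-model, 'enable' on a vty then fails with '% Error in authentication.')"
        findings.append(msg)
    if any(c.startswith("enable password") for c in g):
        findings.append("enable password in use (type 0/7, recoverable): replace with enable secret")

    # Local users: 'username X password' is recoverable, 'username X secret' is hashed.
    for c in g:
        m = re.match(r"username (\S+) (?:privilege \d+ )?password\b", c)
        if m:
            findings.append(f"username {m.group(1)} uses 'password' (type 0/7, recoverable): "
                            f"use 'username {m.group(1)} secret'")

    # Without 'ip ssh version 2' the router may still negotiate SSHv1.
    if "ip ssh version 2" not in g:
        findings.append("ip ssh version 2 not set: SSHv1 may be negotiated")

    # vty lines: anything other than 'transport input ssh' can carry cleartext Telnet.
    for header, children in sections.items():
        if not header.startswith("line vty"):
            continue
        transports = [c for c in children if c.startswith("transport input")]
        if not transports:
            findings.append(f"{header}: no 'transport input ssh' (Telnet may be accepted by default)")
        for t in transports:
            protocols = t.split()[2:]
            if "telnet" in protocols or "all" in protocols:
                findings.append(f"{header}: '{t}' allows cleartext Telnet; set 'transport input ssh'")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", CONSTRUCTED_WEAK_CONFIG), ("hardened", CONSTRUCTED_HARDENED_CONFIG)):
        print(name, audit_ios_config(cfg) or "no findings")
```

The RSA modulus is deliberately not checked here because show running-config does not list it; use show crypto key mypubkey rsa on the device for that.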