09-14-2009 05:33 AM - edited 03-10-2019 04:41 PM
Hi
I have an early version of TACACS+ - CSACS3.2-WIN-K9
We have upgraded all our Cisco devices to SSH 1.5/SSH 2; however, when we renew passwords the TACACS server is not allowing password changes. The way around this is to use Telnet to a device that currently does not use SSH login, but this is not a long-term solution.
Does anyone know how to make TACACS+ allow password changes when we have logged into a device using SSH?
Thanks!!
09-14-2009 08:30 AM
Password expired notification doesn't work with any version of SSH. However,
password change is supported by SSHv2. SSHv1 doesn't support the necessary
message types to initiate a password change sequence. Only the very latest
versions of IOS code on the routers/switch support SSHv2.
There are a couple of known bugs filed to address this issue on IOS:
CSCdy54970: Tacacs+ ACS password change with SSH
1st Found-In: 12.2M
Fixed-In:
12.1(22)EA3
12.2(18)SXE
12.2(25)S6
12.2(25)SEA
12.2(25)SEB
12.2(27.7)S
12.3(10.1)T
CSCin91851: Support keyboard-interactive authentication method
Fixed-In:
12.4(10.1)T
12.2(33)SXI
12.4(17.9)M
12.2(32.8.11)SX142
12.2(33.1.10)SXH
12.4(13f)M
12.2(33)SXH2
12.2(32.8.11)XJC153.1
12.2(32.8.1)YCA172.24
12.4(22.3.4)PIC1
Link to check the bug information
http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs
Regards,
~JG
Do rate helpful posts
09-15-2009 01:04 PM
JG,
You're a funny person, posting CSCdy54970 that can be accessed by internal Cisco Employees.
Some clarifications:
"Password expired notification doesn't work with any version of SSH"
This is FALSE, if I understand correctly. See below:
[root@lab-firemon ~]# ssh -l test 172.20.20.20
Password:
Your password will expire in 1 more logins
c2811>sh ver
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(24)T1, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Fri 19-Jun-09 15:13 by prod_rel_team
ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
c2811 uptime is 3 weeks, 5 days, 3 hours, 36 minutes
System returned to ROM by reload at 17:24:56 UTC Thu Aug 20 2009
System image file is "flash:c2800nm-adventerprisek9-mz.124-24.T1.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
Cisco 2811 (revision 53.51) with 512000K/12288K bytes of memory.
Processor board ID FTX1152A3RZ
2 FastEthernet interfaces
1 Serial interface
2 Virtual Private Network (VPN) Modules
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
250880K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102
c2811>
Can you post the content of that bug ID CSCdy54970 report here?
A follow-up question: Do you know if password change via SSH works with s72033-entservicesk9_wan-mz.122-18.SXF14.bin?
Thanks in advance.