03-17-2020 09:25 AM
Hey all,
I have a router that I have configured SSH on with local AAA authentication enabled. I am prompted to log in, but the login returns "access denied". Curious as to why this was happening, I enabled telnet to test as well. Using the same configuration and credentials I am able to connect via telnet fine. Only when I try entering the credentials over SSH do I get "access denied". Please see my relevant configuration below.
aaa new-model
!
aaa authentication login default local
!
ip domain name mirion.com
username cisco privilege 15 password cisco
!
ip ssh version 2
!
line vty 0 4
privilege level 15
transport input all
line vty 5 15
privilege level 15
transport input all
================================================================================================
output of sh version
Cisco IOS Software, 3800 Software (C3845-ADVENTERPRISEK9-M), Version 15.1(3)T1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Sun 27-Mar-11 09:27 by prod_rel_team
ROM: System Bootstrap, Version 12.4(13r)T10, RELEASE SOFTWARE (fc1)
Mirion_Router uptime is 30 weeks, 5 days, 1 hour, 16 minutes
System returned to ROM by power-on
System image file is "flash:c3845-adventerprisek9-mz.151-3.T1.bin"
Last reload type: Normal Reload
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
Cisco 3845 (revision 1.0) with 1008640K/39936K bytes of memory.
Processor board ID FCZ130270P9
2 Gigabit Ethernet interfaces
1 Serial interface
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
479K bytes of NVRAM.
500472K bytes of ATA System CompactFlash (Read/Write)
License Info:
License UDI:
-------------------------------------------------
Device# PID SN
-------------------------------------------------
*0 CISCO3845-MB FOC124926TY
Configuration register is 0x2102
================================================================================================
03-17-2020 09:31 AM
03-17-2020 09:38 AM
Yes, I have generated the key two separate times to be sure.
crypto key generate rsa general-keys modulus 2048
03-17-2020 10:00 AM
Hi,
1. Post the output of "show ip ssh" and "show control-plane host open-ports".
2. Do you have any ACL applied inbound on the interface the SSH session is landing on?
Regards,
Cristian Matei.
03-17-2020 11:10 AM
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
================================================================================================
Active internet connections (servers and established)
Prot Local Address Foreign Address Service State
tcp *:22 *:0 SSH-Server LISTEN
tcp *:23 *:0 Telnet LISTEN
tcp *:80 *:0 HTTP CORE LISTEN
tcp *:80 *:0 HTTP CORE LISTEN
tcp *:23 24.99.211.51:61973 Telnet ESTABLIS
udp *:55990 *:0 IP SNMP LISTEN
udp *:161 *:0 IP SNMP LISTEN
udp *:162 *:0 IP SNMP LISTEN
udp *:1975 *:0 IPC LISTEN
No, I have no ACL applied inbound on the interface the SSH session is landing on, and telnet authenticates perfectly fine.
Thanks,
Daniel Usher
03-19-2020 09:47 AM
Hi,
Per the provided config, if still in place, there are two possible outcomes:
1. The router has a funky SSH bug, to isolate it, ssh to the router itself from a remote telnet session; so connect via telnet and run "ssh -l cisco x.x.x.x", where x.x.x.x is an IP of the router; if it works, all good on the router side, if not, reload and/or upgrade
2. The SSH client you're using either has specific cryptographic algorithm requirements which don't match what your Cisco device is using, or it does not meet the minimum requirements from the Cisco output; try using a different SSH client:
Minimum expected Diffie Hellman key size : 1024 bits
Regards,
Cristian Matei.
03-19-2020 11:05 AM
Logging into the router via SSH from the telnet session seems to have solved the issue. No reload was required. Thank you for the help and information.
03-17-2020 11:12 AM
Hello.
Did you set a hostname to the router?
Based on: https://www.cisco.com/c/en/us/support/docs/security-vpn/secure-shell-ssh/4145-ssh.html
There are four steps required to enable SSH support on a Cisco IOS router:
Configure the hostname command.
Configure the DNS domain.
Generate the SSH key to be used.
Enable SSH transport support for the virtual type terminal (vtys).
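As an added example (not from the thread or from Cisco), the script below checks those prerequisites statically against an IOS-style config text: it uses the config posted above as a constructed sample (with the hostname that the "show version" output reveals added on top) and a constructed broken variant. The RSA key pair is the one step it cannot see, since keys never appear in running-config.

```python
import re

# Constructed sample: the config posted in the thread, plus the hostname
# that the thread's "show version" output shows (Mirion_Router).
POSTED_CONFIG = """\
hostname Mirion_Router
aaa new-model
aaa authentication login default local
ip domain name mirion.com
username cisco privilege 15 password cisco
ip ssh version 2
line vty 0 4
 privilege level 15
 transport input all
line vty 5 15
 privilege level 15
 transport input all
"""

# Constructed counter-example: no hostname, and vty 0-4 only allows telnet.
BROKEN_CONFIG = POSTED_CONFIG.replace("hostname Mirion_Router\n", "") \
    .replace(" transport input all\nline vty 5", " transport input telnet\nline vty 5")

def vty_transports(lines):
    """Map each 'line vty A B' block to the set of transports it allows (None if unset)."""
    blocks, current = {}, None
    for raw in lines:
        line = raw.strip()
        m = re.match(r"line vty (\d+) (\d+)$", line)
        if m:                                    # start of a new vty block
            current = f"vty {m.group(1)}-{m.group(2)}"
            blocks[current] = None
        elif line.startswith(("line ", "!", "end")):
            current = None                       # left the vty block
        elif current and line.startswith("transport input "):
            blocks[current] = set(line.split()[2:])
    return blocks

def check_ssh_prereqs(config):
    """Return a list of findings; an empty list means the static prerequisites look right."""
    lines = [l.strip() for l in config.splitlines()]
    findings = []
    if not any(l.startswith("hostname ") for l in lines):
        findings.append("hostname not set (the RSA key pair is named after it)")
    if not any(re.match(r"ip domain[- ]name \S+", l) for l in lines):
        findings.append("ip domain name not set (needed to generate the RSA key pair)")
    if "aaa new-model" in lines and not any(l.startswith("aaa authentication login ") for l in lines):
        findings.append("aaa new-model is on but no 'aaa authentication login' method list exists")
    if not any(l.startswith("username ") for l in lines):
        findings.append("no local username, so local authentication cannot succeed")
    for vty, allowed in vty_transports(lines).items():
        if allowed is None:
            findings.append(f"{vty}: transport input not set explicitly (platform default applies)")
        elif not allowed & {"all", "ssh"}:
            findings.append(f"{vty}: transport input {' '.join(sorted(allowed))} does not permit ssh")
    return findings
# The key pair itself is verified on the box with "show ip ssh" (as in this
# thread) or "show crypto key mypubkey rsa", not from running-config.
```

Once SSH works, "transport input ssh" on the vty lines drops the cleartext telnet path that this thread used for troubleshooting.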
03-19-2020 09:37 AM
This is a good reminder of the required steps for enabling SSH. From the output in a previous post we have this
SSH Enabled - version 2.0
and this provides verification that the steps must have been successfully completed because SSH is enabled.
I am wondering a bit about the possibilities that perhaps the issue might be version of SSH - the Cisco will accept only SSH version 2, so is it possible that the client is attempting to negotiate version 1? Perhaps running debug for SSH might shed some light on that.
But then I am thinking that it seems that there is a prompt for user credentials, and I don't think that would happen if the issue were an SSH version mismatch. So I am thinking that perhaps there is some issue with authentication. So perhaps debug for AAA authentication might shed some light.