Beginner

SSH doesn't take my local user

Hi all,

I have a weird issue on a 7206VXR router. SSH has been configured with "aaa new-model" and "authentication login default login". line vty 0 4 accepts both telnet and SSH. Now I can log in via telnet, but can't via SSH with the same credentials. Here are some details:

Firmware: Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 12.4(24)T, RELEASE SOFTWARE (fc1)

Hardware: Cisco 7206VXR (NPE-G1) processor (revision A)

AAA configuration with default local:

#sh run | in aaa  

aaa new-model

aaa authentication login default local

aaa session-id common

Local users:

#sh run | in username

username admin privilege 15 secret 5 $1$RBI6$2ieZFjQiec5lSbb7ac98k0

VTY enables both telnet and ssh with default login auth (login authentication default):

#sh run | sec line vty

line vty 0 4

session-timeout 10

logging synchronous

transport input telnet ssh

Telnet works without issues:

$ telnet xxx.xxx.xxx.xxx

Trying xxx.xxx.xxx.xxx..

Connected to xxx.xxx.xxx.xxx.

Escape character is '^]'.

User Access Verification

Username: admin

Password:

G1>en

Password:

G1#

Issues with SSH login:

$ ssh xxx.xxx.xxx.xxx -ladmin

admin@xxx.xxx.xxx.xxx's password:

Permission denied, please try again.

admin@xxx.xxx.xxx.xxx's password:

Info proves RSA has been generated and SSH server is running properly:

#show ssh

Connection Version Mode Encryption  Hmac           State                         Username

1          2.0     IN   aes128-cbc  hmac-md5     Keys exchanged        admin

1          2.0     OUT  aes128-cbc  hmac-md5     Keys exchanged        admin

%No SSHv1 server connections running.

Logging from debug ip ssh:

*Jun 28 17:38:22.571: SSH2: protocol version id is - SSH-2.0-OpenSSH_6.2

*Jun 28 17:38:22.575: SSH2 2: SSH2_MSG_KEXINIT sent

*Jun 28 17:38:22.587: SSH2 2: SSH2_MSG_KEXINIT received

*Jun 28 17:38:22.587: SSH2:kex: client->server enc:aes128-cbc mac:hmac-md5

*Jun 28 17:38:22.587: SSH2:kex: server->client enc:aes128-cbc mac:hmac-md5

*Jun 28 17:38:22.807: SSH2 2: SSH2_MSG_KEX_DH_GEX_REQUEST received

*Jun 28 17:38:22.807: SSH2 2: Range sent by client is - 1024 < 1024 < 8192

*Jun 28 17:38:22.807: SSH2 2:  Modulus size established : 1024 bits

*Jun 28 17:38:22.815: SSH2 2: expecting SSH2_MSG_KEX_DH_GEX_INIT

*Jun 28 17:38:22.831: SSH2 2: SSH2_MSG_KEXDH_INIT received

*Jun 28 17:38:22.883: SSH2: kex_derive_keys complete

*Jun 28 17:38:22.883: SSH2 2: SSH2_MSG_NEWKEYS sent

*Jun 28 17:38:22.883: SSH2 2: waiting for SSH2_MSG_NEWKEYS

*Jun 28 17:38:22.907: SSH2 2: SSH2_MSG_NEWKEYS received

*Jun 28 17:38:23.555: SSH2: password authentication failed for admin

*Jun 28 17:38:26.515: SSH2: password authentication failed for admin

It's also interesting that it shows invalid userid if I log in with SSH version 1, since I didn't limit the SSH version here:

$ ssh xxx.xxx.xxx.xxx -ladmin -1

admin@xxx.xxx.xxx.xxx's password:

Permission denied, please try again.

admin@xxx.xxx.xxx.xxx's password:

Logging:

*Jun 28 17:40:11.335: SSH1: protocol version id is - SSH-1.5-OpenSSH_6.2

*Jun 28 17:40:11.335: SSH1: SSH_SMSG_PUBLIC_KEY msg

*Jun 28 17:40:11.363: SSH1: SSH_CMSG_SESSION_KEY msg - length 144, type 0x03

*Jun 28 17:40:11.363: SSH: RSA decrypt started

*Jun 28 17:40:11.391: SSH: RSA decrypt finished

*Jun 28 17:40:11.391: SSH: RSA decrypt started

*Jun 28 17:40:11.403: SSH: RSA decrypt finished

*Jun 28 17:40:11.407: SSH1: sending encryption confirmation

*Jun 28 17:40:11.407: SSH1: keys exchanged and encryption on

*Jun 28 17:40:11.435: SSH1: SSH_CMSG_USER message received

*Jun 28 17:40:11.435: SSH1: authentication request for userid admin

*Jun 28 17:40:11.435: SSH1: invalid userid admin

*Jun 28 17:40:11.435: SSH1: SSH_SMSG_FAILURE message sent

*Jun 28 17:40:17.651: SSH1: SSH_SMSG_FAILURE message sent

*Jun 28 17:40:18.135: SSH1: authentication failed for admin (code=7)

I'd appreciate any help. Thanks.

Beginner

Very interesting. I got the problem solved by a simple restart. Not sure if it's related to low free RAM (under 2MB), but I'm still curious what could cause the issue.

Cisco Employee

Could be an issue with memory or exhausted sessions for SSH.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin Katyal
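
An added example, not part of the thread: a small Python parser that groups `debug ip ssh` lines like those in the question into sessions, separating the two failure signatures seen there (`password authentication failed` on SSHv2, `invalid userid` on SSHv1) and listing the negotiated parameters worth hardening. The regexes, field names and the 2048-bit threshold are this example's assumptions, not Cisco's.

```python
import re

# Sample input: a selection of lines copied from the debug output in the question.
SAMPLE = """\
*Jun 28 17:38:22.571: SSH2: protocol version id is - SSH-2.0-OpenSSH_6.2
*Jun 28 17:38:22.587: SSH2:kex: client->server enc:aes128-cbc mac:hmac-md5
*Jun 28 17:38:22.807: SSH2 2:  Modulus size established : 1024 bits
*Jun 28 17:38:23.555: SSH2: password authentication failed for admin
*Jun 28 17:40:11.335: SSH1: protocol version id is - SSH-1.5-OpenSSH_6.2
*Jun 28 17:40:11.435: SSH1: invalid userid admin
"""

RULES = [  # patterns are this example's own, fitted to the lines above
    ("version", re.compile(r"protocol version id is - SSH-([\d.]+)-(\S+)")),
    ("kex", re.compile(r"kex: client->server enc:(\S+) mac:(\S+)")),
    ("modulus", re.compile(r"Modulus size established : (\d+) bits")),
    ("bad_user", re.compile(r"invalid userid (\S+)")),
    ("bad_password", re.compile(r"password authentication failed for (\S+)")),
]

def parse_sessions(text):
    # A version banner starts a new session; later lines attach to it.
    sessions = []
    for line in text.splitlines():
        for field, rx in RULES:
            m = rx.search(line)
            if m and field == "version":
                sessions.append({"proto": m.group(1), "client": m.group(2), "enc": None,
                                 "mac": None, "modulus": None, "failures": []})
            elif m and sessions and field == "kex":
                sessions[-1]["enc"], sessions[-1]["mac"] = m.groups()
            elif m and sessions and field == "modulus":
                sessions[-1]["modulus"] = int(m.group(1))
            elif m and sessions:  # bad_user / bad_password: keep reason and username
                sessions[-1]["failures"].append((field, m.group(1)))
    return sessions

def weak_parameters(s):
    # Hardening findings for one session; 2048 bits is the RFC 8270 minimum.
    checks = [
        (s["proto"].startswith("1."), "SSHv1 accepted"),
        (bool(s["enc"]) and s["enc"].endswith("-cbc"), "CBC cipher"),
        (s["mac"] == "hmac-md5", "MD5-based MAC"),
        (bool(s["modulus"]) and s["modulus"] < 2048, "DH modulus under 2048 bits"),
    ]
    return [msg for cond, msg in checks if cond]

if __name__ == "__main__":
    for s in parse_sessions(SAMPLE):
        print(s["proto"], s["failures"], weak_parameters(s))
```
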