06-28-2013 12:04 PM - edited 03-10-2019 12:04 AM
Hi all,
I have a weird issue on a 7206VXR router. The SSH has been configured with "aaa new-model" and "authentication login default login". line vty 0 4 accepts both telnet and SSH. Now I can log in via telnet, but can't via SSH with the same credentials. Here are some details:
Firmware: Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 12.4(24)T, RELEASE SOFTWARE (fc1)
Hardware: Cisco 7206VXR (NPE-G1) processor (revision A)
AAA configuration with default local:
#sh run | in aaa
aaa new-model
aaa authentication login default local
aaa session-id common
Local users:
#sh run | in username
username admin privilege 15 secret 5 $1$RBI6$2ieZFjQiec5lSbb7ac98k0
VTY enables both telnet and ssh with default login auth (login authentication default):
#sh run | sec line vty
line vty 0 4
session-timeout 10
logging synchronous
transport input telnet ssh
Telnet works without issues:
$ telnet xxx.xxx.xxx.xxx
Trying xxx.xxx.xxx.xxx..
Connected to xxx.xxx.xxx.xxx.
Escape character is '^]'.
User Access Verification
Username: admin
Password:
G1>en
Password:
G1#
Issues with SSH login:
$ ssh xxx.xxx.xxx.xxx -ladmin
admin@xxx.xxx.xxx.xxx's password:
Permission denied, please try again.
admin@xxx.xxx.xxx.xxx's password:
Info proves RSA has been generated and SSH server is running properly:
#show ssh
Connection Version Mode Encryption  Hmac      State           Username
1          2.0     IN   aes128-cbc  hmac-md5  Keys exchanged  admin
1          2.0     OUT  aes128-cbc  hmac-md5  Keys exchanged  admin
%No SSHv1 server connections running.
Logging from debug ip ssh:
*Jun 28 17:38:22.571: SSH2: protocol version id is - SSH-2.0-OpenSSH_6.2
*Jun 28 17:38:22.575: SSH2 2: SSH2_MSG_KEXINIT sent
*Jun 28 17:38:22.587: SSH2 2: SSH2_MSG_KEXINIT received
*Jun 28 17:38:22.587: SSH2:kex: client->server enc:aes128-cbc mac:hmac-md5
*Jun 28 17:38:22.587: SSH2:kex: server->client enc:aes128-cbc mac:hmac-md5
*Jun 28 17:38:22.807: SSH2 2: SSH2_MSG_KEX_DH_GEX_REQUEST received
*Jun 28 17:38:22.807: SSH2 2: Range sent by client is - 1024 < 1024 < 8192
*Jun 28 17:38:22.807: SSH2 2: Modulus size established : 1024 bits
*Jun 28 17:38:22.815: SSH2 2: expecting SSH2_MSG_KEX_DH_GEX_INIT
*Jun 28 17:38:22.831: SSH2 2: SSH2_MSG_KEXDH_INIT received
*Jun 28 17:38:22.883: SSH2: kex_derive_keys complete
*Jun 28 17:38:22.883: SSH2 2: SSH2_MSG_NEWKEYS sent
*Jun 28 17:38:22.883: SSH2 2: waiting for SSH2_MSG_NEWKEYS
*Jun 28 17:38:22.907: SSH2 2: SSH2_MSG_NEWKEYS received
*Jun 28 17:38:23.555: SSH2: password authentication failed for admin
*Jun 28 17:38:26.515: SSH2: password authentication failed for admin
It's also interesting that it shows invalid userid if I log in with SSH version 1, since I didn't limit the SSH version here:
$ ssh xxx.xxx.xxx.xxx -ladmin -1
admin@xxx.xxx.xxx.xxx's password:
Permission denied, please try again.
admin@xxx.xxx.xxx.xxx's password:
Logging:
*Jun 28 17:40:11.335: SSH1: protocol version id is - SSH-1.5-OpenSSH_6.2
*Jun 28 17:40:11.335: SSH1: SSH_SMSG_PUBLIC_KEY msg
*Jun 28 17:40:11.363: SSH1: SSH_CMSG_SESSION_KEY msg - length 144, type 0x03
*Jun 28 17:40:11.363: SSH: RSA decrypt started
*Jun 28 17:40:11.391: SSH: RSA decrypt finished
*Jun 28 17:40:11.391: SSH: RSA decrypt started
*Jun 28 17:40:11.403: SSH: RSA decrypt finished
*Jun 28 17:40:11.407: SSH1: sending encryption confirmation
*Jun 28 17:40:11.407: SSH1: keys exchanged and encryption on
*Jun 28 17:40:11.435: SSH1: SSH_CMSG_USER message received
*Jun 28 17:40:11.435: SSH1: authentication request for userid admin
*Jun 28 17:40:11.435: SSH1: invalid userid admin
*Jun 28 17:40:11.435: SSH1: SSH_SMSG_FAILURE message sent
*Jun 28 17:40:17.651: SSH1: SSH_SMSG_FAILURE message sent
*Jun 28 17:40:18.135: SSH1: authentication failed for admin (code=7)
I'd appreciate any help. Thanks.
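An added triage example, not part of the original post and not Cisco tooling: it parses `debug ip ssh` lines like those quoted above and reports, per session, whether the failure happened before or after key exchange and what reason the router logged. The sample is a constructed subset of the posted log; the function name `triage` and the stage labels are assumptions of this example.

```python
import re

# Constructed sample: a subset of the `debug ip ssh` lines quoted in the post above.
SAMPLE = """\
*Jun 28 17:38:22.571: SSH2: protocol version id is - SSH-2.0-OpenSSH_6.2
*Jun 28 17:38:22.587: SSH2:kex: client->server enc:aes128-cbc mac:hmac-md5
*Jun 28 17:38:22.807: SSH2 2: Modulus size established : 1024 bits
*Jun 28 17:38:22.883: SSH2: kex_derive_keys complete
*Jun 28 17:38:23.555: SSH2: password authentication failed for admin
*Jun 28 17:38:26.515: SSH2: password authentication failed for admin
*Jun 28 17:40:11.335: SSH1: protocol version id is - SSH-1.5-OpenSSH_6.2
*Jun 28 17:40:11.407: SSH1: keys exchanged and encryption on
*Jun 28 17:40:11.435: SSH1: invalid userid admin
*Jun 28 17:40:18.135: SSH1: authentication failed for admin (code=7)
"""

# Timestamp, then SSH/SSH1/SSH2 with an optional connection number, then the message.
LINE = re.compile(r"^\*\w{3} +\d+ [\d:.]+: (SSH[12]?)[ \d]*: ?(.*)$")

def triage(log):
    """Split debug output into sessions and report how far each one got."""
    sessions = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        proto, msg = m.groups()
        if msg.startswith("protocol version id is"):  # first line of every session
            sessions.append({"proto": proto, "client": msg.split(" - ")[1],
                             "enc": None, "mac": None, "dh_bits": None,
                             "keys_ok": False, "failures": 0, "reason": None})
        elif sessions:
            s = sessions[-1]
            if alg := re.search(r"client->server enc:(\S+) mac:(\S+)", msg):
                s["enc"], s["mac"] = alg.groups()
            elif bits := re.search(r"Modulus size established : (\d+) bits", msg):
                s["dh_bits"] = int(bits.group(1))
            elif "kex_derive_keys complete" in msg or "keys exchanged" in msg:
                s["keys_ok"] = True
            elif "invalid userid" in msg:
                s["reason"] = "userid rejected"
            elif "authentication failed" in msg:
                s["failures"] += 1
                s["reason"] = s["reason"] or "password rejected"
    for s in sessions:
        # Failures after a finished key exchange implicate the login/AAA path, not keys.
        s["stage"] = ("authentication" if s["keys_ok"] and s["failures"]
                      else "no failure logged" if s["keys_ok"] else "transport")
    return sessions
```

On the posted log both sessions finish key exchange and fail at the authentication stage, which points away from the RSA key pair and transport settings and toward the router's user lookup.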
06-28-2013 04:22 PM
Very interesting. I got the problem solved by a simple restart. Not sure if it's related to low free RAM (under 2MB), but I'm still curious what could cause the issue.
07-08-2013 03:45 AM
Could be an issue with memory or exhausted sessions for SSH.
~BR
Jatin Katyal
**Do rate helpful posts**