Hi all,

I have a weird issue on a 7206VXR router. The SSH has been configured with "aaa new-model" and "authentication login default login". line vty 0 4 accepts both telnet and SSH. Now I can login via telnet, but can't via SSH with same crendential. Here are some details:

Firmware: Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 12.4(24)T, RELEASE SOFTWARE (fc1)

Hardware: Cisco 7206VXR (NPE-G1) processor (revision A)

AAA configuration with default local:

#sh run | in aaa  

aaa new-model

aaa authentication login default local

aaa session-id common

Local users:

#sh run | in username

username admin privilege 15 secret 5 $1$RBI6$2ieZFjQiec5lSbb7ac98k0

VTY enables both telnet and ssh with default login auth (login authentication default):

#sh run | sec line vty

line vty 0 4

session-timeout 10

logging synchronous

transport input telnet ssh

Telnet works without issues:

$ telnet xxx.xxx.xxx.xxx

Trying xxx.xxx.xxx.xxx..

Connected to xxx.xxx.xxx.xxx.

Escape character is '^]'.

User Access Verification

Username: admin

Password:

G1>en

Password:

G1#

Issues with SSH login:

$ ssh xxx.xxx.xxx.xxx -ladmin

admin@xxx.xxx.xxx.xxx's password:

Permission denied, please try again.

admin@xxx.xxx.xxx.xxx's password:

Info proves RSA has been generated and SSH server is running properly:

#show ssh

Connection Version Mode Encryption  Hmac           State                         Username

1          2.0     IN   aes128-cbc  hmac-md5     Keys exchanged        admin

1          2.0     OUT  aes128-cbc  hmac-md5     Keys exchanged        admin

%No SSHv1 server connections running.

Logging from debug ip ssh:

*Jun 28 17:38:22.571: SSH2: protocol version id is - SSH-2.0-OpenSSH_6.2

*Jun 28 17:38:22.575: SSH2 2: SSH2_MSG_KEXINIT sent

*Jun 28 17:38:22.587: SSH2 2: SSH2_MSG_KEXINIT received

*Jun 28 17:38:22.587: SSH2:kex: client->server enc:aes128-cbc mac:hmac-md5

*Jun 28 17:38:22.587: SSH2:kex: server->client enc:aes128-cbc mac:hmac-md5

*Jun 28 17:38:22.807: SSH2 2: SSH2_MSG_KEX_DH_GEX_REQUEST received

*Jun 28 17:38:22.807: SSH2 2: Range sent by client is - 1024 < 1024 < 8192

*Jun 28 17:38:22.807: SSH2 2:  Modulus size established : 1024 bits

*Jun 28 17:38:22.815: SSH2 2: expecting SSH2_MSG_KEX_DH_GEX_INIT

*Jun 28 17:38:22.831: SSH2 2: SSH2_MSG_KEXDH_INIT received

*Jun 28 17:38:22.883: SSH2: kex_derive_keys complete

*Jun 28 17:38:22.883: SSH2 2: SSH2_MSG_NEWKEYS sent

*Jun 28 17:38:22.883: SSH2 2: waiting for SSH2_MSG_NEWKEYS

*Jun 28 17:38:22.907: SSH2 2: SSH2_MSG_NEWKEYS received

*Jun 28 17:38:23.555: SSH2: password authentication failed for admin

*Jun 28 17:38:26.515: SSH2: password authentication failed for admin

It's also interesting that it shows invalid userid if I login with SSH version 1 since I didn't limit SSH version here:

$ ssh xxx.xxx.xxx.xxx -ladmin -1

admin@xxx.xxx.xxx.xxx's password:

Permission denied, please try again.

admin@xxx.xxx.xxx.xxx's password:

Logging:

*Jun 28 17:40:11.335: SSH1: protocol version id is - SSH-1.5-OpenSSH_6.2

*Jun 28 17:40:11.335: SSH1: SSH_SMSG_PUBLIC_KEY msg

*Jun 28 17:40:11.363: SSH1: SSH_CMSG_SESSION_KEY msg - length 144, type 0x03

*Jun 28 17:40:11.363: SSH: RSA decrypt started

*Jun 28 17:40:11.391: SSH: RSA decrypt finished

*Jun 28 17:40:11.391: SSH: RSA decrypt started

*Jun 28 17:40:11.403: SSH: RSA decrypt finished

*Jun 28 17:40:11.407: SSH1: sending encryption confirmation

*Jun 28 17:40:11.407: SSH1: keys exchanged and encryption on

*Jun 28 17:40:11.435: SSH1: SSH_CMSG_USER message received

*Jun 28 17:40:11.435: SSH1: authentication request for userid admin

*Jun 28 17:40:11.435: SSH1: invalid userid admin

*Jun 28 17:40:11.435: SSH1: SSH_SMSG_FAILURE message sent

*Jun 28 17:40:17.651: SSH1: SSH_SMSG_FAILURE message sent

*Jun 28 17:40:18.135: SSH1: authentication failed for admin (code=7)

I'll be appreciated for any help. Thanks.