SG300 on 1.1 Firmware has Double-Login On SSH

John Bullen · ‎01-05-2012

We just upgraded our Sg300 series switches to the new IOS so we can get CLI access. The upgrade went fine but it seems we have two login prompts, the first being completely unnecessary as you can just hit return to get by it. IE here is the progression:

1. Connect SSH

2. Receive a "login:" prompt. Anything can be entered here, including just return

3. Login banner is displayed

4. Username Prompt is then displayed. Valid username required

5. Password Prompt displayed - Valid password required

6. Now at CLI 1. Connect SSH

I am trying to get rid of that first login prompt (IE Step 2) as it is causing issues with our configuration software. I have tried every line and authentication command I can think of, the only thing that gets rid of it is using none authentication which obviously we can't stay with. Anyone else have this issue and how did you get around it?

David Hornstein · ‎01-14-2012

Hi

Yep seen the same thing, as captured below in red and it doesn't look correct.

I opened up two SSH sessions login=test1 login=test2 which can be seen in the screen capture below in red.

It's neat that I can differentiate these sessions, but it still looks weird.

I have open a case (SR# 620357317) with the wonderful folk at Small Business Support center (SBSC).

I may update the post , but you are correct, it just doesn't look right..

But these switches have a fantastic Warranty, you have the ability to call the good folk at SBSC for support to resolve issues or questions you come across. Thank you for your business.

regards Dave.

login as: test2

User Name:dave

Password:******

SG300-10P#sh ip ssh

SSH Server enabled. Port: 22

RSA key was generated.

DSA(DSS) key was not generated.

SSH Public Key Authentication is disabled.

Active incoming sessions:

IP address SSH username Version Cipher Auth Code

----------------- -------------- ----------- ----------- --------------

192.168.20.100 test1 SSH-2.0-PuT aes256-cbc hmac-sha1

TY_Release_

0.61

192.168.20.100 test2 SSH-2.0-PuT aes256-cbc hmac-sha1

TY_Release_

0.61

David Hornstein · ‎01-28-2012

Hi John,

An answer I got almost 2 weeks ago by opening up a case with the great folks at the Small Business Support Center ..."That is the way it works for our SSH (SSH authentication first then AAA authentication) Though, there is already plan to eliminate this double log in in 1.2.5 "

I wasn't happy with the response, if there is some RSA key echange at the first login , then I didn't want to see it as a login.

OK.. but it will be tidied up, so i was told in the next release for firmware.

regards Dave

Robert Connelly · ‎07-12-2018

I added

aaa authentication login SSH local
aaa authentication enable SSH enable
aaa authentication login Telnet local
aaa authentication enable Telnet enable

and it got rid of the double logon issue

Robert Connelly · ‎07-12-2018

OK my update missing some info

Added that above as well as

ip ssh server
ip ssh password-auth
encrypted ip ssh-client password *******************************************
ip ssh-client server authentication

jlma81 · ‎11-08-2018

Thanks Robert Connelly, by adding just the command "ip ssh password-auth" was enough, still I am sharing my aaa config here in case someone has a similar config.

aaa authentication login authorization ssh tacacs local
aaa authentication enable authorization ssh tacacs enable
aaa authentication login Console tacacs local
aaa authentication enable Console tacacs enable
aaa accounting login start-stop group tacacs+

Regards.

PremNaresh2556 · ‎03-19-2020

Please let us know how to resolve the same issue for sf220.