Enabling SSH on a C8300 Router

John N
Level 1

I am trying to enable SSH on a C8300 router. I did the following:

Cisco Catalyst 8300 and Catalyst 8200 Series Edge Platforms Software Configuration Guide - Using Cisco IOS XE Software [Cisco Catalyst 8300 Series Edge Platforms] - Cisco

Please see the output below. So when I SSH I am able to put in the username; when I enter the password I get the timeout error message and the session closes. I configured it on line vty 0 1. Any ideas or assistance would be greatly appreciated.

 

Cisco_C
Nov 15 16:04:31.819: %SYS-5-PRIV_AUTH_PASS: Privilege level set to 15 by ******* on console
Cisco_C#show ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,x509v3-ecdsa-sha2-nistp256,x509v3-ecdsa-sha2-nistp384,x509v3-ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512,x509v3-rsa2048-sha256
Hostkey Algorithms:rsa-sha2-512,rsa-sha2-256,ssh-rsa
Encryption Algorithms:aes256-ctr,aes192-ctr,aes128-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512
KEX Algorithms:diffie-hellman-group14-sha1
Authentication timeout: 60 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): TP-self-signed-1010930280
Modulus Size : 2048 bits
Cisco_C#show run | section line
line con 0
logging synchronous
transport preferred none
stopbits 1
line aux 0
no exec
transport output none
line vty 0 1
logging synchronous
transport input ssh
transport output none
line vty 2 4
no exec
transport input ssh
transport output none
line vty 5 15
no exec
transport input none
transport output none

 

Here is the log of me logging in via SSH and the subsequent errors....

 

Nov 15 15:28:47.231: %SYS-5-CONFIG_I: Configured from console by ****** on console
Cisco_C#
Nov 15 15:29:02.288: %SSH-5-SSH_COMPLIANCE_VIOLATION_HOSTK_ALGO: SSH Host-key Algorithm compliance violation detected.Kindly note that weaker Host-key Algorithm 'ssh-rsa' will be disabled by-default in the upcoming releases.Please configure more stronger Host-Key algorithms to avoid service impact.
Nov 15 15:29:02.386: %SSH-5-SSH2_SESSION: SSH2 Session request from xx.xx.x.x (tty = 1) using crypto cipher 'aes256-ctr', hmac 'hmac-sha2-256' Succeeded
Cisco_C#
Nov 15 15:29:18.163: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: xxxxxx] [Source: xx.xx.x.x] [localport: 22] at 15:29:18 UTC Wed Nov 15 2023
Nov 15 15:29:18.163: %SSH-5-SSH2_USERAUTH: User 'xxxxxx' authentication for SSH2 Session from xx.xx.x.x (tty = 1) using crypto cipher 'aes256-ctr', hmac 'hmac-sha2-256' Succeeded
Nov 15 15:29:18.163: %SSH-3-BAD_PACK_LEN: Bad packet length -554831608
Cisco_C#
Nov 15 15:29:18.163: %SSH-5-SSH2_CLOSE: SSH2 Session from xx.xx.x.x (tty = 1) for user '' using crypto cipher 'aes256-ctr', hmac 'hmac-sha2-256' closed

 

Regards, 

J

 

 

 

16 Replies

M02@rt37
VIP

Hello @John N  

Did you configure AAA or a login local username?

If you have configured login local username, please add login local command under line vty 0 1.

Also, do you test ssh connection from another ssh client ?

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Hello and thank you for your response and help. I do have AAA and a username configured. When I try to add login local to vty 0 1 it's a command that is not recognized. I then enter login followed by a question mark and I get authentication; I put in a question mark after authentication and I get the WORD or default option... Which one should I choose? I have not tried to SSH from another client but I will do that next....

Can you post the complete show run (remove confidential information)?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

@John N  

When you have AAA configured, the login local command is no longer available.

Put login authentication default instead.

Follow @MHM Cisco World recommendation about cipher type.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

balaji.bandi
Hall of Fame

2 suggestions here: check the client you are using. For PuTTY, make sure you have the new ciphers and the latest version of PuTTY installed. (This is not the issue, but it is good to use the latest ciphers.)

Try the steps below:

https://www.cisco.com/c/en/us/td/docs/routers/cloud_edge/c8300/software_config/cat8300swcfg-xe-17-book/isr9000swcfg-xe-16-12-book_chapter_011.html

 

Step 5

Create a username for SSH authentication and enable login authentication:

Router(config)# username jsmith privilege 15 secret 0 p@ss3456 
Router(config)#line vty 0 4
Router(config-line)# login local 

 

BB


Just to show what happens when I try to add login local, this is what I get....

Cisco_C#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Cisco_C(config)#line vty 0 1
Cisco_C(config-line)#login local
^
% Invalid input detected at '^' marker.

Cisco_C(config-line)#login ?
authentication Authentication parameters.

Cisco_C(config-line)#login authentication ?
WORD Use an authentication list with this name.
default Use the default authentication list.

Cisco_C(config-line)#login authentication

I think if you allow all the ciphers/keys that your device can run, this will make SSH succeed.

Sorry, so where would I choose that, from WORD?

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html

Check this: use the ip ssh command and make the device allow all cipher/key types.

karenr022
Level 1

You should configure stronger Host-Key Algorithms. For example, you can configure 'rsa-sha2-512' or 'rsa-sha2-256' instead of 'ssh-rsa' to comply with the security standards.

crypto key generate rsa general-keys modulus 2048 label SSH-KEYS
ip ssh rsa keypair-name SSH-KEYS

Try adjusting the MTU (Maximum Transmission Unit) settings on the router's interfaces that handle the SSH traffic. You can try setting the MTU to a lower value (e.g., 1400) on the interface connected to the SSH client:

interface <interface_name>
   ip mtu 1400

 

John N
Level 1

Thanks to everyone for their responses. I am still having issues with trying to SSH in... Two things: one is I noticed on my vty 0 1 I have access-class 1 in and access-class 2 out; can this make a difference?

 

Also, as I previously mentioned, I am unable to add login local to the config... I get the following...

Cisco_C#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Cisco_C(config)#line vty 0 1
Cisco_C(config-line)#login local
^
% Invalid input detected at '^' marker.

Cisco_C(config-line)#login ?
authentication Authentication parameters.

Cisco_C(config-line)#login authentication ?
WORD Use an authentication list with this name.
default Use the default authentication list.

Cisco_C(config-line)#login authentication

 

@John N  

When you have AAA configured, the login local command is no longer available.

Put login authentication default instead.

Delete access-group command and test ssh connection.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
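Pulling the thread's advice together into one configuration, as an added example written for this thread and not taken from the Cisco guide or from any poster (the username, the secret and the vty range are placeholders): with aaa new-model present, the vty line binds to the default AAA login list instead of login local, the SSH server uses a dedicated 2048-bit key pair, and the host-key algorithm list is narrowed to the rsa-sha2 variants so the compliance warning in the log stops.

```ios
! AAA is enabled, so vty lines take 'login authentication <list>', not 'login local'
aaa new-model
aaa authentication login default local
! placeholder credentials: replace before use
username admin privilege 15 secret REPLACE_WITH_REAL_SECRET
! dedicated 2048-bit RSA key pair for SSH, as suggested in the thread
crypto key generate rsa general-keys modulus 2048 label SSH-KEYS
ip ssh rsa keypair-name SSH-KEYS
ip ssh version 2
! offer only SHA-2 host-key signatures; this drops the legacy 'ssh-rsa' signature
ip ssh server algorithm hostkey rsa-sha2-512 rsa-sha2-256
line vty 0 1
 login authentication default
 transport input ssh
```

Removing ssh-rsa from the host-key list will lock out SSH clients that cannot negotiate rsa-sha2-256 or rsa-sha2-512, so confirm the client supports them (show ip ssh on the router and a verbose client connection will show the negotiated algorithms) before applying it on a production box.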

Ok, I did that and it looked like it was going to let me enter my credentials, and when I put in the password the connection dropped... Here is the output of that session below:

 


Nov 16 20:22:41.900: %SSH-5-SSH_COMPLIANCE_VIOLATION_HOSTK_ALGO: SSH Host-key Algorithm compliance violation detected.Kindly note that weaker Host-key Algorithm 'ssh-rsa' will be disabled by-default in the upcoming releases.Please configure more stronger Host-Key algorithms to avoid service impact.
Nov 16 20:22:41.970: %SSH-5-SSH2_SESSION: SSH2 Session request from 56.xxx.x.x(tty = 0) using crypto cipher 'aes256-ctr', hmac 'hmac-sha2-256' Succeeded
Nov 16 20:23:02.349: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: s] [Source: 56.xxx.x.x] [localport: 22] at 20:23:02 UTC Thu Nov 16 2023
Nov 16 20:23:02.349: %SSH-5-SSH2_USERAUTH: User 's' authentication for SSH2 Session from 56.xxx.x.x (tty = 0) using crypto cipher 'aes256-ctr', hmac 'hmac-sha2-256' Succeeded
Nov 16 20:23:02.349: %SSH-3-BAD_PACK_LEN: Bad packet length -554423080
Nov 16 20:23:02.349: %SSH-5-SSH2_CLOSE: SSH2 Session from 56.xxx.x.x (tty = 0) for user '' using crypto cipher 'aes256-ctr', hmac 'hmac-sha2-256' closed

Nov 16 20:23:02.349: %SSH-3-BAD_PACK_LEN: Bad packet length -554423080 <<- this can be caused by a mismatch between the server and the client
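To pick the pattern in these logs out of a larger syslog file rather than by eye (authentication succeeds, then BAD_PACK_LEN and an immediate close reporting an empty user), here is an added Python example written for this thread, not code from any poster. The log text is constructed to mirror the quoted lines, using documentation addresses; because BAD_PACK_LEN carries no session identifier, the script keys sessions on the tty number and pairs the bad-length message with the next close.

```python
import re

# Constructed sample modelled on the IOS XE syslog lines quoted in the thread
# (RFC 5737 documentation addresses; the second session is a healthy control).
SAMPLE_LOG = """\
Nov 16 20:22:41.970: %SSH-5-SSH2_SESSION: SSH2 Session request from 192.0.2.10 (tty = 0) using crypto cipher 'aes256-ctr', hmac 'hmac-sha2-256' Succeeded
Nov 16 20:23:02.349: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: s] [Source: 192.0.2.10] [localport: 22] at 20:23:02 UTC Thu Nov 16 2023
Nov 16 20:23:02.349: %SSH-5-SSH2_USERAUTH: User 's' authentication for SSH2 Session from 192.0.2.10 (tty = 0) using crypto cipher 'aes256-ctr', hmac 'hmac-sha2-256' Succeeded
Nov 16 20:23:02.349: %SSH-3-BAD_PACK_LEN: Bad packet length -554423080
Nov 16 20:23:02.349: %SSH-5-SSH2_CLOSE: SSH2 Session from 192.0.2.10 (tty = 0) for user '' using crypto cipher 'aes256-ctr', hmac 'hmac-sha2-256' closed
Nov 16 20:30:11.001: %SSH-5-SSH2_SESSION: SSH2 Session request from 192.0.2.11 (tty = 1) using crypto cipher 'aes256-ctr', hmac 'hmac-sha2-256' Succeeded
Nov 16 20:30:15.500: %SSH-5-SSH2_USERAUTH: User 'ops' authentication for SSH2 Session from 192.0.2.11 (tty = 1) using crypto cipher 'aes256-ctr', hmac 'hmac-sha2-256' Succeeded
"""

# "<timestamp>: %FACILITY-SEVERITY-MNEMONIC: <text>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): "
                     r"%(?P<msg>[A-Z_]+-\d-[A-Z0-9_]+): (?P<text>.*)$")
TTY_RE = re.compile(r"\(tty = (\d+)\)")
SRC_RE = re.compile(r"from (\S+?) ?\(tty")   # the thread shows both "x (tty" and "x(tty"

def parse(log):
    """Yield (timestamp, mnemonic, text, tty-or-None) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        tty = TTY_RE.search(m["text"])
        yield m["ts"], m["msg"], m["text"], (tty.group(1) if tty else None)

def find_post_auth_drops(log):
    """Return one record per session that authenticated successfully and was
    then closed immediately after a BAD_PACK_LEN (the failure in the thread)."""
    authed = {}           # tty -> (user, source) for sessions past USERAUTH
    bad_len_seen = False  # BAD_PACK_LEN has no tty, so pair it with the next CLOSE
    hits = []
    for ts, msg, text, tty in parse(log):
        if msg == "SSH-5-SSH2_USERAUTH" and text.endswith("Succeeded"):
            user = re.search(r"User '([^']*)'", text).group(1)
            authed[tty] = (user, SRC_RE.search(text).group(1))
        elif msg == "SSH-3-BAD_PACK_LEN":
            bad_len_seen = True
        elif msg == "SSH-5-SSH2_CLOSE":
            if bad_len_seen and tty in authed:
                user, src = authed.pop(tty)
                hits.append({"tty": tty, "user": user, "source": src, "closed_at": ts})
            bad_len_seen = False
    return hits
```

Run find_post_auth_drops over a saved "show logging" dump to list which users and source addresses hit the post-authentication drop, which separates a client/server algorithm mismatch from plain bad credentials (those never reach SSH2_USERAUTH Succeeded).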
