Help understanding VTY config with SSH

OllerTech
Level 1

Hi,

To get a functional SSH in a packet tracer lab, I've done the following:

ip domain-name [name]
username Admin priv 15 secret [password]
aaa new-model
crypto key generate RSA
1024

At this point, I'm able to access the router from one of the PCs in packet tracer over SSH without issues. But some guides suggest that I also need to config VTY lines for SSH to work:

line vty 0 15
transport input SSH

This makes me confused... isn't VTY config required when using the "aaa new-model" function? Does this only apply to some other type of SSH setup? Because everything seems to be working without messing with VTY.

Thanks,

4 Replies

Mark Malone
VIP Alumni

Hi
It's advised to use that transport input ssh; the reason being it turns off telnet for the vty lines, which is good as it's insecure. You should also always have a vty access-list in place too (access-class x in).

With the config you have in place there you shouldn't even need the aaa new-model command, as that's activating aaa, which you don't have configured, unless you have omitted some of the config from your post.

This is all that's required to get ssh working:

Set Up an IOS Router or Switch as SSH Client

There are four steps required to enable SSH support on a Cisco IOS router:

  1. Configure the hostname command.
  2. Configure the DNS domain.
  3. Generate the SSH key to be used.
  4. Enable SSH transport support for the virtual type terminal (vtys

Julio E. Moisa
VIP Alumni

Hi

SSH is used to protect the information passing through the VTY; AAA helps to verify the identity of the users, reporting, etc. You can use Radius, ACS, TACACS+ or local credentials to manage the devices. More information: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_nx-os-cfg/sec_aaa.html


Now the configuration you showed is pointing to local credentials:

username Admin priv 15 secret [password]


So you need to disable aaa new-model and add the following command under the line VTY:


line vty 0 15

transport input SSH  <-- enables secure remote access; this config also disables telnet, which is good

login local


Hope it is useful

:-)

>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<

I do not agree with Julio about his suggestion that you should not enable aaa new-model. Using that command has exactly the same effect as his suggestion of using login local on the vty. And frankly using aaa new-model is more of a best practice than is login local.


As Julio and Mark have pointed out, the configuration of SSH transport on the vty is not required, but is probably a best practice. It limits the transport protocol to SSH (eliminating telnet and some other transport protocols that are enabled by default). So it makes your config more secure for the router.


HTH


Rick

Hello


line vty x x

transport input/output all = means it allows all protocols (inc. telnet, ssh), which is the default setting on vty lines; as such, if you apply this command you won't see it in the configuration. Hence, as the others have stated, specifying transport input/output telnet/ssh then allows only that protocol and negates the others.


res
Paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
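As an added example (not from any reply in this thread, nor Cisco's own tooling), the points made above can be turned into an audit of a saved `show running-config`: a `line vty` block with no `transport input` inherits the invisible default `transport input all` (Paul's point), every vty range should carry an inbound `access-class` (Mark's point), and either `aaa new-model` or `login local` counts as the authentication method (Rick's point). The two sample configs and the ACL number are constructed for the example.

```python
import re

# Constructed sample: the poster's config never touches the vty lines, so IOS
# keeps its default 'transport input all', which 'show run' does not display.
WEAK_CONFIG = """\
aaa new-model
line vty 0 4
 exec-timeout 10 0
line vty 5 15
!
"""

# Constructed sample: the same box after the advice in the thread is applied.
HARDENED_CONFIG = """\
aaa new-model
access-list 10 permit 192.0.2.0 0.0.0.255
line vty 0 15
 access-class 10 in
 transport input ssh
!
"""

def parse_vty_blocks(config):
    """Map each 'line vty A B' range to its indented sub-commands (lower-cased)."""
    blocks, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"line vty (\d+ \d+)\s*$", raw)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip().lower())
        else:
            current = None  # any other top-level line ('!', 'line con 0', ...) ends the block
    return blocks

def audit_vty(config):
    """Return findings per vty range; empty means SSH-only, ACL-bound and authenticated."""
    has_aaa = re.search(r"^aaa new-model\s*$", config, re.M) is not None
    findings = []
    for rng, cmds in parse_vty_blocks(config).items():
        # No 'transport input' line means the hidden IOS default: all protocols.
        transport = next((c for c in cmds if c.startswith("transport input")), "transport input all")
        if transport.endswith(" all") or "telnet" in transport:
            findings.append(f"line vty {rng}: {transport} (telnet allowed)")
        if not any(c.startswith("access-class") and c.endswith(" in") for c in cmds):
            findings.append(f"line vty {rng}: no inbound access-class")
        if not has_aaa and "login local" not in cmds:
            findings.append(f"line vty {rng}: no login local and aaa new-model is absent")
    return findings
```

Running `audit_vty(WEAK_CONFIG)` reports both default vty ranges as telnet-capable and unfiltered, while `audit_vty(HARDENED_CONFIG)` returns no findings.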