
SSH login creds vs local usernames

wwwlstr0707
Level 1

I have an odd request. And I’m beating myself up trying to figure out if it’s even possible. 8200 series router. 

no aaa new model is set currently.  

there are 3 local user accounts:

username user-admin priv 15 password 7 xxxxx

username user2 priv 15 password 7 xxxxx

username user3 priv 15 password 7 xxxxx

currently the line console 0 connection works for all three:

login local

line vty 0 4 works for all three:

login local

transport input ssh

We use user-admin mostly.  And the login local command means it’s going to look for those three defined usernames.   Here’s what’s been requested. Leave the usernames as is and don’t change passwords. We want to ensure that people who have the user-admin cred are prompted for a “separate” ssh password. 

As I'm typing this it sounds even more crazy.
I've tested a few things with aaa and got the result for ssh. But that broke console logins, meaning the banner loaded but there was no user/pass prompt and it times out.

Any thoughts or is that too vague?

 


8 Replies

balaji.bandi
Hall of Fame

First of what is the goal here ?

 Leave the usernames as is and don’t change passwords. We want to ensure that people who have the user-admin cred are prompted for a “separate” ssh password

So you have a password already and you want to have another password to log in, or you need the enable to have a password? This was not clear; not sure if you are trying to invent something on the kit, which has well-defined or predefined options.

You can enable 2 factor, but in most cases that is external authentication.

I’ve tested a few things with aaa and got the result for ssh. But that broke console logins…meaning the banner loaded but no user/pass prompt and it times out. 

What have you tested, without changing the password?

BB


I am puzzled about what the OP is asking for. It seems to say that they want to keep the same user id and password but require a different password. How can the login use both the same and a new/different password? Please provide clarification. 

Depending on what they want a couple of possibilities come to mind:

- perhaps people logging in on the console use the existing ID and password while people logging in using telnet/SSH use a different authentication method with aaa new-model.

- or perhaps people accessing telnet/SSH use existing ID and password while people accessing using HTTP/HTTPS use aaa new-model to require different password.

Actually, in both suggestions everyone is using aaa new-model (either it is on for everyone or it is off for everyone), and for one group you specify an authentication method of local while the other group uses authentication on the server.

HTH

Rick

wwwlstr0707
Level 1

Yeah I knew it wasn't clear.  It's an odd request.  Let me try another way.  AAA new model is not on.

We have local user accounts.  Someone at routerA sits down at the console and connects with user-admin.  Currently they can ssh to routerB and are prompted for the password which they know, and log in.

The request is to not change user-admin's password so that person can still console in with a known password to RouterA.

But if they try to ssh to RouterB that same password should not work.  An alternative "ssh" password that only a few people know is what should work.

I mean from a non-technical perspective it seems kinda basic, just make this one password not work for ssh...providing them a valid resolution is not so easy. I'm just making sure I covered all the bases before I say it can't be done, and then someone else says oh that's easy, do this...LOL

 

Thank you for the clarification. It sounds to me like my first suggestion is what you are looking for. Note that this does require that all the devices configure aaa new-model. And it does require that you have an authentication server (tacacs/Radius). If your organization is not willing to spend the time/resources to implement an authentication server then you are correct in saying that they can not achieve what they want with different passwords for console and for SSH. But if they are willing to spend the time/resources then it is reasonably straightforward. 

You would implement an authentication server and on that authentication server you would configure the users who will use SSH, and would configure a unique password for each user. Note that this approach eliminates the shared password for SSH and results in better security for the network. Then on each device in the network you would enable aaa new-model. You would then configure one authentication method for the console which uses the locally configured ID and password, and configure another authentication method to be used for vty/SSH which uses the authentication server. 

HTH

Rick
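Rick's suggestion in IOS/IOS XE CLI form, written as an added example rather than config from the thread. It assumes a TACACS+ server at 192.0.2.10 (a documentation address), a placeholder shared key, and method-list names CONSOLE and SSH-ONLY that I chose for illustration; the local usernames from the original post are left untouched.

```cisco
! Added example (not the poster's configuration). Assumed server address,
! key placeholder and list names CONSOLE / SSH-ONLY.
aaa new-model
!
! Explicit default list: after "aaa new-model" every line that has no
! named list falls back to "default", so pin it to local rather than
! leaving it implicit.
aaa authentication login default local
!
! Console keeps the three existing local accounts. Because this list is
! local-only it never waits on an unreachable server, which is the usual
! cause of "banner shows, no prompt, then timeout" on the console.
aaa authentication login CONSOLE local
!
! SSH/vty authenticates only against the TACACS+ group. The local
! user-admin password is therefore not accepted over SSH. There is
! deliberately no "local" fallback here; see the note below.
aaa authentication login SSH-ONLY group TAC-SERVERS
!
tacacs server TAC1
 address ipv4 192.0.2.10
 key REPLACE-WITH-SHARED-SECRET
!
aaa group server tacacs+ TAC-SERVERS
 server name TAC1
!
line con 0
 login authentication CONSOLE
!
line vty 0 4
 login authentication SSH-ONLY
 transport input ssh
```

The trade-off a practitioner should weigh is the missing fallback on SSH-ONLY: as written, if the TACACS+ server is unreachable, nobody can SSH in and the only way onto the box is the console (which is exactly what the request asked for). Adding `local` as a second method (`group TAC-SERVERS local`) restores remote access during a server outage, but it also means the local user-admin password works over SSH again whenever the server is down, which reintroduces the shared-password exposure the server was meant to remove. Whichever choice is made, test it from a second session before closing the one you configured it from.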

wwwlstr0707
Level 1

Thanks!  Guess that’s what’s needed, one login for console and one login for ssh. Appreciate the insight. 

You are welcome. Glad my suggestion seems to be what you are looking for. As I said, it depends on how much management wants better security. If they are willing to spend time and money to implement an authentication server, then it is relatively straightforward to implement. 

Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick

Hello
TBH it makes no sense having 3 static usernames with the same privilege level without even any aaa accounting to track what each user is doing.
The 8ks do support predefined user groups, so you can associate a specific user so that they will have various levels of access; this means you can even activate aaa locally and obtain more deterministic, localised login parameters for each user.



Kind Regards
Paul

wwwlstr0707
Level 1

Agreed. 3 usernames makes no sense. Not my config. This is a situation where it's the way it's always been so we're not changing. Then the request came in to "block" ssh for a user, but not being allowed to remove the username, which was my first answer: just remove the username. The response was we want that user to have local console still. Then I thought access list, either deny out from the source or deny in from the destination router. But that would block all. Then they came back and said we just want that user to have an alternate password for ssh. One password for console. One password for ssh. Seems simple. Simple ask. Not so simple in reality. lol.