08-01-2022 08:33 AM
Hey all, I seem to be having a 'dumb' moment. A colleague configured a 2960X and didn't set up SSH on it.
I thought I did all the necessary steps, but I seem to be getting a login prompt I can't get past.
Building configuration...
Current configuration : 2722 bytes
!
! Last configuration change at 14:23:37 UTC Mon Aug 1 2022
! NVRAM config last updated at 14:13:36 UTC Mon Aug 1 2022
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname REDACTED
!
boot-start-marker
boot-end-marker
!
!
username cisco password 0 cisco
no aaa new-model
switch 1 provision ws-c2960x-24ts-l
!
!
no ip domain-lookup
ip domain-name REDACTED.com
!
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
ip address 192.168.0.19 255.255.255.0
!
ip default-gateway 192.168.0.1
ip http server
ip http secure-server
!
ip ssh version 2
!
!
!
!
line con 0
line vty 0 4
privilege level 15
password XXXXXX
login local
transport input ssh
line vty 5 15
privilege level 15
password XXXXXX
login local
transport input ssh
!
end
08-01-2022 01:09 PM - edited 08-01-2022 01:09 PM
try
(config)#crypto key generate rsa
How many bits in the modulus [512]: 1024
08-01-2022 01:20 PM
Hi,
Is SSH configured correctly? Console to the device or Telnet and provide the output of "sh ip ssh"?
Also, on your terminal emulator (PuTTY), make sure you use SSH and not Telnet as the protocol.
HTH
08-01-2022 01:31 PM
Hello everyone,
The suggestions to run "crypto key generate" or to verify whether SSH is running are legit, but notice that PuTTY already connected to the switch with the initial SSH handshake - otherwise it wouldn't ask for the password. Based on this, SSH is most certainly running on the switch, and the keys were most likely generated as part of generating the X.509 certificate for the HTTPS server (through "ip http secure-server").
The most likely issue here is that the login/password combination is invalid. From the shared configuration, it should be "cisco"/"cisco". However, is it possible that there is a whitespace in the password after the last character - in other words, is it possible that the password is in reality "cisco " - or "cisco<space>"?
You may want to add another username/password combination and log in using that combination to see if that makes any difference.
Best regards,
Peter
08-02-2022 03:06 AM
Hello all, Thank you for the suggestions, I've been scratching my head on this one.
@Peter Paluch I have tried a few different combinations of usernames and passwords, but deleted them before I copied the startup config file. I will definitely try again. I'll clear all the usernames and redo using cisco / cisco again just to make it simple.
@Reza Sharifi I will get the output of the SSH configuration and paste it here and I'm definitely using SSH not Telnet.
@W-ALI I set it to 2048 bit
08-02-2022 03:34 AM - edited 08-02-2022 03:36 AM
Ok, so I removed the line password and deleted the local username completely. Still prompts for a password!
Current configuration : 2646 bytes
!
! Last configuration change at 09:19:20 UTC Tue Aug 2 2022
! NVRAM config last updated at 09:22:34 UTC Tue Aug 2 2022
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname WATPLNCFSW01
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
switch 1 provision ws-c2960x-24ts-l
!
!
no ip domain-lookup
ip domain-name REDACTED
!
!
!
!
!
cluster enable BoilerHouse 0
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
shutdown
!
interface GigabitEthernet1/0/1
switchport access vlan 150
switchport mode access
!
interface GigabitEthernet1/0/2
switchport access vlan 150
switchport mode access
!
interface GigabitEthernet1/0/3
switchport access vlan 150
switchport mode access
!
interface GigabitEthernet1/0/4
switchport access vlan 150
switchport mode access
!
interface GigabitEthernet1/0/5
switchport access vlan 150
switchport mode access
!
interface GigabitEthernet1/0/6
switchport access vlan 150
switchport mode access
!
interface GigabitEthernet1/0/7
switchport access vlan 150
switchport mode access
!
interface GigabitEthernet1/0/8
switchport access vlan 150
switchport mode access
!
interface GigabitEthernet1/0/9
switchport access vlan 150
switchport mode access
!
interface GigabitEthernet1/0/10
switchport access vlan 150
switchport mode access
!
interface GigabitEthernet1/0/11
switchport access vlan 150
switchport mode access
!
interface GigabitEthernet1/0/12
switchport access vlan 150
switchport mode access
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
switchport access vlan 250
switchport mode access
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/0/25
switchport trunk allowed vlan 150,250
switchport mode trunk
keepalive 5
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
ip address 192.168.0.19 255.255.255.0
!
ip default-gateway 192.168.0.1
ip http server
ip http secure-server
!
ip ssh version 2
!
!
!
!
line con 0
line vty 0 4
privilege level 15
no login
transport input ssh
line vty 5 15
privilege level 15
no login
transport input ssh
!
end
Here is the SSH config
WATPLNCFSW01(config-line)#do sh ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MAC Algorithms:hmac-sha1,hmac-sha1-96
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCxDjvdF1nho6f4LvJTzsyVoHz9BddGYcuzINjTYQWo
TqGRoOnlLt7NuzU3MTbl4XRicrmA1ti7uaYCC7nDifVRH+YeE1lWx7XpccQFewscXvJqAOYmkELRxJiA
MqtPxuv/wyrXzHp5UW30ziqVKQFZcfxAfiSJSV2EZUhRH7H9/w==
WATPLNCFSW01(config-line)#
I need to ask, but I'm pretty sure I know the answer. The domain-name doesn't need to match the PC I'm using to connect with, it's just a requirement of the RSA token, right?
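Added example, not part of any post in this thread: Peter's point that the SSH handshake already completed means the client has seen a host key, and "show ip ssh" prints the switch's own ssh-rsa key, so the two can be compared. The script below decodes the base64 blob exactly as printed above (three wrapped lines joined), checks it is a well-formed ssh-rsa key, reports the modulus size and public exponent, and computes the MD5 (colon-hex, as PuTTY's host-key dialog shows) and SHA256 (as current OpenSSH shows) fingerprints so you can tell whether the device that answered at 192.168.0.19 is this switch. Everything is standard library; the wire format parsing follows RFC 4253 (`string key_type, mpint e, mpint n`).

```python
import base64
import hashlib
import struct

# ssh-rsa host key as printed by "show ip ssh" in the thread above,
# with the three wrapped base64 lines joined.
IOS_KEY_B64 = (
    "AAAAB3NzaC1yc2EAAAADAQABAAAAgQCxDjvdF1nho6f4LvJTzsyVoHz9BddGYcuzINjTYQWo"
    "TqGRoOnlLt7NuzU3MTbl4XRicrmA1ti7uaYCC7nDifVRH+YeE1lWx7XpccQFewscXvJqAOYmkELRxJiA"
    "MqtPxuv/wyrXzHp5UW30ziqVKQFZcfxAfiSJSV2EZUhRH7H9/w=="
)


def _read_string(blob, offset):
    """Read one RFC 4251 'string': uint32 big-endian length, then that many bytes."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated SSH string at offset %d" % offset)
    return blob[start:start + length], start + length


def decode_blob(key_b64):
    """Join wrapped lines and base64-decode the SECSH/OpenSSH key blob."""
    return base64.b64decode("".join(key_b64.split()))


def parse_ssh_rsa(key_b64):
    """Parse an ssh-rsa public key blob into its type, exponent e and modulus n."""
    blob = decode_blob(key_b64)
    key_type, off = _read_string(blob, 0)
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing data after RSA public key")
    if key_type != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key: %r" % key_type)
    return {
        "type": key_type.decode(),
        "e": int.from_bytes(e_bytes, "big"),
        "n": int.from_bytes(n_bytes, "big"),
    }


def key_bits(key_b64):
    """Modulus size in bits (the number IOS asks for at 'How many bits in the modulus')."""
    return parse_ssh_rsa(key_b64)["n"].bit_length()


def fingerprints(key_b64):
    """MD5 colon-hex (PuTTY / older OpenSSH) and SHA256 base64 (current OpenSSH)
    fingerprints of the raw key blob, which is what SSH clients hash."""
    blob = decode_blob(key_b64)
    md5_hex = hashlib.md5(blob).hexdigest()
    md5_fp = ":".join(md5_hex[i:i + 2] for i in range(0, len(md5_hex), 2))
    sha_b64 = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"MD5": md5_fp, "SHA256": "SHA256:" + sha_b64}


def matches_presented_key(key_b64, presented_fp):
    """True if a fingerprint copied from the client's host-key prompt matches
    the key the switch itself prints; accepts either display form."""
    fps = fingerprints(key_b64)
    candidate = presented_fp.strip()
    if candidate.lower().startswith("md5:"):
        candidate = candidate[4:]
    return candidate.lower() == fps["MD5"] or candidate == fps["SHA256"]


if __name__ == "__main__":
    key = parse_ssh_rsa(IOS_KEY_B64)
    print("type=%s bits=%d e=%d" % (key["type"], key_bits(IOS_KEY_B64), key["e"]))
    for name, value in fingerprints(IOS_KEY_B64).items():
        print("%s %s" % (name, value))
```

Run it and compare the printed fingerprint with the one PuTTY shows in its host-key prompt (or with `ssh-keygen -l -E md5 -f` on the key saved to a file). A mismatch means a different host is answering on that IP, which is exactly the failure mode later found in this thread. Decoding the key above also shows a 1024-bit modulus, the value W-ALI suggested; 2048 bits is the better choice when the key is regenerated.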
08-02-2022 04:36 AM
You SSH to a name and use DNS to resolve it.
The DNS domain is different from the domain on your router that you configured for the SSH key.
Try using the IP instead of the name and bypass DNS resolution.
08-02-2022 05:27 AM
@MHM Cisco World I've only been using IP, not DNS to connect to the device.
08-02-2022 05:42 AM
Hello,
Well, SSH will always ask for username and password, unlike Telnet. Don't try to combine it with "no login" on the VTYs.
Shall we try to configure it once again - like this?
username admin privilege 15 secret admin
username cisco secret cisco
line vty 0 15
no privilege level
login local
When entering the "username" lines, make sure that you do not hit the Space key after the last character in the password; instead, make sure that you hit Enter right after the password.
Then try to access the switch through PuTTY again.
As for the domain name - that one is entirely irrelevant to the SSH protocol itself. The switch just likes to use the domain name when creating an RSA keypair to give the keypair a name that can be referenced later, but since your keypair was generated as part of creating the X.509 certificate, the switch already gave it another name. Don't worry about that one.
Best regards,
Peter
08-02-2022 06:00 AM
Ok, I removed the usernames and redid them making sure there are no spaces. Also redid the vty lines.
line con 0
line vty 0 4
login local
transport input ssh
line vty 5 15
login local
transport input ssh
!
end
username admin privilege 15 secret 5 $1$AAyv$HwMoyXtcg8nlH44DDdnGB/
username cisco secret 5 $1$g5yn$jB/0IOL5XLlwlGf5fuxIm1
no aaa new-model
switch 1 provision ws-c2960x-24ts-l
Still not working with either username/password combo, or blank/blank
08-02-2022 06:07 AM - edited 08-02-2022 06:14 AM
Hello,
Alright, can you - for troubleshooting purposes - allow Telnet on this box? The commands to add (don't remove anything) would be:
line vty 0 15
transport input telnet ssh
end
Then try to Telnet into the switch instead of SSH, and use the same username/password combinations configured above. If this doesn't work then I am starting to suspect you're not really connecting to this switch.
Actually, let's check that too. Your switch has IP address 192.168.0.19 on VLAN 1. If you are directly connected to it, you must be on a switchport in VLAN 1 - which is one of the ports 13 - 22, 24, 26 - 28. Are you connected to one of those ports?
Best regards,
Peter
08-02-2022 09:37 AM
@Peter Paluch @MHM Cisco World @Reza Sharifi @W-ALI
Ok, I figured it out!
Peter, you were right, I wasn't hitting that device. Its IP had been duplicated and another device on the CCTV network had that IP address. It was the far side of a B2B bridge, and the Ubiquiti console only displays the near-side IP.
I found out by checking the ARP table on my PC and doing a MAC lookup, and sure enough it was a Ubiquiti MAC.
The other issue was my colleague had one side of the network using a VLAN that doesn't exist elsewhere on the network instead of leaving it as VLAN1 like the rest of the CCTV network. We need to segment off traffic, but really only VLAN 150 needed to be created. The management interface on the switch I couldn't hit was setup for VLAN1, and all traffic entering the switch was tagged as VLAN 250 because he set it up as an access port not a trunk.
The Ubiquiti stack handled the tagged traffic ok, because if the VLAN doesn't exist on one side, it just untags the traffic.
That had me scratching my head. Thank you so much for all the help everyone!
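Added example, not part of any post in this thread: the check that resolved this case was looking up 192.168.0.19 in the PC's ARP table and identifying the vendor of the MAC that answered. The script below does the same over a constructed `arp -a` sample (only the two addresses come from the thread; the MACs are made up), normalises Windows dash notation and Linux colon notation, and flags the target when its OUI is not the vendor you expect. The OUI table is a deliberately tiny assumed subset: 00:00:0C is a well-known Cisco prefix and 24:A4:3C is assumed to be Ubiquiti for illustration; use the IEEE registry for real lookups.

```python
import re

# Constructed sample of Windows "arp -a" output; entries are made up for the
# example. 192.168.0.1 and 192.168.0.19 are the addresses from the thread.
SAMPLE_ARP_A = """
Interface: 192.168.0.50 --- 0xb
  Internet Address      Physical Address      Type
  192.168.0.1           00-00-0c-9f-f0-01     dynamic
  192.168.0.19          24-a4-3c-12-34-56     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
"""

# Assumed mini OUI table for the example (real checks: IEEE OUI registry).
OUI_VENDORS = {
    "00:00:0C": "Cisco",
    "24:A4:3C": "Ubiquiti",
}

# Matches "ip  mac  type" rows from Windows arp -a (dashes) or Linux arp -n (colons).
ARP_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})\s+(\w+)"
)


def normalise_mac(mac):
    """Upper-case, colon-separated form so OUIs compare regardless of OS notation."""
    return mac.upper().replace("-", ":")


def parse_arp(text):
    """Return {ip: mac} for every neighbour row in arp output, ignoring headers."""
    entries = {}
    for line in text.splitlines():
        match = ARP_ROW.match(line)
        if match:
            ip, mac, _kind = match.groups()
            entries[ip] = normalise_mac(mac)
    return entries


def vendor_of(mac):
    """Vendor name for the first three octets (the OUI), or 'unknown'."""
    return OUI_VENDORS.get(normalise_mac(mac)[:8], "unknown")


def check_target(arp_text, target_ip, expected_vendor):
    """Decide whether the host answering ARP for target_ip looks like the device
    you intend to manage. No ARP entry means nothing replied on this segment,
    which is the VLAN-mismatch case; a foreign OUI means something else owns the IP."""
    mac = parse_arp(arp_text).get(target_ip)
    if mac is None:
        return {"ip": target_ip, "mac": None, "vendor": None, "ok": False,
                "reason": "no ARP entry: no host on this segment answered for the IP"}
    vendor = vendor_of(mac)
    ok = vendor == expected_vendor
    reason = "OUI matches expected vendor" if ok else (
        "OUI is %s, expected %s: another device holds this IP" % (vendor, expected_vendor))
    return {"ip": target_ip, "mac": mac, "vendor": vendor, "ok": ok, "reason": reason}


if __name__ == "__main__":
    result = check_target(SAMPLE_ARP_A, "192.168.0.19", "Cisco")
    print("%(ip)s -> %(mac)s (%(vendor)s): %(reason)s" % result)
```

The OUI test is a heuristic (a Cisco OUI on a different Cisco box would still pass); the definitive check is to take the switch's own VLAN 1 MAC from the console (`show interfaces vlan 1` prints it as "address is ...") and compare it with the ARP entry on the PC.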
08-02-2022 09:41 AM
Thanks a lot for sharing the solution.
I appreciate that.
thanks
08-02-2022 06:19 AM
One more point, friend: you shared the config many times, and each time you changed either
the hostname
or
the domain name.
Please note that changing these requires generating a new public key, otherwise SSH will not work.
So:
crypto key zeroize rsa <<- this will delete all old keys
then generate a new key.
Please make sure that you have local access to the switch/router.
08-02-2022 05:28 AM
I'm starting to think I should wait for a maintenance window and wipe it and start fresh.