SSH/Telnet

Senbonzakura
Level 1

Greetings everyone, I have a quick question for all of you and I'm hoping for someone to clear everything up.

 

So from what I understand, you can configure two different vty lines, 0 - 4 for junior staff with a set password and then 5 - 15 for senior staff with a different password, but this is if you're using telnet, then those passwords would only matter if you're not using SSH, correct?

If you're using SSH then you can just configure 0-15 with a login local configuration and set up privilege levels based on who you want to have access to certain commands/abilities instead of doing what I mentioned above, correct?

 

Also, why is it when you try to enter privilege mode after successfully connecting through SSH it doesn't ask for a password even though I have one configured but when I console in it will then ask for the password I have set for entering privilege mode? On my console port, instead of disabling it I just added a password on the console port itself then afterwards you have another password you have to enter in order to access privilege mode and based on that password will determine what permissions you have hence the privilege level.

 

Any help would be appreciated in understanding these things, I've used them before and of course I'd choose SSH over Telnet but sometimes your switch may not support SSH.

 

Thank you again.

 

 

Accepted Solutions

Muhammad Awais Khan
Cisco Employee

Hi,

 

So from what I understand, you can configure two different vty lines, 0 - 4 for junior staff with a set password and then 5 - 15 for senior staff with a different password, but this is if you're using telnet, then those passwords would only matter if you're not using SSH, correct?

Yes, your understanding above is correct. SSH needs both a username and a password. Further, if you define the username with privilege level 15 when defining the username in the database, then the remote SSH user will not be prompted for the enable password. For the telnet user in your example, it will still be required to enter the enable password after the telnet

If you're using SSH then you can just configure 0-15 with a login local configuration and set up privilege levels based on who you want to have access to certain commands/abilities instead of doing what I mentioned above, correct?

Yes, and it is the recommended and secure way to access the router. Telnet sessions are unencrypted while SSH sessions are encrypted.

Also, why is it when you try to enter privilege mode after successfully connecting through SSH it doesn't ask for a password even though I have one configured but when I console in it will then ask for the password I have set for entering privilege mode? On my console port, instead of disabling it I just added a password on the console port itself then afterwards you have another password you have to enter in order to access privilege mode and based on that password will determine what permissions you have hence the privilege level.

On your console, since you are using a line password only, a user logging in to the console has to enter the console password; further, a remote user has to enter the enable password also. But if you make it login local and the local username has priv 15, then the enable password will be bypassed.

I hope the above makes sense.
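
The two setups compared in the answer above, as an added Cisco IOS configuration example that is not part of the original thread: Telnet with per-line passwords first, then SSH on all vty lines with `login local` and per-user privilege levels. The hostname, domain name, usernames and every `*_PLACEHOLDER` value are assumptions made for illustration.

```cisco
! --- Setup 1: Telnet with shared line passwords (as in the question) ---
! Whoever knows the line password gets user EXEC and must then enter
! the enable password. Nothing on the wire is encrypted.
line vty 0 4
 password JUNIOR_LINE_PASSWORD_PLACEHOLDER
 login
 transport input telnet
line vty 5 15
 password SENIOR_LINE_PASSWORD_PLACEHOLDER
 login
 transport input telnet
!
! --- Setup 2: SSH only, local usernames, privilege per user ---
! SSH needs a hostname, a domain name and an RSA key pair.
hostname SW1
ip domain-name example.invalid
! Entered once in global configuration mode to create the key pair
crypto key generate rsa modulus 2048
ip ssh version 2
!
enable secret ENABLE_SECRET_PLACEHOLDER
! "junior" starts at level 1 and still has to use "enable"
username junior privilege 1 secret JUNIOR_SECRET_PLACEHOLDER
! "senior" is placed at level 15 at login, so no enable prompt appears
username senior privilege 15 secret SENIOR_SECRET_PLACEHOLDER
!
line vty 0 15
 login local
 transport input ssh
!
! Console: use the same local user database instead of a line password
line con 0
 login local
```

After logging in, `show privilege` reports the level the session was given, which makes it easy to confirm why the enable prompt did or did not appear.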


Thank you for clearing that up for me, I just wanted to make sure I had the correct understanding on everything. I find little bits and pieces of information then I go and test things for myself.

 

It's greatly appreciated.

I am glad to hear that my response helped to clear your doubts :)

 

Happy networking and keep posting in this community :)
