06-23-2009 11:13 AM - edited 03-06-2019 06:24 AM
Hi everybody!
My book shows the following configuration:
line vty 0 15
login
password cisco
=================
Book says: "The 'line vty 0 15' configuration command tells the switch that the commands that follow apply to all 16 possible concurrent virtual terminal connections to the switch, which includes telnet as well as SSH access."
My understanding is, given the above config, SSH access is not possible, as SSH access requires at least a username and password to be configured. So basically the above config is only valid for telnet. But the excerpt from the book, quoted above, says (the last line) the above config applies to both telnet and SSH.
========================================
Please consider the following config:
2) line vty 0 15
login local
transport input telnet ssh
username sarah password cisco
crypto key generate rsa
My question is: if I have to telnet to this switch, will I be prompted for a username and password? Or will I be prompted for a username and password only if I connect via SSH?
thanks a lot!
06-23-2009 11:23 AM
For the first question:
Authentication through the line password is not possible with SSH.
It will work for sure when the login/password is overridden by AAA:
aaa new-model
aaa authentication login default local xxx
Instead of local, group radius/tacacs could also be used.
For the second question:
Yes, you'll be prompted for a username and password.
06-23-2009 02:54 PM
"for the second question:
yes you'll be prompted for a username and password"
Do you mean, even when I telnet, I will be prompted for a username and password?
Thanks a lot!
06-23-2009 12:24 PM
While the SSH client prompts for a username and password for authentication, on a Cisco IOS SSH server using a line password, it will accept any username (it doesn't have to be configured on the box) and the password must be the line password.
HTH,
Edit:
Current configuration : 1268 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname CE2
!
boot-start-marker
boot-end-marker
!
aaa new-model
aaa authentication login default line enable
enable secret 5 $1$9.3m$khtj/6egNw9qoOksHisHU0
!
ip subnet-zero
ip cef
!
!
ip domain-name CISCO.COM
!
!
!
interface Loopback0
ip address 10.1.2.1 255.255.255.255
no clns route-cache
!
interface FastEthernet0/0
no ip address
duplex half
no clns route-cache
!
interface FastEthernet1/0
ip address 192.168.2.1 255.255.255.0
duplex full
speed auto
no clns route-cache
!
interface FastEthernet1/1
ip address 172.16.32.2 255.255.255.0
duplex auto
speed auto
no clns route-cache
!
router eigrp 10
passive-interface FastEthernet1/1
network 0.0.0.0
no auto-summary
!
ip classless
!
no ip http server
!
!
!
!
!
!
control-plane
!
!
dial-peer cor custom
!
!
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password cisco
transport input ssh
!
!
end
__________________
connecting from remote router:
CE1#ssh -l sara 172.16.32.2
Password:
CE2>en
Password:
CE2#
__
Edison.
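As an added example (not code from this thread or from Cisco), a small Python audit that parses the vty stanzas of an IOS config like the one above and reports the effective login method together with the points raised in this thread: SSH against a line password accepts any username, telnet carries credentials in cleartext, and login local needs at least one username. The sample config is constructed from the vty-relevant lines of Edison's CE2 config; a missing "transport input" is only flagged for manual review, since the thread itself finds the default undocumented.

```python
# Constructed sample (not a real device): the vty-relevant lines of Edison's CE2 config above.
CONFIG_CE2 = """\
aaa new-model
aaa authentication login default line enable
line vty 0 4
 password cisco
 transport input ssh
!
end
"""

def audit_vty(config):
    """Classify the login method of each vty stanza and flag weak settings."""
    lines = [l.strip() for l in config.splitlines()]
    aaa = next((l.split()[4:] for l in lines
                if l.startswith("aaa authentication login default")), [])
    if "aaa new-model" not in lines:
        aaa = []                        # method lists are ignored without aaa new-model
    users = [l for l in lines if l.startswith("username ")]
    results, i = [], 0
    while i < len(lines):
        if not lines[i].startswith("line vty"):
            i += 1
            continue
        name, body, i = lines[i], [], i + 1     # collect the stanza body
        while i < len(lines) and not (lines[i].startswith(("line ", "!")) or lines[i] == "end"):
            body.append(lines[i])
            i += 1
        tr = next((set(b.split()[2:]) for b in body if b.startswith("transport input")), None)
        has_pw = any(b.startswith("password ") for b in body)
        if aaa:                         # an AAA method list overrides the line's own login
            auth = "aaa:" + "/".join(aaa)
        elif "login local" in body:
            auth = "local"
        else:                           # plain 'login' is the vty default
            auth = "line-password" if has_pw else "login-no-password"
        f = []
        if tr is None:
            f.append("no explicit 'transport input': effective default varies by IOS release")
        elif tr & {"telnet", "all"}:
            f.append("telnet allowed: credentials cross the network in cleartext")
        if auth == "login-no-password":
            f.append("'login' without a password: every remote connection is refused")
        if ("line" in aaa or auth == "line-password") and (tr or set()) & {"ssh", "all"}:
            f.append("SSH with line password: any username is accepted, only the password is checked")
        if ("local" in aaa or auth == "local") and not users:
            f.append("local authentication with no 'username' entries: remote lockout")
        results.append({"line": name, "auth": auth, "transport": tr, "findings": f})
    return results
```

Feed it the output of "show running-config"; each returned entry names the vty range, the login method actually in force, the allowed transports, and the findings for that range.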
06-23-2009 02:06 PM
Edison is correct; it will use a normal line password if, say, a TACACS or RADIUS server is unavailable. We have this all over our enterprise.
06-23-2009 03:06 PM
Thanks Edison!
06-24-2009 09:01 AM
Hi Edison!
Just got one more question if you don't mind.
line vty 0 15
login local
username sarah password cisco
Will the above config require username sarah and password cisco from a telnet user?
Thanks a lot!
06-24-2009 09:04 AM
Yes, you've changed the login protocol from line password to login local authentication, so all input connections to the vty will use the local username|password combination, not just telnet but also ssh.
HTH,
__
Edison.
06-24-2009 09:15 AM
Zeeshan,
In the case of your configuration above, yes, you need to define a user for login local. However, "username sarah password cisco" will be used as privilege level 1.
HTH,
Toshi
06-24-2009 10:22 AM
Thanks Edison.
"Yes, you've changed the login protocol from line password to login local authentication so all input connections to the vty will use the local username|password combination, not just telnet but also ssh."
According to my book, transport input telnet is on by default. That also means only telnet connections will be allowed and telnet users will be prompted for usernames and passwords. To allow SSH connections, we must configure "transport input telnet ssh".
Am I correct?
Thanks a lot and have a nice day!
HTH,
06-24-2009 10:47 AM
Your book seems outdated; the default used to be 'all', now it's none.
http://www.cisco.com/en/US/docs/ios/termserv/command/reference/tsv_s1.html#wp1022885
HTH,
__
Edison.
06-26-2009 07:51 AM
Sarah,
I want to correct my previous statement.
That section of the documentation needs to be updated. It does mention in the 'Usage Guidelines' that the default 'none' applies to TTY connections but there is no mention of VTY connections.
I did a little digging and it seems the VTY connections default is set to 'all' but the documentation makes no mention of it.
