12-02-2004 12:05 PM
What is the easiest way to disable telnet on the public (T1) interfaces of my routers and enable SSH? Can I do this without setting up access lists?
Thanks,
Diego
12-02-2004 12:24 PM
You can. Type
"transport input ssh"
on line vty 0 4 and it will only accept ssh connections.
If you add access-lists using access-class, it will add another level of security.
You would also need to generate an RSA key for the router from the global config mode using command,
crypto key generate rsa
Before typing this command, make sure the domain name is configured on the router.
ip domain-name
sh crypto key mypubkey rsa will show you the RSA key that is generated.
HTH
12-04-2004 04:04 PM
No generic one that I can think of, but you can go ahead and define a username for yourself
(config)#username johndoe password password_u_choose
(config)#line vty 0 4
(config-line)#login local
if you are the only administrator....
(config)#username johndoe privilege 15 password password_u_choose
(config)#line vty 0 4
(config-line)#login local
....privilege level 15 will put you into priv exec mode (you will not have to type 'enable')
if you want to use both telnet and ssh.....
(config)#line vty 0 4
(config-line)#transport input telnet ssh
you can always take one off.
12-02-2004 03:09 PM
Also make sure that you are using NTP for a time source or that your network device has an accurate internal clock. This is needed so that your RSA credential will be valid and not expired (or not valid yet).
12-04-2004 02:27 PM
Huh? I use SSH on my PIXes and I never had problems with time. Do the routers behave differently?
02-26-2016 12:55 AM
I typed "transport input ssh" using PuTTY, but now I can't even log into the router with either TELNET or SSH. Kindly help.
12-04-2004 02:25 PM
I was hoping that I could still use regular ol' telnet from the inside (ethernet) side. But I guess that I will have to live with it since I am too lazy to do the ACL stuff.
Thanks!
12-04-2004 03:05 PM
Oops! Router now is asking for a login name. Is there a generic one that I can use? I know the PIXes use "pix" but I couldn't guess the correct one for the router.
Thanks,
Diego
12-05-2004 09:14 AM
Thanks,
Diego
12-05-2004 09:47 AM
Using "transport input ssh" caused telnet connections to go right to the prompt without asking for a password. I had to use "transport input telnet ssh" to prevent this, but now the router accepts regular telnet and SSH. Still need to find out how to kill telnet.
Diego
12-05-2004 01:15 PM
The original response that you received was correct in how to allow ssh only.
transport input ssh
Since you said you lost connectivity, using telnet and ssh (transport input ssh telnet) provided you with an interim solution until you got your config straightened out. After which you could disable telnet.
your config should look like one of these depending on your desired objectives:
_______________________________________
to type in a username/pass combo and go straight to privilege exec
username YOUR_NAME privilege 15 password PASSWORD
enable secret WHATEVER_PRIV_EXEC_PASS
line vty 0 4
transport input ssh
login local
___________________________
*or*
to type in a username/pass combo and come in at user exec level
username YOUR_NAME password PASSWORD
enable secret WHATEVER_PRIV_EXEC_PASS
line vty 0 4
transport input ssh
login local
___________________________
*or*
terminal in and type in a "virtual terminal" access password defined for that vty line
enable secret WHATEVER_PRIV_EXEC_PASS
line vty 0 4
transport input ssh
login
password VTY_PASSWORD
____________________________
here is a very good link that should further assist you
(note: line parameters for ssh are the same as telnet (except for using the phrase 'ssh' of course))
also
http://www.netcraftsmen.net/welcher/papers/securemgmt.html
http://www.quepublishing.com/articles/article.asp?p=102180&seqNum=4
12-05-2004 06:34 PM
I am sorry that you misunderstood my post. I have never lost connectivity. I am using the following commands:
username YOUR_NAME password PASSWORD
enable secret WHATEVER_PRIV_EXEC_PASS
line vty 0 4
transport input ssh
login local
When using the above commands I observe the following behavior:
1) Telnetting to the router takes me DIRECTLY to the user exec prompt. No username prompt, no password prompt. Note this is telnet, which shouldn't even be accepted at this point!!
2) SSH connections work as expected with username and password prompt to get to user exec prompt.
I have found that by modifying the transport command to look like this:
transport input telnet ssh
I am prompted for username with both telnet and ssh connections which is a little better but telnet still works which is not part of the desired effect.
Diego
12-13-2004 01:22 PM
Dear
I think you need to issue "no transport input telnet" after "transport input ssh".
I'm not sure, but you can try.
12-13-2004 01:45 PM
Actually, the fix was to also add the "transport input ssh" line to the other vty lines, 5-15. Doing this to vty 0 4 is not enough. Seems like telnet was coming in through the 5-15 lines when 0-4 rejected it.
Thanks to all who contributed.
Diego
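The lesson of this thread is that every vty line, not just 0-4, has to carry "transport input ssh", and that "login local" is only safe once a username exists. The following script is an added example, not code from the thread or from Cisco: it parses a running-config (the two configs below are constructed samples, one with only vty 0 4 hardened and one with vty 5 15 covered too), reports any vty line on which telnet is still accepted, and checks the supporting items the thread mentions (ip domain-name before crypto key generate rsa, a local username before login local). It assumes that a vty block with no "transport input" line keeps a default that accepts telnet, which is what the thread observed; the "username ... secret" form in the sample is the IOS keyword that stores the password hashed rather than in clear text.

```python
"""Audit a Cisco IOS config for the vty hardening discussed in the thread.

Added example, not from the thread. Assumption (labelled): a 'line vty'
block with no 'transport input' command keeps the IOS default, which the
thread observed still accepts telnet.
"""
import re

# Constructed sample: vty 0 4 hardened, vty 5 15 left untouched (the gap
# Diego hit).
PARTIAL_CONFIG = """\
hostname edge-rtr
ip domain-name example.test
username johndoe privilege 15 secret CHANGE_ME
enable secret WHATEVER_PRIV_EXEC_PASS
!
line con 0
line vty 0 4
 transport input ssh
 login local
line vty 5 15
 login
 password VTY_PASSWORD
!
end
"""

# Constructed sample: the fix from the thread applied to all 16 vty lines.
HARDENED_CONFIG = PARTIAL_CONFIG.replace(
    "line vty 5 15\n login\n password VTY_PASSWORD",
    "line vty 5 15\n transport input ssh\n login local",
)

VTY_RE = re.compile(r"^line vty (\d+)(?: (\d+))?$")


def parse_vty_blocks(config):
    """Return one dict per 'line vty' block: first/last line number and the
    indented commands beneath it (IOS indents line-mode commands one space)."""
    blocks, current = [], None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            current["commands"].append(raw.strip())
            continue
        current = None  # any non-indented line ends the previous block
        m = VTY_RE.match(raw.strip())
        if m:
            first = int(m.group(1))
            last = int(m.group(2)) if m.group(2) else first
            current = {"first": first, "last": last, "commands": []}
            blocks.append(current)
    return blocks


def transport_input(commands):
    """Protocols a block accepts. 'none' and 'all' are real IOS keywords;
    absence of the command falls back to the assumed telnet-accepting default."""
    for cmd in commands:
        if cmd.startswith("transport input "):
            protos = cmd.split()[2:]
            if protos == ["none"]:
                return set()
            if protos == ["all"]:
                return {"telnet", "ssh"}
            return set(protos)
    return {"telnet", "ssh"}  # assumption: default still accepts telnet


def audit(config, total_vty=16):
    """Return (findings, coverage): findings is a list of problem strings,
    coverage maps each vty number 0..total_vty-1 to its accepted protocols."""
    coverage = {n: {"telnet", "ssh"} for n in range(total_vty)}  # assumed default
    for block in parse_vty_blocks(config):
        protos = transport_input(block["commands"])
        for n in range(block["first"], block["last"] + 1):
            coverage[n] = protos
    findings = []
    telnet_vtys = sorted(n for n, p in coverage.items() if "telnet" in p)
    if telnet_vtys:
        findings.append("telnet still accepted on vty " + ", ".join(map(str, telnet_vtys)))
    if not re.search(r"^ip domain-name \S+", config, re.M):
        findings.append("no 'ip domain-name': 'crypto key generate rsa' needs it first")
    uses_login_local = any("login local" in b["commands"] for b in parse_vty_blocks(config))
    if uses_login_local and not re.search(r"^username \S+", config, re.M):
        findings.append("'login local' configured but no local username: remote lockout")
    return findings, coverage


if __name__ == "__main__":
    for name, cfg in (("partial", PARTIAL_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings, _ = audit(cfg)
        print(name, "->", findings or ["no findings"])
```

Run it against a saved "show running-config" and the telnet finding names exactly the lines the 2004 fix missed; on the hardened sample it reports nothing.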
02-08-2024 12:31 AM
Unfortunately, that is not true. When you execute "show control-plane host open-ports" on the router, you can see an active telnet daemon, and the router is accessible on higher telnet ports.
For example: "Telnet <int IP> 2001" will connect you.
Actually, you need a port scanner to find the open ports, but they exist!
Usually they are between 2000 and 11000.