disable telnet, enable SSH

tato386
Level 6

What is the easiest way to disable telnet on the public (T1) interfaces of my routers and enable SSH? Can I do this without setting up access lists?

Thanks,

Diego

14 Replies

thisisshanky
Level 11

You can. Type

"transport input ssh"

on line vty 0 4 and it will only accept ssh connections.

If you add access-lists using access-class, it will add another level of security.

You would also need to generate an RSA key for the router from the global config mode using command,

crypto key generate rsa

Before typing this command, make sure the domain name is configured on the router.

ip domain-name YOUR_DOMAIN

sh crypto key mypubkey rsa will show you the RSA key that is generated.

HTH

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

Also make sure that you are using NTP for a time source or that your network device has an accurate internal clock. This is needed so that your RSA credential will be valid and not expired (or not valid yet).

Huh? I use SSH on my PIXes and I never had problems with time. Do the routers behave differently?

I typed "transport input ssh" using PuTTY but now I can't even log into the router with either TELNET or SSH. Kindly help.

I was hoping that I could still use regular ol' telnet from the inside (ethernet) side. But I guess that I will have to live with it since I am too lazy to do the ACL stuff.

Thanks!

Oops! Router now is asking for a login name. Is there a generic one that I can use? I know the PIXes use "pix" but I couldn't guess the correct one for the router.

Thanks,

Diego

no generic one that I can think of, but you can go ahead and define a username for yourself

(config)#username johndoe password password_u_choose

(config)#line vty 0 4

(config-line)#login local

if you are the only administrator....

(config)#username johndoe privilege 15 password password_u_choose

(config)#line vty 0 4

(config-line)#login local

....privilege level 15 will put you into priv exec mode (you will not have to type 'enable')

if you want to use both telnet and ssh.....

(config)#line vty 0 4

(config-line)#transport input telnet ssh

you can always take one off.

Thanks,

Diego

Using "transport input ssh" caused telnet connections to go right to the prompt without asking for a password? I had to use "transport input telnet ssh" to prevent this but now the router accepts regular telnet and SSH. Still need to find out how to kill telnet.

Diego

the original response that you received was correct in how to allow ssh only.

transport input ssh

since you said you lost connectivity, using telnet and ssh (transport input ssh telnet) provided you with an interim solution until you got your config straightened out. After which you could disable telnet.

your config should look like one of these depending on your desired objectives:

_______________________________________

to type in a username/pass combo and go straight to privilege exec

username YOUR_NAME privilege 15 password PASSWORD

enable secret WHATEVER_PRIV_EXEC_PASS

line vty 0 4

transport input ssh

login local

___________________________

*or*

to type in a username/pass combo and come in at user exec level

username YOUR_NAME password PASSWORD

enable secret WHATEVER_PRIV_EXEC_PASS

line vty 0 4

transport input ssh

login local

___________________________

*or*

terminal in and type in a "virtual terminal" access password defined for that vty line

enable secret WHATEVER_PRIV_EXEC_PASS

line vty 0 4

transport input ssh

login

password VTY_PASSWORD

____________________________

here is a very good link that should further assist you

http://www.cisco.com/en/US/products/sw/iosswrel/ps1818/products_configuration_example09186a0080204528.shtml

(note: line parameters for ssh are the same as telnet (except for using the phrase 'ssh' of course))

also

http://www.netcraftsmen.net/welcher/papers/securemgmt.html

http://www.quepublishing.com/articles/article.asp?p=102180&seqNum=4

I am sorry that you misunderstood my post. I have never lost connectivity. I am using the following commands:

username YOUR_NAME password PASSWORD

enable secret WHATEVER_PRIV_EXEC_PASS

line vty 0 4

transport input ssh

login local

When using the above commands I observe the following behavior:

1) Telnetting to the router takes me DIRECTLY to the user exec prompt. No username prompt, no password prompt. Note this is telnet which shouldn't even be accepted at this point!!

2) SSH connections work as expected with username and password prompt to get to user exec prompt.

I have found that by modifying the transport command to look like this:

transport input telnet ssh

I am prompted for username with both telnet and ssh connections which is a little better but telnet still works which is not part of the desired effect.

Diego

Dear

I think you need to issue "no transport input telnet" after "transport input ssh".

I'm not sure, but you can try.

Actually, the fix was to also add the "transport input ssh" line to the other vty lines, 5-15. Doing this to vty 0 4 is not enough. Seems like telnet was coming in through the 5-15 when 0-4 rejected it.

Thanks to all who contributed.

Diego
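As an added example (not from this thread, Cisco, or any poster), a small Python audit that parses an IOS-style running-config and reports vty ranges that still accept telnet, lack a login method, or were never configured at all, which is exactly the vty 5-15 gap Diego describes. The sample config, its hostname and domain are constructed; the total of 16 vtys is an assumption that matches the 0-15 range in the thread.

```python
import re

# Constructed sample running-config (not from the thread): vty 0-4 is SSH-only,
# but vty 5-15 kept the IOS default transport input, which accepts telnet.
SAMPLE_CONFIG = """\
hostname edge-rtr
ip domain-name example.test
username YOUR_NAME privilege 15 password PASSWORD
line vty 0 4
 transport input ssh
 login local
line vty 5 15
 login
 password VTY_PASSWORD
"""

VTY_RE = re.compile(r"^line vty (\d+)(?: (\d+))?$")

def parse_vty_lines(config):
    """Return {(first, last): [sub-commands]} for every 'line vty' block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = VTY_RE.match(line)
        if m:
            current = (int(m.group(1)), int(m.group(2) or m.group(1)))
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())   # indented sub-command
        else:
            current = None                          # left the line block
    return blocks

def audit_vty(config, total_vtys=16):
    """List vty ranges that are not SSH-only, have no login, or are missing."""
    findings, covered = [], set()
    for (first, last), cmds in parse_vty_lines(config).items():
        covered.update(range(first, last + 1))
        transport = [c for c in cmds if c.startswith("transport input")]
        if not transport:
            findings.append(f"vty {first} {last}: transport input left at default (telnet accepted)")
        elif transport[-1].split()[2:] not in (["ssh"], ["none"]):
            findings.append(f"vty {first} {last}: '{transport[-1]}' is not SSH-only")
        if not any(c.startswith("login") for c in cmds):
            findings.append(f"vty {first} {last}: no 'login' or 'login local' configured")
    missing = sorted(set(range(total_vtys)) - covered)   # vtys never configured
    if missing:
        findings.append(f"vty {missing[0]}-{missing[-1]}: not configured at all (defaults apply)")
    return findings
```

Run `audit_vty(SAMPLE_CONFIG)` against the sample and the only finding is the forgotten vty 5 15 range; a config that configures only vty 0 4 is reported as leaving 5-15 at defaults.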

Unfortunately, that is not true. When you execute "show control-plane host open-ports" on the router, you can see the active telnet daemon, and the router is accessible at higher telnet ports.

For example: "Telnet <int IP> 2001" will connect you.

Actually, you need a port scanner to find the opened ports but they exist!

Usually they are between 2000-11000.