SSH Authentication

amh4y0001
Level 3

Hi,

I am unable to SSH to a Cisco 890 ISR. I am sure the user/password is correct. Any thoughts?

Here is the output of sh ip ssh:

sh ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MAC Algorithms:hmac-sha1,hmac-sha1-96
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB-------v2qQ==

And here is partial output of sh running:

line con 0
no modem enable
line aux 0
line vty 0 4
login local
transport input ssh
line vty 5 189
login local
transport input ssh
!
scheduler allocate 20000 1000


Mark Elsen
Hall of Fame

- The first iteration is: what does "unable to SSH" mean? Is there an error? If so, which one? If anything else happens, then describe it.

M.



-- Let everything happen to you  
       Beauty and terror
      Just keep going    
       No feeling is final
Reiner Maria Rilke (1899)

Unable to connect / authenticate.

Authentication Failed. Please retry.

Ric Beeching
Level 7
Have you configured a domain-name for the router and then generated an SSH crypto key?
e.g.
conf t
ip domain-name test.com
crypto key generate rsa modulus 1024
end

Alternatively, check telnet works first before troubleshooting ssh:
conf t
line vty 0 4
transport input telnet ssh
end
-----------------------------
Please rate helpful / correct posts
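
The prerequisites raised in this reply (domain name, RSA key, vty transport) can be checked offline against saved `show ip ssh` and running-config text. The following is an added example, not part of the original thread; the function names and sample data are constructed, and it assumes local authentication without AAA.

```python
import re

# Constructed samples modelled on the thread's output; the key and hash are placeholders.
SHOW_IP_SSH = """SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
ssh-rsa AAAAB-placeholder-key==
"""
RUNNING_CONFIG = """ip domain-name example.com
username netops secret 5 $1$constructed$hash
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 189
 transport input ssh
"""

def parse_show_ip_ssh(text):
    """Pull out the `show ip ssh` fields that matter for a password login."""
    ver = re.search(r"^SSH Enabled - version (\S+)", text, re.M)
    methods = re.search(r"^Authentication methods:(\S+)", text, re.M)
    return {"version": ver.group(1) if ver else None,
            "methods": methods.group(1).split(",") if methods else [],
            "has_key": bool(re.search(r"^ssh-rsa \S+", text, re.M))}

def parse_vty(config):
    """Map each `line vty` range to its sub-commands; a stanza ends at `!` or the next `line`."""
    stanzas, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("line ") or line == "!":
            current = line[5:] if line.startswith("line vty ") else None
            if current:
                stanzas[current] = []
        elif current and line:
            stanzas[current].append(line)
    return stanzas

def check_ssh_prereqs(show_ip_ssh, config):
    ssh = parse_show_ip_ssh(show_ip_ssh)  # an empty result list means all checks passed
    checks = [(ssh["version"] is None, "SSH server is not enabled"),
              (not ssh["has_key"], "no RSA host key (crypto key generate rsa)"),
              ("password" not in ssh["methods"], "password authentication is not offered"),
              (not re.search(r"^ip domain[- ]name \S+", config, re.M), "no ip domain-name"),
              (not re.search(r"^username \S+ .*\b(secret|password)\b", config, re.M), "no local username")]
    for name, cmds in parse_vty(config).items():
        transport = {w for c in cmds if c.startswith("transport input") for w in c.split()[2:]}
        checks += [("login local" not in cmds, f"{name}: missing 'login local'"),
                   (not transport & {"ssh", "all"}, f"{name}: 'transport input' does not list ssh"),
                   (bool(transport & {"telnet", "all"}), f"{name}: telnet is allowed (cleartext)")]
    return [msg for failed, msg in checks if failed]
```

The telnet finding matters after a test like the one suggested above: once the check is done, set the vty lines back to `transport input ssh`.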

Hi,

Thanks for the reply.

I have confirmed that the ip domain name exists and the keys were generated with 1024 as well.

Checked with telnet and it failed with "Login Failed".

I have created the SSH user with the following command:

username admin secret MySSHPassword

crypto key generate rsa : 1024

Can you attach the full config with sensitive info removed?

Cheers,
Ric

Thanks, I have attached the config.

Looks good as far as I know. Is it possible for a firewall to be blocking, or is it connected without one? Can you ping that interface from a workstation and ping the workstation from the router? Basic steps, I know. The other thing to check is whether the port is open from the PC, so try a simple telnet from a command prompt (you need to enable the service in Windows) and see if that establishes a session. That helps you determine if the workstation can even reach the router on that port to begin with.

Ric

Hi,

I can ping the host from the client and the router can ping the client as well.

It's very strange that it is saying invalid login. I have verified several times that I am typing the user/password correctly.

- As a sanity check -> configure a different username and password on the device and try again.

M.




OK, problem solved. The user name was "admin"; changing the user name to something else did the trick. Thanks all for the suggestions.

Perhaps this should be a separate thread, but I have a 2nd router where the ISP address is via DHCP (I have not configured a WAN static address). In this case, how can I SSH? Which IP address?

Hi,

When we use a WAN link with DHCP (no static IP), how can we SSH to it? I tried with the host name but it didn't work. Any thoughts?
