SSH works without AAA

I was always under the impression that you have to configure AAA (even if you only use local passwords) if you want to use SSH on a Cisco router. Based on a comment made by shef I tried various options and found out that SSH works without AAA (at least in IOS releases 12.4 and 12.2SRC). In both releases you can use either AAA authentication (against AAA servers or local passwords) or local username/password authentication (you can also use enhanced password security).

This is the minimum configuration needed to support inbound SSH sessions on a router (add transport input ssh to the line configuration if you also want to disable telnet access to the router):
hostname name
!
ip domain-name name
!
crypto key generate rsa
!
! define local usernames, use passwords or secrets
!
username a password b
username x secret y
!
ip ssh version 2
!
line vty 0 4
 login local
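The following Python script is an added example (not part of the original post) that audits an IOS configuration text against the prerequisites listed above: hostname, domain name, SSH version 2, a vty line that authenticates against the local database (or AAA), and whether telnet is still accepted. The sample configuration embedded in it is constructed for the example and deliberately includes two of the weak spots the post and its comments touch on (a reversible username password and a vty line that still accepts telnet). Because crypto key generate rsa is an exec command and never appears in the configuration, the presence of an RSA key cannot be verified from config text, which is exactly why pasting a saved configuration into a new router does not enable SSH.

```python
"""Audit a Cisco IOS configuration for the SSH prerequisites discussed in the post.

Added example, not code from the original post. It parses running-config
text and returns a list of findings; an empty list means every checked
prerequisite is present. The RSA key itself is not checked: it is created
with an exec command and is not part of the configuration text.
"""
import re

# Constructed sample configuration for the example (not from a real router).
SAMPLE_CONFIG = """\
hostname edge-router
!
ip domain-name example.test
!
username a password b
username x secret y
!
ip ssh version 2
!
line vty 0 4
 login local
 transport input telnet ssh
"""


def parse_vty_blocks(config):
    """Return a list of (header, [indented sub-commands]) for each 'line vty' block."""
    blocks = []
    current = None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = (raw.strip(), [])
            blocks.append(current)
        elif raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        elif not raw.startswith(" "):
            current = None  # a non-indented line ends the block
    return blocks


def audit_ssh_config(config):
    """Return findings (strings) for missing or weak SSH-related settings."""
    findings = []
    # hostname and domain name are needed before an RSA key can be generated
    if not re.search(r"^hostname \S+", config, re.M):
        findings.append("missing: hostname (RSA key name derives from hostname + domain)")
    if not re.search(r"^ip domain-name \S+", config, re.M):
        findings.append("missing: ip domain-name")
    # without 'ip ssh version 2' IOS runs SSH 1.99, i.e. it still offers SSHv1
    if not re.search(r"^ip ssh version 2$", config, re.M):
        findings.append("weak: 'ip ssh version 2' not set, SSHv1 is still offered (SSH 1.99)")
    # 'username ... password' is reversible (type 7 at best); 'secret' is hashed
    for user in re.findall(r"^username (\S+) password ", config, re.M):
        findings.append(f"weak: username {user} uses 'password' (reversible), prefer 'secret'")
    aaa = re.search(r"^aaa new-model$", config, re.M) is not None
    vty_blocks = parse_vty_blocks(config)
    if not vty_blocks:
        findings.append("missing: no 'line vty' block")
    for header, sub in vty_blocks:
        # with AAA the login method comes from 'aaa authentication login' (not checked here)
        if not aaa and "login local" not in sub:
            findings.append(f"missing: '{header}' has no 'login local' and AAA is not enabled")
        transport = [s for s in sub if s.startswith("transport input")]
        if not transport:
            findings.append(f"weak: '{header}' has no 'transport input ssh' (telnet allowed by default)")
        elif any("telnet" in t or t.endswith(" all") for t in transport):
            findings.append(f"weak: '{header}' still allows telnet ({transport[0]})")
    return findings


if __name__ == "__main__":
    for finding in audit_ssh_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the embedded sample it reports the reversible password of user a and the vty line that still accepts telnet; feed it the output of show running-config from a real device to check the same points there.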

13 comments:

  1. According to Cisco (CCNP ISCW), you also need a hostname defined to enable SSH.

    I'd validate but I don't have a router handy right now.

  2. You're absolutely right; you need a hostname, otherwise the router cannot generate the certificate with the RSA keys. Stupid me ... I always use the hostname, so I've simply skipped it. Fixed the post.

  3. 8192K bytes of Flash internal SIMM (Sector size 256K).

    --- System Configuration Dialog ---

    Would you like to enter the initial configuration dialog? [yes/no]:
    % Please answer 'yes' or 'no'.
    Would you like to enter the initial configuration dialog? [yes/no]: no


    Press RETURN to get started!

    sslinit fn

    *Aug 14 20:49:32.671: %LINEPROTO-5-UPDOWN: Line protocol on Interface VoIP-Null0, changed state to up
    *Aug 14 20:49:32.679: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to down
    *Aug 14 20:49:32.683: %LINEPROTO-5-UPDOWN: Line protocol on Interface IPv6-mpls, changed state to up
    *Aug 14 20:49:33.679: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
    *Aug 14 20:50:22.895: %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
    *Aug 14 20:50:30.231: %SYS-5-RESTART: System restarted --
    Cisco IOS Software, 7200 Software (C7200-JK9O3S-M), Version 12.4(21), RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2008 by Cisco Systems, Inc.
    Compiled Thu 10-Jul-08 11:36 by prod_rel_team
    *Aug 14 20:50:30.323: %ENTITY_ALARM-6-INFO: ASSERT INFO Fa0/0 Physical Port Administrative State Down
    *Aug 14 20:50:30.635: %SNMP-5-COLDSTART: SNMP agent on host Router is undergoing a cold start
    Router>en
    Router#conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    Router(config)#crypto key generate rsa usage-keys label Router modulus 2048
    The name for the keys will be: Router

    % The key modulus size is 2048 bits
    % Generating 2048 bit RSA keys, keys will be non-exportable...[OK]
    % Generating 2048 bit RSA keys, keys will be non-exportable...[OK]

    *Aug 14 20:53:06.483: %SSH-5-ENABLED: SSH 1.99 has been enabled
    Router(config)#

  4. Ahh ... a little bit of consistency would be so refreshing :)

  5. Hi, All!

    Is it possible to substitute username and password with RSA keys when I use SSH on cisco routers?

  6. YES, AAA requires you to use two-factor authentication so it's not an option. You can use either "login local" or "AAA." Personally, I am going to use AAA because it can authenticate against local AND group (TACACS+) accounts. However, I looked at three Cisco white papers and all of them did a poor job of explaining how to make AAA work with local database accounts. I finally found my answer on this site.

  7. I'm also interested in knowing if it is possible to automate login to Cisco devices, for example not using passwords but SSH keys, like in Linux.

  8. @Anonymous#3: No. IOS supports only username/password authentication.

  9. user's secrets work but not 'passwords' :-$

  10. Where does the key get stored? NVRAM?

    We've noticed that when just pasting the same config into a new router, SSH is not enabled; you have to re-generate the key. I was wondering if there was a way to save everything to swap out the router.

  11. Ivan Pepelnjak, 09 March, 2010 11:36

    Private keys are usually stored in a protected part of the NVRAM and cannot be transferred to another device; that's why it's so important to create an exportable key and export it to an external location when deploying SSH or certificates on a router.

  12. Can SSH work without a local username & AAA, but only with the "password" config under "line vty 0 4"?

  13. You can use the "login local" command after the "vty line x x" command.



Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.