SSH works without AAA

I was always under impression that you have to configure AAA (even if you have local passwords) if you want to use SSH on a Cisco router. Based on the comment made by shef I tried various options and found out that SSH works without AAA (at least in IOS releases 12.4 and 12.2SRC). In both cases, you can configure AAA authentication (using AAA servers or local passwords) or local username/password authentication (you can also use enhanced password security).

This is the minimum configuration needed to support inbound SSH sessions on a router (you might want to add transport input ssh to the line configuration if you want to disable telnet access to the router):
hostname name
!
ip domain-name name
!
crypto key generate rsa
!
! define local usernames, use passwords or secrets
!
username a password b
username x secret y
!
ip ssh version 2
!
line vty 0 4
 login local

Recent posts in the same categories

13 comments:

  1. Mao 10 August 2008 19:42
    According to Cisco (CCNP ISCW), you also need a hostname defined to enable SSH.

    I'd validate but I don't have a router handy right now.
  2. Ivan Pepelnjak 10 August 2008 20:09
    You're absolutely right; you need a hostname, otherwise the router cannot generate the certificate with the RSA keys. Stupid me ... I always use the hostname, so I've simply skipped it. Fixed the post.
  3. Anonymous 14 August 2008 20:55
    8192K bytes of Flash internal SIMM (Sector size 256K).

    --- System Configuration Dialog ---

    Would you like to enter the initial configuration dialog? [yes/no]:
    % Please answer 'yes' or 'no'.
    Would you like to enter the initial configuration dialog? [yes/no]: no


    Press RETURN to get started!

    sslinit fn

    *Aug 14 20:49:32.671: %LINEPROTO-5-UPDOWN: Line protocol on Interface VoIP-Null0, changed state to up
    *Aug 14 20:49:32.679: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to down
    *Aug 14 20:49:32.683: %LINEPROTO-5-UPDOWN: Line protocol on Interface IPv6-mpls, changed state to up
    *Aug 14 20:49:33.679: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
    *Aug 14 20:50:22.895: %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
    *Aug 14 20:50:30.231: %SYS-5-RESTART: System restarted --
    Cisco IOS Software, 7200 Software (C7200-JK9O3S-M), Version 12.4(21), RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2008 by Cisco Systems, Inc.
    Compiled Thu 10-Jul-08 11:36 by prod_rel_team
    *Aug 14 20:50:30.323: %ENTITY_ALARM-6-INFO: ASSERT INFO Fa0/0 Physical Port Administrative State Down
    *Aug 14 20:50:30.635: %SNMP-5-COLDSTART: SNMP agent on host Router is undergoing a cold start
    Router>en
    Router#conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    Router(config)#crypto key generate rsa usage-keys label Router modulus 2048
    The name for the keys will be: Router

    % The key modulus size is 2048 bits
    % Generating 2048 bit RSA keys, keys will be non-exportable...[OK]
    % Generating 2048 bit RSA keys, keys will be non-exportable...[OK]

    *Aug 14 20:53:06.483: %SSH-5-ENABLED: SSH 1.99 has been enabled
    Router(config)#
  4. Ivan Pepelnjak 22 August 2008 18:22
    Ahh ... a little bit of consistency would be so refreshing :)
  5. Anonymous 30 August 2008 14:09
    Hi, All!

    Is it possible to substitute username and password with RSA keys when I use SSH on cisco routers?
  6. Anonymous 07 October 2008 17:28
    YES, AAA requires you to use two factor authentication so its not an option. You can use either "login local" or "AAA." Personally, I am going to use AAA because it can authenticate against local AND group (TACACS+) accounts. However, I looked at three Cisco white papers and all of them did a poor job of explaining how to make AAA work with local database accounts. I finally found my answer on this site.
  7. Anonymous 12 May 2009 14:00
    I'm also interested in knowing if it is possible to automate login to cisco devices, for ex. not using passwords but ssh keys, like in linux.
  8. Ivan Pepelnjak 12 May 2009 19:08
    @Anonymous#3: No. IOS supports only username/password authentication.
  9. Asiri 04 November 2009 01:50
    user's secrets work but not 'passwords' :-$
  10. Mel Chandler 08 March 2010 23:32
    Where does the key get stored? NVRAM?

    We've noticed, just pasting the same config into a new router, SSH is not enabled, you have to re-generate the key. I was wondering if there was a way to save everything to swap out the router.
  11. Ivan Pepelnjak 09 March 2010 11:36
    Private keys are usually stored in protected part of the NVRAM and cannot be transferred to another device; that's why it's so important to create an exportable key and export it to an external location when deploying SSH or certificates on a router.
  12. Anonymous 17 May 2010 09:23
    Can SSH works without local username & AAA, but only with "password" config under "line vty 0 4" ?
  13. Anonymous 21 May 2011 22:04
    you can use the "login local" command after the "vty line x x" command
Add comment
Home
Sidebar