Ethernet Switches & Routers

TD
Occasional Contributor
Posts: 14
Registered: 01-05-2012

Gaining access via SSH

Hello,

      I have a FESX448 and FESX424 switch in my network. I have enabled SSH on these devices and wish to access them using SSH. When I SSH to the devices via putty I get a login prompt but when I add my user account and password it does not work. The account is local to the device not AAA. I also have a super-user password set up on the devices, so when I telnet to the device, I am logged right in. We have to disable telnet but before we do that, I need to make sure SSH is working. It seems it is not looking at the usernames I have created on the switch. Can someone help?

Regards

Super Contributor
Posts: 1,087
Registered: 12-13-2009

Re: Gaining access via SSH

Hi TD,

     You must tell the switch you want to use the local database.

from config term level 'aaa authentication login default local'

Also may want to setup these too;

'aaa authentication snmp-server default local'
'aaa authentication web-server default local'

If you want a time out on the ssh session then use

'ip ssh idle-time 10'
idle-time is in minutes.

Thanks

Michael.

TD
Occasional Contributor
Posts: 14
Registered: 01-05-2012

Re: Gaining access via SSH

Thanks! I did perform those commands earlier and it worked. One thing though, when I access the device via the web, it lets me straight into the device without asking for a username and password. Is this because I still have the enable super-user password configured in the CLI? If I delete that command, will the device use the local usernames and passwords?

Regards

Super Contributor
Posts: 1,087
Registered: 12-13-2009

Re: Gaining access via SSH

Hi TD,

     Can you confirm that you entered the 'aaa authentication web-server default local' command?  The default is to use the snmp read community; with this command it should now ask for username and password.

Also you may want to lock it down a bit better with;

web-management https
web-management enable vlan xx

Thanks

Michael.
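A small audit script for the items Michael lists in his two replies above (local AAA for login, web and SNMP; SSH idle timeout; HTTPS-only web management on a management VLAN; Telnet disabled). This is an added example, not code from the thread or from Brocade; the running-config fragment is constructed, and the `no telnet server` form for a disabled Telnet server is an assumption.

```python
import re

# Constructed sample FastIron running-config fragment (not from the thread).
# Hostname, VLAN number and password are placeholders.
SAMPLE_CONFIG = """\
hostname FESX448-PLACEHOLDER
username admin password PLACEHOLDER
enable super-user-password PLACEHOLDER
aaa authentication login default local
aaa authentication web-server default local
ip ssh idle-time 10
web-management enable vlan 10
telnet server
"""

# Hardening items raised in the thread, as anchored regexes over config lines.
# "no telnet server" as the disabled form is an assumption, not from the thread.
CHECKS = {
    "ssh_uses_local_db":  r"^aaa authentication login default local$",
    "web_uses_local_db":  r"^aaa authentication web-server default local$",
    "snmp_uses_local_db": r"^aaa authentication snmp-server default local$",
    "ssh_idle_timeout":   r"^ip ssh idle-time [1-9]\d*$",
    "web_https_only":     r"^web-management https$",
    "web_mgmt_vlan":      r"^web-management enable vlan \d+$",
    "telnet_disabled":    r"^no telnet server$",
}


def audit_config(config_text: str) -> dict:
    """Return {check_name: True/False}: True if a matching config line exists."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    return {name: any(re.match(pat, ln) for ln in lines)
            for name, pat in CHECKS.items()}


def missing_items(config_text: str) -> list:
    """Names of failed checks, in CHECKS order, for a short report."""
    return [name for name, ok in audit_config(config_text).items() if not ok]


if __name__ == "__main__":
    # Run against the constructed sample; each line is one gap to close.
    for item in missing_items(SAMPLE_CONFIG):
        print("MISSING:", item)
```

Paste the output of `show running-config` in place of the sample to audit a real switch offline.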

TD
Occasional Contributor
Posts: 14
Registered: 01-05-2012

Re: Gaining access via SSH

Hello,

       Yes, I did apply that command, but when I access the switch via IE, it takes me right in with no prompting for a password. Do I have to take out the "enable super user password" command so that it will use only the local accounts that I created?

Regards

Super Contributor
Posts: 1,087
Registered: 12-13-2009

Re: Gaining access via SSH

Hi TD,

     No, there is no need to remove the enable super user password (this is only used when you type enable when SSH/telnetting or on the console of the box) - in fact I would recommend that every switch should have the enable password set.

     Can you post the config of the switch (hide what you need to hide)?

Thanks

Michael.

TD
Occasional Contributor
Posts: 14
Registered: 01-05-2012

Re: Gaining access via SSH

I got it to work! Thanks for your help, but now I have another problem. We are trying to gain access to our devices via SSH. I have created the keys (crypto key generate rsa), configured our domain name and created local user accounts on the switches. When I telnet to these devices, I get in with no problem using the local accounts. When I SSH to the devices via Putty, I get the login prompt, type username and password, and get a Putty Fatal error "Server sent disconnect message type 11 (by application): "To many password authentication attempts from user". I know the username and password are good because I can get in using telnet. Once we get SSH to work we will be disabling telnet altogether.

Regards

Super Contributor
Posts: 1,087
Registered: 12-13-2009

Re: Gaining access via SSH

Hi TD,

     Please try the following;

    'crypto key zeroize' -- this will wipe the key you have generated

    'crypto key generate' (dropping the RSA keyword) -- this should get you a key pair that works with putty

     I have not used the RSA keyword in years (and it has disappeared in newer releases of code for the FastIrons)

Thanks

Michael.

Message was edited by: mschipp

Super Contributor
Posts: 1,087
Registered: 12-13-2009

Re: Gaining access via SSH

Hi TD,

     Ok, looking at it further, I see you have the following code.

FESX448 SW: 03.0.01cT3e3      SSH2 only

FESX424 SW: 02.2.00Te1          SSH1/1.5 only

FES9604 SW: 03.6.00aTc1        SSH2 only - I think

I would recommend that you get the FESX boxes to the same level of code - at least 03.0.01c. SSH version 1 and 1.5 used RSA; SSHv2 used AES.

SSHv1/1.5 has a well-known security issue (like Telnet).

Thanks

Michael.

TD
Occasional Contributor
Posts: 14
Registered: 01-05-2012

Re: Gaining access via SSH

Great. We are trying to get a service contract in place so that we can download different firmware. I will try what you said and see if that works.

Regards,

TD
