GroupStudy.com GroupStudy.com - A virtual community of network engineers
Re: SSH on tty ports posted 11/19/2002


I have tried the reverse SSH with local aaa authentication; it seems that
there is some problem with the "local-case" keyword, somehow it won't get
the username and just says username not found. See the following debug for
different authentication with local and local-case. If you change the
local-case to local, it should work. And I guess you found a bug.

"aaa authen login secure1 local" debug:

*Mar  1 08:15:47.844 HKG: AAA: parse name=tty34 idb type=-1 tty=-1
*Mar  1 08:15:47.844 HKG: AAA: name=tty34 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=34 channel=0
*Mar  1 08:15:47.848 HKG: AAA/MEMORY: create_user (0x82A54004) user='NULL' ruser='NULL' ds0=0 port='tty34' rem_addr='192.168.1.25' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0'
*Mar  1 08:15:47.848 HKG: AAA/AUTHEN/START (1212388971): port='tty34' list='secure1' action=LOGIN service=LOGIN
*Mar  1 08:15:47.848 HKG: AAA/AUTHEN/START (1212388971): found list secure1
*Mar  1 08:15:47.848 HKG: AAA/AUTHEN/START (1212388971): Method=LOCAL
*Mar  1 08:15:47.848 HKG: AAA/AUTHEN(1212388971): Status=GETPASS
*Mar  1 08:15:49.263 HKG: AAA/AUTHEN/CONT (1212388971): continue_login (user='cisco')
*Mar  1 08:15:49.263 HKG: AAA/AUTHEN(1212388971): Status=GETPASS
*Mar  1 08:15:49.263 HKG: AAA/AUTHEN/CONT (1212388971): Method=LOCAL
*Mar  1 08:15:49.263 HKG: AAA/AUTHEN(1212388971): Status=PASS

"aaa authen  login secure1 local-case" debug:

*Mar  1 08:17:05.667 HKG: AAA: parse name=tty34 idb type=-1 tty=-1
*Mar  1 08:17:05.667 HKG: AAA: name=tty34 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=34 channel=0
*Mar  1 08:17:05.667 HKG: AAA/MEMORY: create_user (0x82A54004) user='NULL' ruser='NULL' ds0=0 port='tty34' rem_addr='192.168.1.25' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0'
*Mar  1 08:17:05.667 HKG: AAA/AUTHEN/START (280937989): port='tty34' list='secure1' action=LOGIN service=LOGIN
*Mar  1 08:17:05.667 HKG: AAA/AUTHEN/START (280937989): found list secure1
*Mar  1 08:17:05.671 HKG: AAA/AUTHEN/START (280937989): Method=LOCALCASE
*Mar  1 08:17:05.671 HKG: AAA/AUTHEN(280937989): User not found, end of method list
*Mar  1 08:17:05.671 HKG: AAA/AUTHEN(280937989): Status=FAIL
----- Original Message -----
From: "Stephen Wells" <stewells@xxxxxxxxxxxxxxxx>
To: <security@xxxxxxxxxxxxxx>
Sent: Monday, November 18, 2002 7:52 PM
Subject: SSH on tty ports


> I am trying to configure a tty port to allow console access to a secure UNIX
> box using SSH w/ RADIUS authentication as the primary means of
> authentication. If my RADIUS servers are off-line I want to authenticate via
> a local user database on the 2621 router. With SSH when I shut down access
> to my RADIUS servers I am unable to authenticate using the local user cisco;
> however, when I use TELNET (transport input telnet on line 2033) and I
> shut down access to my RADIUS servers I am able to authenticate and access
> the UNIX box's console using the local user cisco.
>
> Here is the config I am using (IOS v 12.2.2T):
>
> version 12.2
> no parser cache
> no service single-slot-reload-enable
> service timestamps debug uptime
> service timestamps log uptime
> service password-encryption
> !
> hostname r1
> !
> logging rate-limit console 10 except errors
> aaa new-model
> aaa authentication login secure1 group radius local-case
> enable secret 5 $1$7COtpoi$XFM3V5.wCoyk0sMJiFANh0
> !
> username cisco password 7 059780F1C2243
> !
> !
> memory-size iomem 10
> ip subnet-zero
> !
> !
> ip domain-name cisco1.com
> !
> ip audit notify log
> ip audit po max-events 100
> ip ssh time-out 60
> ip ssh authentication-retries 3
> ip ssh port 2033 rotary 33 64
> no ip dhcp-client network-discovery
> !
> call rsvp-sync
> !
> !
> !
> !
> !
> !
> !
> !
> interface FastEthernet0/0
>  ip address 10.21.35.7 255.255.255.0
>  no shutdown
>  speed auto
>  full-duplex
> !
> interface FastEthernet0/1
>  ip address 10.21.39.7 255.255.255.0
>  no shutdown
>  speed auto
>  full-duplex
> !
> ip classless
> ip route 0.0.0.0 0.0.0.0 10.21.35.1
> !
> !
> snmp-server engineID local 000000090200000AF4620F40
> snmp-server community DLLATX37pblc RO
> radius-server host 10.21.48.39 auth-port 1645 acct-port 1646
> radius-server host 10.21.23.39 auth-port 1645 acct-port 1646
> radius-server retransmit 3
> radius-server timeout 60
> radius-server challenge-noecho
> radius-server key 7 120M04680B1E1F0F2F32
> !
> dial-peer cor custom
> !
> !
> !
> !
> !
> line con 0
> line 33
>  no exec
>  no flush-at-activation
>  login authentication secure1
>  rotary 33
>  transport input ssh
>
> ...
>
> Thanks,
>
> Steve, CCIE 7337, CISSP
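As an added illustration, not part of the thread, here is a small Python parser for the "debug aaa authentication" output shown in the reply above: it groups the AAA/AUTHEN messages by session id and reports which method each login attempt reached and whether the method list ended in PASS or FAIL, which is how you would confirm from logs that the local fallback really works when RADIUS is unreachable. The sample lines are constructed from the two debug excerpts in the reply; the regular expressions are my assumptions about that message format.

```python
import re
from collections import defaultdict

# Constructed sample: AAA/AUTHEN lines from the two debug excerpts in the reply above.
SAMPLE_DEBUG = """\
*Mar  1 08:15:47.848 HKG: AAA/AUTHEN/START (1212388971): port='tty34' list='secure1' action=LOGIN service=LOGIN
*Mar  1 08:15:47.848 HKG: AAA/AUTHEN/START (1212388971): Method=LOCAL
*Mar  1 08:15:47.848 HKG: AAA/AUTHEN(1212388971): Status=GETPASS
*Mar  1 08:15:49.263 HKG: AAA/AUTHEN/CONT (1212388971): continue_login (user='cisco')
*Mar  1 08:15:49.263 HKG: AAA/AUTHEN/CONT (1212388971): Method=LOCAL
*Mar  1 08:15:49.263 HKG: AAA/AUTHEN(1212388971): Status=PASS
*Mar  1 08:17:05.667 HKG: AAA/AUTHEN/START (280937989): port='tty34' list='secure1' action=LOGIN service=LOGIN
*Mar  1 08:17:05.671 HKG: AAA/AUTHEN/START (280937989): Method=LOCALCASE
*Mar  1 08:17:05.671 HKG: AAA/AUTHEN(280937989): User not found, end of method list
*Mar  1 08:17:05.671 HKG: AAA/AUTHEN(280937989): Status=FAIL
"""

# AAA session id in parentheses, then the rest of the message (assumed format).
SESSION_RE = re.compile(r"AAA/AUTHEN(?:/\w+)? ?\((\d+)\):\s*(.*)$")
FIELD_RES = {k: re.compile(p) for k, p in (
    ("port", r"port='([^']*)'"), ("list", r"list='([^']*)'"),
    ("user", r"\buser='([^']*)'"), ("method", r"Method=(\w+)"),
    ("status", r"Status=(\w+)"))}


def parse_aaa_debug(text):
    """Group debug lines by session: port, method list, user, methods tried, last status, failure reason."""
    sessions = defaultdict(lambda: {"methods": [], "status": None, "reason": None})
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if not m:
            continue
        sid, rest = m.groups()
        s = sessions[sid]
        for key, rx in FIELD_RES.items():
            f = rx.search(rest)
            if f and key == "method":
                if f.group(1) not in s["methods"]:  # START and CONT repeat the method
                    s["methods"].append(f.group(1))
            elif f:
                s[key] = f.group(1)
        if "User not found" in rest:
            s["reason"] = rest
    return dict(sessions)


def failed_sessions(sessions):
    """Ids of sessions whose method list was exhausted without a PASS."""
    return sorted(sid for sid, s in sessions.items() if s["status"] == "FAIL")
```

Feed it the output of a real "debug aaa authentication" capture from the router and any session listed by failed_sessions() is a login that no configured method accepted.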