Refer to the exhibit. An administrator can log in to the device using Telnet, but the attempts to log in to the same device using SSH with the same credentials fail. Which action resolves this issue?
A. Configure the VTY lines with login local.
B. Configure transport input all on the VTY lines to allow SSH.
C. Configure SSH service on the router.
D. Configure to use the Telnet user database for SSH as well.
D is the best among the answers.
A - Wrong, there is a mention that the user is configured locally.
B - Wrong, SSH is already allowed; the password prompt is presented.
C - Wrong, it is already active.
D - Correct, with aaa authentication login (custom method-list name) and separate VTY lines.
EXAMPLE:
aaa new-model
aaa authentication login SSH enable
aaa session-id common
!
line vty 0 4
 privilege level 15
 transport input telnet
line vty 5 15
 privilege level 15
 login authentication SSH
 transport input ssh
!
solution:
aaa authentication login SSH local
I needed to see this in my CML lab. Actually, both solutions worked fine:
A) adding "login local" to the vty configuration
and
Zizu007's solution using AAA.
The main thing was to instruct the router to use the local user database this or that way.
For this, a local user was created, e.g. username admin password cisco
As a solution with AAA is not listed, I choose answer "A".
Working solutions:
- Authentication against local user database:
username admin password cisco
line vty 0 4
 transport input telnet ssh
 login local
or
- AAA:
username admin password cisco
aaa new-model
aaa authentication login default local
aaa authorization exec default local
Result:
cisco@PC1:~$ ssh -oKexAlgorithms=+diffie-hellman-group14-sha1 admin@192.168.1.1
R1>
First, the same error message from the output needed to be generated to see that we catch the same issue:
MY config: transport input all + login:
cisco@PC1:~$ ssh -oKexAlgorithms=+diffie-hellman-group14-sha1 admin@192.168.1.1
*
admin@192.168.1.1's password:
Permission denied, please try again.
admin@192.168.1.1's password:
Permission denied, please try again.
admin@192.168.1.1's password:
Connection closed by 192.168.1.1 port 22
cisco@PC1:~$
(both passwords under vty config and from local user config produced this same error message)
My config:
R1(config-line)#do sh run | sec line vty
line vty 0 4
 password telnet
 login
 transport input all
R1(config-line)#
R1#sh run | i username
username admin password 0 cisco
R1#
Then my config: transport input telnet + login local => different error:
cisco@PC1:~$ ssh -oKexAlgorithms=+diffie-hellman-group14-sha1 admin@192.168.1.1
kex_exchange_identification: Connection closed by remote host
Connection closed by 192.168.1.1 port 22
cisco@PC1:~$
I will go with A for this answer, even considering that the user is configured locally we can expect the same error from Telnet and SSH, and in D you must use aaa authentication login default local. BTW, I was checking other sites and they suggest A as the right answer.
Sure! SSH needs a password, but also a username. The example clearly states that Telnet only used a password; SSH cannot work with only a password, so it fails. By specifying "login local", you will use the local user database; if there is a user configured, SSH can authenticate using the username+password set.
By the way, in the output we can see that the successful Telnet connection did not use the local user either. No user needed to be entered for the authentication. It only used the password from the vty configuration.
If we make Telnet and SSH use the local user, then both username and password need to be entered for the login. For Telnet, the username is asked first:
cisco@PC1:~$ telnet 192.168.1.1
Connected to 192.168.1.1
Entering character mode
Escape character is '^]'.
User Access Verification
Username:
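Added here as a worked example by the editor, not code from the thread or from Cisco: a small Python audit that reads show-run text and flags every VTY line that accepts SSH but has no username-capable login method. That is exactly the mismatch reproduced in the lab above (a line password with plain `login` admits Telnet and rejects SSH) and the reason Zizu007's `aaa authentication login SSH enable` list had to become `local`. The sample configs are constructed to mirror the ones in the thread; the treatment of an undefined default AAA list as local authentication is an assumption stated in the code, and a line with no `transport input` statement is audited as if SSH were allowed.

```python
"""Audit IOS VTY lines for the Telnet-works/SSH-fails mismatch discussed in the thread.

SSH always sends a username, so a VTY line that accepts SSH needs a login method
that validates usernames (local database or an AAA server group). A line that has
only `login` with a line password, or an AAA list made of `enable`/`line`/`none`,
admits Telnet but rejects SSH.
"""
import re
from dataclasses import dataclass, field

USERNAME_METHODS = {"local", "local-case"}   # validate username + secret
# `enable`, `line` and `none` check a shared secret (or nothing), never a username.
VTY_SUBCOMMANDS = ("transport input", "login", "no login", "password",
                   "privilege", "exec-timeout", "access-class", "logging")


@dataclass
class VtyLine:
    name: str                                # e.g. "line vty 0 4"
    transport: list = field(default_factory=list)
    login: str = "none"                      # "none", "line", "local" or "aaa:<list>"


def _parse_methods(tokens):
    """Turn 'group radius local' into ['group radius', 'local']."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def parse_config(text):
    """Return (aaa_new_model, {list_name: methods}, [VtyLine]) from show-run text."""
    aaa_new_model, aaa_lists, vtys, current = False, {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("line vty "):
            current = VtyLine(name=line)
            vtys.append(current)
            continue
        if line.startswith("line "):             # con/aux block: not audited
            current = None
            continue
        # Sub-commands are matched by keyword so an un-indented paste still parses.
        if current is not None and line.startswith(VTY_SUBCOMMANDS):
            if line.startswith("transport input"):
                current.transport = line.split()[2:]
            elif line == "login":
                current.login = "line"
            elif line == "login local":
                current.login = "local"
            elif line.startswith("login authentication "):
                current.login = "aaa:" + line.split()[2]
            elif line == "no login":
                current.login = "none"
            continue
        current = None                           # any other command is global
        if line == "aaa new-model":
            aaa_new_model = True
        m = re.match(r"aaa authentication login (\S+) (.+)$", line)
        if m:
            aaa_lists[m.group(1)] = _parse_methods(m.group(2).split())
    return aaa_new_model, aaa_lists, vtys


def effective_methods(vty, aaa_new_model, aaa_lists):
    """Resolve which login methods actually apply to one VTY line."""
    if not aaa_new_model:
        return [vty.login] if not vty.login.startswith("aaa:") else []
    list_name = vty.login[4:] if vty.login.startswith("aaa:") else "default"
    if list_name in aaa_lists:
        return aaa_lists[list_name]
    # Assumption: with aaa new-model and no default list, IOS falls back to local.
    return ["local"] if list_name == "default" else []


def audit(text):
    """Return (vty name, methods) for each SSH-capable line lacking a username method."""
    aaa_new_model, aaa_lists, vtys = parse_config(text)
    findings = []
    for vty in vtys:
        ssh_allowed = not vty.transport or any(t in ("ssh", "all") for t in vty.transport)
        if not ssh_allowed:
            continue
        methods = effective_methods(vty, aaa_new_model, aaa_lists)
        if not any(m in USERNAME_METHODS or m.startswith("group ") for m in methods):
            findings.append((vty.name, methods))
    return findings


# Constructed samples patterned on the thread's configs (not pasted from it).
FAILING = "username admin password 0 cisco\nline vty 0 4\n password telnet\n login\n transport input all\n"
FIXED_LOCAL = "username admin password 0 cisco\nline vty 0 4\n transport input telnet ssh\n login local\n"
AAA_ENABLE = ("username admin password 0 cisco\naaa new-model\naaa authentication login SSH enable\n"
              "line vty 0 4\n transport input telnet\nline vty 5 15\n login authentication SSH\n transport input ssh\n")
AAA_LOCAL = "username admin password 0 cisco\naaa new-model\naaa authentication login default local\nline vty 0 4\n transport input telnet ssh\n"

if __name__ == "__main__":
    for label, cfg in [("line password only", FAILING), ("login local", FIXED_LOCAL),
                       ("aaa list on enable", AAA_ENABLE), ("aaa default local", AAA_LOCAL)]:
        print(f"{label}: {audit(cfg) or 'OK'}")
```

Running it reports the first and third samples: `line vty 0 4` with methods `['line']` and `line vty 5 15` with `['enable']`, while the `login local` and `aaa authentication login default local` variants pass, matching what the lab output above showed for each configuration.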
Community vote distribution: A (35%), C (25%), B (20%), Other.