[nsp] permit vty ssh, no telnet for some users ?
Bruce Pinsky
bep at whack.org
Mon Apr 26 19:49:17 EDT 2004
Sam Munzani wrote:
> How do you ensure your SSH session will always use VTY 2 upon logon? Your SSH
> session might come in on VTY 1 and may end up with a failed authentication.
>
You allow only a single transport type on certain vty's using the
"transport input" command as I showed:
>>line vty 0
>> login authentication SSH-ONLY
>> transport input ssh
>>line vty 1
>> login authentication TELNET-ONLY
>> transport input telnet
Here is an example of it in action (from the console of the router back to
itself in this case):
R1#telnet 5.5.5.5
Trying 5.5.5.5 ... Open
01:31:48: TTY0: pause timer type 1 (OK)
01:31:48: TTY2: EXEC creation
01:31:48: AAA/BIND(0000000E): Bind i/f
01:31:48: AAA/AUTHEN/LOGIN (0000000E): Pick method list 'TELNET-ONLY'
01:31:51: AAA/AUTHEN/LOGIN (0000000E): Pick method list 'TELNET-ONLY'
01:31:53: AAA/AUTHEN/LOGIN (0000000E): Pick method list 'TELNET-ONLY'
Username:
Password:
% Authentication failed
[Connection to 5.5.5.5 closed by foreign host]
R1#
01:33:41: TTY2: Line reset by "Virtual Exec"
01:33:41: TTY2: Modem: (unknown)->READY
R1#ssh -l bep 5.5.5.5
01:32:55: TTY0: pause timer type 1 (OK)
01:32:56: AAA/BIND(0000000F): Bind i/f
01:32:56: AAA/AUTHEN/LOGIN (0000000F): Pick method list 'SSH-ONLY'
Password:
% Authentication failed.
[Connection to 5.5.5.5 closed by foreign host]
R1#
01:35:35: TTY0: resume timer type 1 (OK)
01:35:35: TTY0: no timer type 4 to destroy
01:35:35: TTY3: Line reset by "SSH Process"
01:35:35: TTY3: Modem: (unknown)->READY
Note that the telnet is on TTY2 (vty 0) and that SSH is on TTY3 (vty 1) and
that the session on TTY2 is reset by EXEC and the session on TTY3 is reset
by SSH Process.
And here is some more evidence that it is behaving as we expect:
(Before telnet and ssh attempts)
R1#sh line
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
*    0 CTY              -    -      -    -    -     15       1     0/0       -
       Ready
     1 AUX   9600/9600  -    -      -    -    -      0       0     0/0       -
       Ready
     2 VTY              -    -      -    -    -     11       0     0/0       -
       Ready
     3 VTY              -    -      -    -    -      3       0     0/0       -
       Ready
(after ssh and telnet attempts)
R1#sh line
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
*    0 CTY              -    -      -    -    -     15       1     0/0       -
       Ready
     1 AUX   9600/9600  -    -      -    -    -      0       0     0/0       -
       Ready
     2 VTY              -    -      -    -    -     12       0     0/0       -
       Ready
     3 VTY              -    -      -    -    -      4       0     0/0       -
       Ready
So each vty was incremented one time as you would expect.
Now simply point each named authentication method list at TAC+ instances with
different user communities.
--
=========
bep
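Added example (not part of Bruce's post): a complete IOS configuration that puts the per-vty split above together with the AAA pieces the quoted snippet leaves out, so it can be pasted onto a lab router and tested the same way. The server addresses, the TACACS+ keys, the server-group names, the local fallback user, the console method list, the ACL and the domain name are all assumptions; only the SSH-ONLY / TELNET-ONLY list names and the two vty lines come from the thread.

```ios
! Added example, not the original poster's config. Addresses, keys,
! group names, usernames and the ACL are assumptions for illustration.
aaa new-model
!
! One TACACS+ server per user community (assumed addresses and keys)
tacacs-server host 192.0.2.10 key SshCommunityKey
tacacs-server host 192.0.2.11 key TelnetCommunityKey
!
aaa group server tacacs+ TAC-SSH
 server 192.0.2.10
aaa group server tacacs+ TAC-TELNET
 server 192.0.2.11
!
! Named method lists: each vty picks one of these with "login authentication"
aaa authentication login SSH-ONLY    group TAC-SSH local
aaa authentication login TELNET-ONLY group TAC-TELNET
! Separate list for the console so an unreachable TACACS+ server
! cannot lock you out of the box entirely
aaa authentication login CONSOLE local
!
! Local fallback account used only by the SSH-ONLY and CONSOLE lists (assumed)
username admin privilege 15 secret ChangeMeNow
!
! SSH prerequisites: a host key must exist before SSH will listen.
! Run "crypto key generate rsa modulus 2048" in exec mode after this.
hostname R1
ip domain-name lab.example.net
ip ssh version 2
!
! Only the management subnet may reach the cleartext telnet line (assumed)
ip access-list standard MGMT-ONLY
 permit 192.0.2.0 0.0.0.255
!
line con 0
 login authentication CONSOLE
!
! vty 0 accepts only SSH and authenticates against the SSH community
line vty 0
 login authentication SSH-ONLY
 transport input ssh
!
! vty 1 accepts only telnet and authenticates against the telnet community
line vty 1
 access-class MGMT-ONLY in
 login authentication TELNET-ONLY
 transport input telnet
```

Because each vty admits exactly one transport, an incoming SSH connection can never be handed the telnet line (or vice versa), which is what answers the question in the quoted message: IOS allocates the lowest free vty whose transport input matches the connection, so the method list is selected by transport, not by chance. Note that with a single vty per transport only one session of each kind can be open at a time; use a range such as line vty 0 2 and line vty 3 4 if more concurrent sessions are needed, and keep in mind that transport input restricts which protocol reaches a line but does nothing about where it is reached from, which is why the telnet line also carries an access-class.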