Rescue CD/distribution that enables ssh/telnet on boot?

Similar Messages

• Setting VTY lines for SSH % Telnet only

  Hello,
  First off I apologize if this is the wrong section to post in or if there has already been a thread made for this particular problem however I've yet to find a solution that works.
  I am configuring a 1841 router running IOS Version 12.4(15)T1
  I am trying to set the vty lines to accept only telnet and ssh connections.
  I am using these commands:
  R1(config)# line vty 0 15
  R1(config-line)# password ciscovtypass
  R1(config-line)# login local
  R1(config-line)#transport input telnet ssh
  When I enter the "transport input telnet ssh" , I receive the error "Invalid input detected at '^' marker" and points to the word ssh.  I can successfully use "transport input telnet" and "transport input ssh" by themselves, however when I try to set them both on the same line is when i get the error.  And setting them both one after another overwrites the previous.  Any help would be much appreciated, thanks. 

  The suggestion from Leo would certainly allow both telnet and SSH. But it also allows some other protocols (they are not common in today's networking environment - but the original question was quite specific that they want to allow only 2 protocols and not all protocols). So let us look for answers that may help Michael.
  My first thought was to wonder if SSH has been fully enabled and whether this might be a factor in the problem. Michael indicates that transport input ssh works ok and that seems to indicate that enabling SSH is not the issue. But I would still feel better if Michael would post the output of show ip ssh
  I wonder if there is an order dependency in which one of the protocols must be entered first. I suggest trying this
  line vty 0 15
  transport input telnet ?
  and
  transport input ssh ?
  and see if one of them indicates that the other protocol is an option.
  HTH
  Rick

• Enabling SSH and disabling Telnet

  I am trying to enable SSH on a 3560G switch so I can disable Telnet.
  Some have mentioned to do an "sh ssh" to see if I have ssh on the switch. It doesn't show. I also have done "transport input ssh" and ssh isn't a valid input method.
  So I decided to upgrade the IOS on the switch. I am now at 12.2(52) SE.
  But I still cannot configure SSH. I get the same results as mentioned above.
  Since this is the latest version of IOS can I not assume that it contains SSH? Or do I need to download a different version of IOS that specifically has SSH in it?
  Thanks for your help

  Yup, you need a K9/CRYPTO image, e.g:
  c3560-ipservicesk9-mz.122-52.SE.bin
  You can use the feature nagivator to search for images with 'Secure Shell' support:
  www.cisco.com/go/fn
  It can be either .tar or .bin does not matter. The .tar image includes the web-gui files (alongwith the .bin IOS image) and does not affect the SSH capability.
  Regards
  Farrukh

• Enabling SSH on SG300-20

  I had some issues with this, and was not able to find an answer in the help or searching the web. In order to help the next person, here are the instructions:
  I have a brand new SG 300-20 switch, and I am attempting to add ssh to the login capabilities.
  Using the web interface I have enabled SSH Service in the Security-TCP/UDP Services.
  I am not able to access ssh, port scans (nmap) also do not show port 22 open.
  The missing key is the generation of SSH crypto keys.
  1. Using the web interface enabled telnet in the Security-TCP/UDP Services section
  2. Log in via telnet
  3. Traverse tree to : System Configuration Menu - Management Settings - SSH Configuration - SSH Crypto Key Generation
  4. Choose the Execute action.
  That's it.
  ssh away !

  Hi
  I used your method to generate a RSA key.
  I gotta say when i had a look at the algorithm used, as per the screen capture below.
  I saw AES256 with Cipher block chaining.. sure looks pretty darn secure.
  US government standards body produced the following;
  http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf
  According to section 2 of that document i am pretty happy  and not concerned, cipher block chaining of AES-256.
  This is very strong encryption..
  I have attached a SSH wireshark capture of my SSH exchange between my PC and my SG300-10P
  If you get can figure my userid, i will absolutely forward this posting to the Cisco Small Business Switch Product management team for immediate action .
  regards Dave

• Enabling ssh with a startup config or similar?

  Hello,
  Im am currently testing the new features of IOS 12.2 55 SE1 called "Smart Install".
  I got it working even though it still has many issues but that's probably because it is a very new functionality.
  Anyways, we are using it currently in a lab-environment to test the "zero-touch" replacement of defective Switches. In that case the Director of the SI Network knows what config the defective Switch has saved last.
  It then uses that exact config to deploy to the replaced switch as a startup config.
  For Security Reasons we have the command "transport input ssh" on all lines enabled. (Makes sense if you want to shut out telnet).
  Now, when the new Switch receives the IOS Update (which is also delievered in Smart Install) and therefore reboots, it now uses our startup config.
  With the above mentioned command "transport input ssh" on the lines, we have no way of connecting to the newly replaced switch.
  "Crypto keys cannot be generated on startup" is the message I see on the Serial-Console output.
  Has anyone got an idea how we could work around this?
  Is there a way to tell a switch he has to generate an rsa certificate to enable ssh without "touching" it?
  I know that with the command "transport input all" this issue would not be an issue, but that is not an option for a possible productive Release. Since we are using a config of a switch that was running productively, the running config cannot allow telnet to be used..
  I have asked Google, used this forum's search functionality and found nothing. I am absolutely sure though, that this is an issue many Cisco Users have to work with, so I was suprised not to find anything.
  Details of our lab:
  Director Switch: C3560 with IOS 12.2 55 SE1
  Client Switch (to be replaced): C2960 IOS 12.2 55 SE1
  Both have the crypto-image installed.

  Hello Richard,
  Thanks for your answer.
  Smart Install gets the config to the new switch by telnet. Since a factory-new Switch can do telnet, the initial config comes from the director. It connects to the switch over a non-standard telnet port and issues the copy command to get the startup config from the tftp server. After that it does the same with the IOS. We can't really do anything because every interaction with the new switch stops the smartinstall process.
  In your desscribed solution (I will test it later this week) it could be a working solution for deploying new switches.
  In my Scenario however there currently seems to be no way to enable ssh when the startup config is the last known configuration from the switch that died, beacuse this startup config we cannot manually edit (it would defeat the purpose of this feature), since it is backed up by the director and the logic of deciding wheter or not this config is to be used runs on the director.
  I am in contact with "our guys" from cisco, and they are trying to get feedback from the developer team of this feature. I will keep testing new releases for this issue and will report any progress.

• QoS: Locally sourced SSH/Telnet/...

  Doing some packet sniffing at the moment. I noticed that SSH/Telnet packets that are returning from Cisco Catalyst 3750 switches and Cisco 2800 routers are being marked with CS6. I was aware about Control Plane protocols that mark traffic with CS6/CS7, like IP Routing Protocols, STP, NHRP and others. Haven't heard anything about SSH/Telnet though. Those belong to Management Plane. Have googled for hours to find any Cisco document with the full list of protocols and how those are being marked (CS6/CS7) if sourced locally. Found nothing.
  Anyone to spill the bins?
  Much appreciate

  Thanks for your input... Although it haven't made it clear
  Here's my config
  C3750#sh run all | inc ip.ssh|ip.telnet
  ip ssh time-out 120
  ip ssh authentication-retries 5
  ip ssh break-string ~break
  ip ssh dh min size 1024
  C3750(config)#ip ssh dscp ?
    <0-63>  ip dscp value (default value 0 )
  Looks odd to me. As I said, Wireshark displays all returning SSH frames (that is, originated on switch) with 802.1p = 6 and DSCP = CS6. The output above states the default value has to be 0, and I don't have any commands that rewrite the default behaviour.
  I have QoS enabled on the switch (mls qos) with relevant maps created. I do not have any QoS policies for the locally originated traffic in place (i.e. ip policy globall command).
  Strange

• Is there any way to enable SSH via Terminal in the OSX Installer utility list?

  Hi guys, I've messed up my install a little on my internal HDD.. I can't boot into OSX as I keep getting kernel panics on boot. I was just wondering if there's any way I can SSH into my Mac Pro via the Terminal on the OSX Installer Utilities list.. I have a Macbook Pro to SSH from but I need a way to enable SSH via that Terminal "-bash-3.2#"..
  I've tried to use the systemsetup -setremotelogin on command but I know SSH requires login keys and as I have no idea what can be used as those keys for the OSX Installer version of Terminal I have no idea how I can enable SSH..
  Tried some sudo commands but as I guess it runs at a completely different level to sudo it won't actually recognise the sudo command..
  Any help would be greatly appreciated guys, if you need me to post any info or results to help then just let me know.
  Thanks alot
  Chris

  If your Mac cannot boot to the OS X installation then you will not be able to set up the SSH (Remote Login) sharing service. The OS X installer does not support any of the system's sharing services. Technically it does have the sshd daemon (server process) that you can set up to accept a connection; however, this will not give you any additional benefit.
  The only reason to SSH into the system would be to get to the Terminal command prompt anyway, which is available when you boot to the Recovery HD partition and choose Terminal from the Utilities menu. If you were to set up SSH and log in, you would still only have the functionality provided by the Terminal in the Utilities menu, and not have access to your Mac's full OS installation.

• How to enable rsh/telnet/rlogin

  Hi Followed the instructions at:
  http://docs.info.apple.com/article.html?artnum=106274
  to enable rsh/telnet/rlogin services, and restarted the
  machine (MacBook Pro, OS X 1.4, Darwin Kernel Version 8.6.1).
  Still I can't remotely do telnet/rsh/rlogin to the mac
  (get conenction refused error) from a Unix machine.
  Could someone tell me how to enable these services
  (right now ssh is the only one enabled by default,
  the machine is within a firewall, and for some applications,
  we need to enable rsh/rlgoin/telnet/ftp etc).
  Thanks.
  Macbook Pro   Mac OS X (10.4)  

  Hi Followed the instructions at:
  ttp://docs.info.apple.com/article.html?artnum=106274
  to enable rsh/telnet/rlogin services, and restarted
  the
  machine (MacBook Pro, OS X 1.4, Darwin Kernel Version
  8.6.1).
  Still I can't remotely do telnet/rsh/rlogin to the
  mac
  (get conenction refused error) from a Unix machine.
  If your firewall is activated
  then you have to add 3 new filter rules:<pre>
  Port Name: Other
  TCP Port Number(s): 514
  UDP Port Number(s):
  Description: rsh
  Port Name: Other
  TCP Port Number(s): 513
  UDP Port Number(s):
  Description: rlogin
  Port Name: Other
  TCP Port Number(s): 23
  UDP Port Number(s):
  Description: telnet
  </pre>
  You don't have to restart your Mac or your session.
  You could test it pretty quickly by doing a:<pre>
  telnet localhost
  rlogin localhost
  rsh localhost pwd
  </pre>
  dan    

• Enabling SSH user equivalence resets umask to 0077

  Hi,
  I'm about to install Oracle 10g RAC on Red Hat Linux AS/ES 40 update 2. While configuring Secure Shell I noticed that after I enabled SSH user equivalence, umask gets changed from 022 to 077. Guess I could change umask to 022 before installing the software but is this supposed to happen?
  Thanks,

  I noticed umask had changed to 077 when I enabled user equivalence to log into a remote server without having to enter a password.
  $ umask
  0022
  $ /usr/bin/ssh-agent $SHELL
  $ /usr/bin/ssh-add
  Enter passphrase for /home/oracle/.ssh/id_rsa:
  Identity added: /home/oracle/.ssh/id_rsa (/home/oracle/.ssh/id_rsa)
  Identity added: /home/oracle/.ssh/id_dsa (/home/oracle/.ssh/id_dsa)
  $ umask
  0077

• How step by step enable ssh service in switch small bussines?

  HI,
  I upgraded Firmware on switch smallbussines 200, but I don't know how enable SSH.
  Could somebody step by step how will do that?

  Hi,
  with SSH you can't connect by web browser, you can only connect to the cli.
  If you want more security with your web browser enable https as shown in my first screen.
  In your SSH configuration you set up an SSH user and password, is that the correct method you try to connect?
  the more easiest way to connect is with an rsa public key, so server and client exchange the keys by themselves.
  To do so, look at my second screen. Sry but i have only an sf302-08 for showing purposes, so i used your screen and marked the steps.
  1. Delete the RSA und DSA key by marking them and klick on delete
  2. Mark as user authentication "by RSA public key" and klick on apply
  3. check the TCP/UDP services, SSH must be enabled manually (screen1)
  4. reboot the switch
  Now try to connect to the switch by putty or another ssh capable switch.
  regards

• ASA ssh,telnet.jar smart tunnels problems

  Hi
  From my asa I'm trying to gain access to some servers Linux (no local firewalls on them) from the clientless session using the ssh,telnet jar plugin.
  The plugin starts and shows the login prompt and then I enter the correct user name and passwords and then I'm left with a black square.
  Any suggestions for debugging?
  ASA runnig 9.1, the problem is to both Linux boxes and a IOS router.

  On testing the above even further, I seem to have an issue...
  With the following configuration loaded...
  aaa-server TLS-ACS5 protocol tacacs+
  aaa-server TLS-ACS5 (inside) host 10.0.20.200
  key passme123
  aaa authentication ssh console TLS-ACS5 LOCAL
  aaa authentication telnet console TLS-ACS5 LOCAL
  aaa authentication ssh console TLS-ACS5 LOCAL
  aaa authentication telnet console TLS-ACS5 LOCAL
  aaa authentication enable console TLS-ACS5 LOCAL
  With the PIX in communication with the ACS the above works well, with me successfully logging in with credentials added to the ACS.
  On testing this further I have taken the link down between the PIX and the ACS (to recreate a failure scenario).  I can still login using the internal (LOCAL) username & password.  This seems to work fine, however if I try to access the exec-privilege mode (i.e. enable) the PIX does not except the enable password added to the configuration moreover it prefers the same password used for creating the initial user.
  username admin-user password adminpass123 encrypted
  enable password enablepass123 encrypted
  For example; with the above lines in the running configuration of the PIX , I can login into PIX using admin-user and enter the password adminpass123. However, if I try and then go onto access exec-privilege mode (i.e. enable) the PIX does not except the password "enablepass123" put does except "adminpass123"... this is even with "aaa authentication enable console TLS-ACS5 LOCAL" added to the running configuration.
  Has anyone else seen this issue on a PIX/FW. Am I missing something from my configuration? Does anyone know of a workaround to this issue or is it just something I have to live with?

• CiscoWorks:Archieve configurations of routers/switches with only ssh/telnet

  Hi,
  I want to do the archieve configurations of couple of routers/switches with only ssh/telnet and rest thousands of devices will be via snmp.
  Currently I am backing up the configurations of thoudands of  routers/switches via snmp, as snmp is configured on them, but couple of routers/switches are external and snmp is not configured on them so I want to get their configuration via ssh/telnet only.
  Please advise me that is it possible to do the archieve configurations of routers/switches with only ssh/telnet?
  I am using the
  LMS: 1.2.0
  RME: 4.3.0
  CS:    3.3.0
  CM:   5.2.1
  DFM: 3.2.0
  Thanks

  The config archive protocol order applies to all devices universally.  Since you are using TFTP for most of your devices, I recommend you leave TFTP at the top of the protocol order list.  Add TELNET and SSH below TFTP.  The external devices will be attempted with SNMP/TFTP, but those operations will fail.  RME will then fall back to TELNET then to SSH.  It will eventually fetch the configuration successfully.

• Ssh, telnet, ftp & tftp services stop working

  I have a new SunV245 running Solaris 9 that when I start the server up everything works good, but after 8-12 hours the network type services quit working (ssh, telnet, ftp, & tftp) however I can still ping the interfaces so the network is there. I reboot and everything starts working again. Has anyone seen this before? Is there some kind of power save option that could be shutting the inetd type services down?

  Cat and Maximo,
  > Let me try to get that straight. Your BM does static NAT for your
  > mailserver (and other boxes), and suddenly UDP and ICMP from these
  > natted servers through the BM still works, but TCP doesn't?
  Yes. That's what it looks like.
  > Can you still do TCP *to* the BM from the natted devices when that
  > happens? As you say your proxy continues to work, it sounds as if TCP in
  > general on the server continues to work, but does it also work from the
  > mailserver?
  Everyone browsing via BM proxy continues with no interuption.
  The mail server can telnet to any other server on the internal LAN but
  nothing past BM. DNS continues working for the mail server too.
  > If really nothing changed, this might be a (succesful) DOS attack of
  > some sort. I wonder if a LAN trace could reveal anything of interest.
  Do you mean port scan the BM server?
  I know that "nothing has changed" is a loaded statement. The only thing
  (that I know of) that has changed relatively recently is the addition of
  the Squid server. It has been running behind the BM server for about 3
  weeks. Recently I added a filter exception allowing the Squid server to
  access higher ports (dyn/tcp).
  But, as I noted before, I think removing ipflt should eliminate any
  doubts there. Is there some way Squid could be corrupting something there?
  The problem was compounded this morning (saturday). I came in today so I
  would have the network essentially to myself. But, to my surprise,
  everything was ok.
  Cat, You're right. This server is no spring chicken. It is an IBM
  Netfinity 3000. Its probably 3 or 4 years old (maybe more). I will think
  about this as a hardware problem but I just wish the thing would die
  altogether and get it over with. :o)
  Thanks,
  Brian

• Not able to enable SSH user equivalency for RAC on RHEL 4

  Hi All,
  I am trying to install oracle RAC 11g on RHEL4 (on VMware), I am using below document for reference.
  http://www.oracle-base.com/articles/11g/OracleDB11gR1RACInstallationOnOEL5UsingVMware.php
  Every thing went fine till "SSH user equivalency", but I am not able to SSH and SCP between servers without entering passwords.
  I have tried removing .ssh folder & recreating pub file twice but it did not helped.
  am i missing something?
  Please advice.
  Thanks,
  Abhay.

  Configure SSH on each node in the cluster. Log in as the "oracle" user and perform the following tasks on each node.
  su - oracle
  mkdir ~/.ssh
  chmod 700 ~/.ssh
  /usr/bin/ssh-keygen -t rsa # Accept the default settings.
  The RSA public key is written to the ~/.ssh/id_rsa.pub file and the private key to the ~/.ssh/id_rsa file.
  Log in as the "*oracle*" user on RAC1, generate an "authorized_keys" file on RAC1 and copy it to RAC2 using the following commands.
  su - oracle
  cd ~/.ssh
  cat id_rsa.pub >> authorized_keys
  scp authorized_keys rac2:/home/oracle/.ssh/
  Next, log in as the "oracle" user on RAC2 and perform the following commands.
  su - oracle
  cd ~/.ssh
  cat id_rsa.pub >> authorized_keys
  scp authorized_keys rac1:/home/oracle/.ssh/
  The "authorized_keys" file on both servers now contains the public keys generated on all RAC nodes.
  To enable SSH user equivalency on the cluster member nodes issue the following commands on each node.
  ssh rac1 date
  ssh rac2 date
  ssh rac1.localdomain date
  ssh rac2.localdomain date
  exec /usr/bin/ssh-agent $SHELL
  /usr/bin/ssh-add
  You should now be able to SSH and SCP between servers without entering passwords.
  hope, this may helps you.
  enjoy.
  if you are unable to resolve it, please refer:-
  http://download.oracle.com/docs/cd/B28359_01/rac.111/b28252/preparing.htm#BGBBDHIB
  http://dsstos. blogspot.com/2009/03/linux-oracle-rac-and-bonding-conundrum.html

• I am working with iPhoto 9.  When I choose a layout that enables me to write something, the print is so small I cannot read it.  How do I enlarge the print so I can correct mistakes.

  I am making an iPhoto Book in iPHoto 9.  When I choose a layout that enables me to write something the print is so small that I cannot see what I have written to correct any errors.  How can I make this print larger?

  In the lower menu bar click the Settings icon. You will see all the fonts and sizes for different locations for typing there.