Solved Hi guys, can you please help me with some confusion about setting up for SSH?

---

Hi guys, can you please help me with some confusion about setting up for SSH? I recently went through your CCENT video of Basic Switch Configuration for the fourth time. This time, as I did, I built a spreadsheet detailing each step nessesary to do a basic switch config, and as usual (just for me that is) I ran into some confusion at this command right here:

(config)#username admin priv 15 secret XXXXXXX

Now the privilege level seems makes it clear that it is the same level of privilege as the enable password.

But in our production machines when we log into our devices on SSH we get logged in with a unprivileged mode password and then get into the privileged mode with the enable password.

So this leaves me confused. Is the password in the above command our enable password, or is it our unprivileged mode password that allows us to log into SSH?

I hope this question makes sense. For me it was hard to even figure out how to present it.

@LARRY-MILLER-2,

For an SSH connection:

1. Configure hostname and domain name (set hostname and domain name for certificate)
2. Configure enable password (to get access to privileged mode)
3. Configure a login (username/password)
4. Configure crypto with a minimum of 1024 bit modulus
5. Configure SSH version 2 only
6. Configure vty lines to use the local username/password database
7. Configure vty access to SSH only.

Steps 2 and 3. Note the difference here, step 2 is for the level of access (similar to permission level) Step 3 is for WHO can access (authorization) setting the privilege level doesn't mean that an enable password has been set for access.

Switch>enable
Switch#config
Switch(config)# hostname SW1
Switch(config)#ip domain-name itpro.tv
SW1(config)#enable secret ciscosec
SW1(config#username Ronnie privilege level 15 secret cisco123

SW1(config)#crypto key generate rsa 1024
SW1(config)#ssh version 2

SW1(config)#line vty 0 15
SW1(config-line)#login local
SW1(config-line)#transport input ssh

Let me know if you have any more questions!

Wow Ronnie I sure feel dumb, because I am just not getting it. Let me try asking the question a different way. Below is a section of a script I have been Putting together as I follow along in your video. As you can see, when I start to build the switch the fifth command I send is to set the enable password. In this case I called it Ronnie. Because it's the mother of all passwords on the switch right?

Right after that I do the login passwords for the Console and VTY lines. I call them Ron,

Then here comes the part I have the confusion with.

As you look through this script we put together, and take into considering the other passwords in this script, which password fits in to the SSH area right near the bottom of this cut and paste? Is it my enable password, or my console and tty password?

Please take a quick glance below, and thank you again Ronnie for helping me :

config t
hostname Campus_Bld_Room_SW
!
int vlan 1
ip address 10.10.XX.XX 255.255.255.0
!
no shut
exit
!
ip default gateway 10.10.XX.XX
!
enable secret Ronnie
!
line console 0
password Don
login
exit
!
line vty 0 15
Config-line)# password Don
Config-line)# login
exit
!
config t
console 0
logging sychronous
exit
!
!
!
ip domain-name xxxxxxx.edu
aaa new-model
username admin priv 15 secret is it Ronnie or Don?
!
crypto key gen rsa
1024
!
transport input ssh
!

@LARRY-MILLER-2 said in Hi guys, can you please help me with some confusion about setting up for SSH?:

Wow Ronnie I sure feel dumb, because I am just not getting it. Let me try asking the question a different way. Below is a section of a script I have been Putting together as I follow along in your video. As you can see, when I start to build the switch the fifth command I send is to set the enable password. In this case I called it Ronnie. Because it's the mother of all passwords on the switch right?

Right after that I do the login passwords for the Console and VTY lines. I call them Ron,

Then here comes the part I have the confusion with.

As you look through this script we put together, and take into considering the other passwords in this script, which password fits in to the SSH area right near the bottom of this cut and paste? Is it my enable password, or my console and tty password?

Please take a quick glance below, and thank you again Ronnie for helping me :
ip domain-name XXXX.XXX
aaa new-model
username admin priv 15 secret is it Ronnie or Don?

The answer is neither in your config....
Once you've set your username/password with privilege level 15, in your vty lines you do not refer back to it again, you simply tell the vty to look at the local username/password database for login as in what I typed below.

SW1(config)#line vty 0 15
SW1(config-line)#login local (this tells the vty to look at the username password/database on the local device)
SW1(config-line)#transport input ssh

When you set the enable password (or secret) you're setting up a global password to gain access to the privilege mode, regardless of who is on the switch. When you create a username/password with a privilege level 15, you're saying that "Ronnie can login to the switch and get access to privilege mode." When he logs in he is dumped immediately into switch# if you' were to create a username/password (e.g. Larry/cisco1234 with no privilege level. what would happen when Larry tried to login? It would allow him to login with the password then dump him at "user exec" switch>

Ahhhhh. I think I may finally be getting it. I had a fundamental misunderstanding of the way things work. I thought the SSH was using the passwords previously set up, and just running a crypto program across the lines so that no one could see what was being typed.

Ronnie we are tasked with setting up switches so that all the networking team log in using SSH under admin, and a common password. Does this mean I can just reuse the enable password for the SSH setup above? Will the system let me do that?

Or do I need to do my entire initial config script pasted above differently?

@LARRY-MILLER-2 said in Hi guys, can you please help me with some confusion about setting up for SSH?:

Ahhhhh. I think I may finally be getting it. I had a fundamental misunderstanding of the way things work. I thought the SSH was using the passwords previously set up, and just running a crypto program across the lines so that no one could see what was being typed.

Ronnie we are tasked with setting up switches so that all the networking team log in using SSH under admin, and a common password. Does this mean I can just reuse the enable password for the SSH setup above? Will the system let me do that?
Or do I need to do my entire initial config script pasted above differently?

You should be able to use the same enable password on multiple devices since they are configured individually.

You just need to remember to change the your hostname on each device so that when you setup the SSH crypto it's keyed to the device's FQDN.