## Console Access
The **console line** is the physical access method via the device's console port. There is **only one** console line (`line console 0`).
### Basic Authentication
```none
line console 0
password cisco
login
```
- The `login` command tells the router to prompt for the password configured with `password`.
- If `login` is not specified, **no authentication** will be enforced on console access.
### Local Authentication
```none
username admin password cisco
line console 0
login local
```
- `login local` uses credentials from locally configured users.
- Users must enter both a **username** and **password** to gain access.
## VTY Lines (SSH)
VTY lines are **virtual teletype** lines used for remote access.
- VTY line numbers typically range from 0 to 15.
- This means **up to 16 users** can connect simultaneously.
### SSH-Only VTY with Local Login
```none
hostname R1
ip domain-name adamspera.dev
crypto key generate rsa modulus 2048
ip ssh version 2
username admin password cisco
line vty 0 15
login local
transport input ssh
exec-timeout 3 30
```
- `exec-timeout 3 30` sets an idle timeout of 3 minutes 30 seconds.
- `transport input ssh` allows only SSH (not Telnet).
- `crypto key generate rsa` is required to enable SSH.
- `ip ssh version 2` ensures modern SSH protocol usage.
## SCP Server
To copy files securely using SCP:
```none
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username admin privilege 2 secret cisco
hostname MyRouter
ip domain-name adamspera.dev
crypto key generate rsa modulus 2048
ip ssh version 2
line vty 0
transport input ssh
login authentication default
ip scp server enable
```
> Privilege level 2 is used since it is the lowest level before strict read only.
## Password Encryption
### Enable Password (Legacy)
```none
username admin password cisco
enable password cisco
```
```none
show running-config
> username admin password cisco
(config)# service password-encryption
show running-config
> username admin password 7 01100F175804
```
- Stored in **cleartext** unless encoded with `service password-encryption` (type 7).
- Not recommended for modern deployments, as type 7 is reversible and can be cracked easily.
### Enable Secret (Secure)
```none
username admin secret cisco
enable secret cisco
```
```none
show running-config
> username admin secret 5 $9$YeaXVbtVOzNIa
```
- Hashed using **MD5** by default (type 5).
- Overrides `enable password` if both are configured.
## IOS Login Enhancements
The `login block-for` command helps protect against **brute-force attacks**.
```plaintext
login block-for 60 attempts 3 within 10
```
> This means: If 3 failed attempts occur **within 10 seconds**, block logins **for 60 seconds**.
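
The checks from the sections above can be run against a saved configuration. The following is an added example, not part of the original notes: the `audit` function, its finding strings and the sample config are constructed for illustration, and it assumes `show running-config` layout, where sub-commands under a `line` block are indented by one space.

```python
import re

# Constructed sample in "show running-config" layout (sub-commands indented one space).
SAMPLE_CONFIG = """\
enable password cisco
username admin password 7 01100F175804
username ops secret 5 <hash-placeholder>
ip ssh version 2
line con 0
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input telnet ssh
"""

def audit(text):
    """Return findings for the weaknesses described in the sections above."""
    global_cmds, lines, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith("line "):          # start of a console/vty block
            current = raw.strip()
            lines[current] = []
        elif current is not None and raw.startswith(" "):
            lines[current].append(raw.strip())
        else:                                # back at global configuration level
            current = None
            global_cmds.append(raw.strip())
    findings = []
    for cmd in global_cmds:
        m = re.match(r"username (\S+) (?:privilege \d+ )?password\b", cmd)
        if m:
            findings.append(f"user {m.group(1)}: 'password' instead of 'secret'")
        if cmd.startswith("enable password"):
            findings.append("enable password configured; use enable secret")
    if "ip ssh version 2" not in global_cmds:
        findings.append("SSH version 2 not enforced")
    if not any(c.startswith("login block-for") for c in global_cmds):
        findings.append("no login block-for brute-force throttle")
    aaa = "aaa new-model" in global_cmds     # with AAA, lines authenticate via method lists
    for name, cmds in lines.items():
        if not aaa and not any(c.startswith("login") for c in cmds):
            findings.append(f"{name}: no login command, access is unauthenticated")
        if name.startswith("line vty") and "transport input ssh" not in cmds:
            findings.append(f"{name}: transport input is not SSH-only")
    return findings
```

On the sample, `audit(SAMPLE_CONFIG)` reports the `enable password`, the `admin` user stored with `password`, the missing `login block-for`, the unauthenticated console, and the VTY range that still accepts Telnet.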