ssh-works-without-aaa.html

---
url: /2008/08/ssh-works-without-aaa/
title: "SSH works without AAA"
date: "2008-08-07T07:55:00.003+02:00"
tags: [ security,access control,SSH ]
---

<div class="bloggerBody">I was always under impression that you have to configure AAA (even if you have local passwords) if you want to use SSH on a Cisco router. Based on the <a href="/2008/08/identifying-tacacs-failure/#comments">comment made by shef</a> I tried various options and found out that SSH works without AAA (at least in IOS releases 12.4 and 12.2SRC). In both cases, you can configure AAA authentication (using AAA servers or <a href="/2007/03/configure-local-authentication-with-aaa/">local passwords</a>) or <a href="/2006/12/local-username-authentication/">local username/password authentication</a> (you can also use <a href="/2007/03/enhanced-password-security-for-local/">enhanced password security</a>).<br/><!--more--><br/>This is the minimum configuration needed to support inbound SSH sessions on a router (you might want to add <strong>transport input </strong><strong>ssh</strong><strong> </strong>to the line configuration if you want to disable <em>telnet </em>access to the router):<br/><pre class="code"><ins class="corr" title="inserted on August 10th 2008 based on comment by Mao">hostname <em>name</em></ins><br/>!<br/>ip domain-name <em>name</em><br/>!<br/>crypto key generate rsa<br/>!<br/>! define local usernames, use passwords or secrets<br/>!<br/>username <em>a</em> password <em>b</em><br/>username <em>x</em> secret <em>y</em><br/>!<br/>ip ssh version 2<br/>!<br/>line vty 0 4<br/> login local</pre></div>