Troubleshooting: SSH Login Fails or Login Fails Through Telnet
Possible Causes
- The network connection is abnormal.
- The user name or password is incorrect.
- The server configuration is incorrect.
- The IP address of the client is blocked.
- The Telnet server is disabled by default and is not enabled.
- The encryption/decryption algorithm used by the STelnet client does not match that on the device.
- Management plane isolation is configured, and users do not log in through the management network port.
- (V200R019C10) The source interface of the SSH or Telnet server is configured.
- The SSH or Telnet port is blocked by a firewall between the client and the device.
Troubleshooting Procedure
Device Functioning as an STelnet Server
Perform the following operations after logging in to the device through the console port.
- Check whether the network connection is normal.
Before a user logs in to the device using SSH, reachable routes must exist between the client and the device. Ping the IP address of the SSH server from the client. If the ping fails, fix the link or routing fault first; the problem is then not specific to SSH. Only once the server is reachable does it make sense to troubleshoot the SSH connection setup itself.
- Check whether the user name and password are correct.
- Check whether the user name and password are the same as those configured on the SSH server. If they are inconsistent, enter the correct user name and password. If you are not sure whether the password is correct, perform the following operations to reconfigure the password:
- Log in to the device using a user account with a higher privilege level (at least level 3) than the previous user account, and configure a new password for the previous user account.
- Log in to the device through the console port and configure a new password.
The configuration method is as follows:
<AC> system-view
[AC] aaa
[AC-aaa] local-user test password irreversible-cipher huawei@1234
- If a user enters incorrect passwords three consecutive times within 5 minutes while the client is setting up an SSH connection, the client's IP address is locked for 5 minutes and cannot pass authentication during that time. Run the display aaa online-fail-record username username command in any view to check which client IP addresses are locked because of authentication failures. If the IP address of a client is locked, use one of the following methods:
- Wait for 5 minutes until the device automatically unlocks the IP address.
- Run the undo local-aaa-user wrong-password command in the AAA view to disable the lock function. The lock is the device's protection against password guessing, so prefer waiting out the lock; if you disable it during troubleshooting, re-enable it once the legitimate client can log in.
- Check whether the SSH server status on the server is normal.
- Log in to the device through a console port and run the display ssh server status command and ensure the following settings are correct:
- STelnet service status
- Timeout interval for SSH authentication
- SSH server port number
<AC> display ssh server status
 SSH version                        :2.0
 SSH connection timeout             :60 seconds   //Timeout interval for SSH connection authentication.
 SSH server key generating interval :0 hours
 SSH authentication retries         :3 times
 SFTP server                        :Disable
 Stelnet server                     :Disable      //The STelnet service is disabled.
 SSH server port                    :1026         //The server port has been changed. The default port number (22) is not displayed.
 SSH server source interface        :All
- If the STelnet service is disabled, run the stelnet server enable command in the system view to enable it.
- If the weak-encryption-algorithm plug-in is installed and the client only speaks an early SSH protocol version (later than or equal to 1.3 and earlier than 1.99), you can run the ssh server compatible-ssh1x enable command in the system view to let the server accept such clients. SSH1.x has known protocol weaknesses, so prefer upgrading the client to SSH 2.0 and leave this compatibility mode disabled.
- If the SSH authentication timeout interval is too short, users will fail to log in to the SSH server. Run the ssh server timeout seconds command in the system view to change the SSH authentication timeout interval.
- Ensure that the port number of the SSH server is consistent with that of the SSH client. SSH client can log in to the SSH server with no port number specified only when the port number of the SSH server is 22. If the SSH server uses another port, the port number must be specified when SSH clients log in to the SSH server. If the SSH server's port number has been changed, change the port number accordingly during the SSH login. For example, change the SSH server's port number to 1026 on PuTTY.
If you want clients to log in using the default port (22), delete the changed port configuration from the device:
[AC] undo ssh server port
Warning: The operation will disconnect all online users. Continue? [Y/N]:y
Info: Succeeded in changing SSH listening port.
- Check whether the VTY user interface configuration is correct.
Log in to the device through the console port. Check the VTY configuration, and ensure that the SSH protocol and AAA authentication have been configured for VTY channels.
The following example shows that AAA authentication and the SSH protocol have been configured.
<AC> system-view
[AC] user-interface vty 0 4
[AC-ui-vty0-4] display this
#
user-interface con 0
 authentication-mode password
 set authentication password cipher %^%#3]qy<(%O)95+([Fe0>o7PbnY=>Qr.05%,INA&}t1g}*^FA~qAL*($vVJa"]*%^%#
user-interface vty 0 4
 authentication-mode aaa    //AAA authentication has been configured.
 protocol inbound all       //all includes SSH, so the SSH protocol is bound (Telnet is allowed as well).
user-interface vty 16 20
 protocol inbound all
#
If the SSH protocol is not bound, run one of the following commands:
[AC-ui-vty0-4] protocol inbound ssh
or
[AC-ui-vty0-4] protocol inbound all
protocol inbound all also allows Telnet on these VTY user interfaces; bind only ssh unless Telnet is actually required.
- Check whether the SSH user configuration on the server is correct.
- Run the display ssh user-information command in any view to check whether the SSH user exists on the server.
<AC> display ssh user-information
-------------------------------------------------------------------------------
Username                Auth-type               User-public-key-name
-------------------------------------------------------------------------------
admin                   password                null
-------------------------------------------------------------------------------
The Username field displays the SSH user name. Based on this field, check whether the current user is displayed in the command output.
If the current user is not displayed in the command output, perform the following operations to add the user:
<AC> system-view
[AC] aaa
[AC-aaa] local-user test password irreversible-cipher huawei@123
[AC-aaa] local-user test service-type ssh
- Check whether the IP address of the client is permitted.
<AC> display current-configuration | include ssh
ssh server permit interface GigabitEthernet0/0/1   //Clients may connect only through GigabitEthernet0/0/1; connections through other interfaces are rejected.
By default, clients can connect through any physical interface of the SSH server. If the client reaches the device through an interface that is not permitted, either permit that interface with ssh server permit interface, or run the undo ssh server permit interface command in the system view to restore the default. Restricting access to the management interface is the more secure setting, so re-add the restriction once the legitimate path is known.
- Check whether a public key is configured on the device.
To avoid connecting to a bogus SSH server, the client verifies the server's identity during login: the server proves possession of its host private key with a digital signature, and the client checks that signature against the server public key it has saved. If the server's public key is not saved on the client, or the saved key does not match, server identity verification fails and the login is rejected. Therefore the server must have a local key pair, and the client must hold the correct public key (or fingerprint) of that server. A key mismatch is also exactly what a man-in-the-middle attack looks like, so confirm a changed fingerprint out of band before accepting it. Check whether a key pair exists on the device as follows:
- Run the following command to check whether the RSA public key is configured on the device.
[AC] display rsa local-key-pair public
Info: Local key pair is not generated.   //No RSA key pair exists.
- Run the following command to check whether the ECC public key is configured on the device.
[AC] display ecc local-key-pair public
Info: Local key pair is not generated.   //No ECC key pair exists.
If no key pair exists on the server, generate an RSA or ECC key pair as follows. Note that replacing an existing host key changes the server's fingerprint: every client that saved the old key will report a host key mismatch and must be updated with the new key.
[AC] rsa local-key-pair create   //Create an RSA key pair.
The key name will be: Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
       It will take a few minutes.
Input the bits in the modulus[default = 2048]:2048
Generating keys...
......................++++++++
........................................................++++++++
........+++++++++
.....+++++++++
[AC] ecc local-key-pair create   //Create an ECC key pair.
Info: The key name will be: AC6605_Host_ECC.
Info: The ECC host key named AC6605_Host_ECC already exists.
Warning: Do you want to replace it ? [Y/N]: Y
Info: The key modulus can be any one of the following : 256, 384, 521.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=521]:521
Info: Generating keys...
Info: Succeeded in creating the ECC host keys.
- Check whether an ACL is bound to VTY user interfaces on the SSH server.
Check the VTY configuration to determine whether an ACL rule is bound to VTY user interfaces.
For example, run the display this command to check whether an ACL has been bound to VTY 0 to VTY 4.
<AC> system-view
[AC] user-interface vty 0 4
[AC-ui-vty0-4] display this
#
user-interface con 0
 authentication-mode password
 set authentication password cipher %^%#3]qy<(%O)95+([Fe0>o7PbnY=>Qr.05%,INA&}t1g}*^FA~qAL*($vVJa"]*%^%#
user-interface vty 0 4
 acl 3000 inbound    //ACL 3000 is bound.
 authentication-mode aaa
 protocol inbound all
user-interface vty 16 20
 protocol inbound all
#
If an ACL is bound, check whether the IP address of the SSH client is denied by it. If so, delete the deny rule in the ACL view and add or correct a rule that permits the client's address. Keep the ACL scoped to the management hosts that need access rather than removing it altogether.
For example, an ACL is configured on the device and a deny rule is configured for the IP address (192.168.1.3) of an SSH client.
[AC-ui-vty0-4] display acl 3000
Advanced ACL 3000, 1 rule
Acl's step is 5
 rule 5 deny tcp source 192.168.1.3 0
[AC-ui-vty0-4] quit
Modify the ACL to allow the IP address of the SSH client to access the device.
[AC] acl 3000
[AC-acl-adv-3000] undo rule 5
[AC-acl-adv-3000] rule 5 permit tcp source 192.168.1.3 0
[AC-acl-adv-3000] display this
#
acl number 3000
 rule 5 permit tcp source 192.168.1.3 0
#
return
- Ensure that the encryption/decryption algorithm used by the SSH client matches that on the device.
- To ensure device security, some weak algorithms are disabled by default. If an old client can only negotiate such algorithms, you can re-enable them with the following commands; this requires the weak-encryption-algorithm plug-in to be loaded. Re-enabling 3DES, the MD5 and SHA-1 HMACs, or DH group1 lowers the security of every SSH session to the device, so treat it as a temporary measure and prefer updating the client (next step).
<AC> system-view
Enter system view, return user view with Ctrl+Z.
[AC] ssh server secure-algorithms cipher aes256_ctr aes128_ctr 3des aes128 aes256_cbc
Info:Insecure encryption algorithm is enabled,It is recommended to disable the insecure encryption algorithm.
[AC] ssh server secure-algorithms hmac sha2_256 md5 md5_96 sha1 sha2_256_96 sha1_96
Info:Insecure encryption algorithm is enabled,It is recommended to disable the insecure encryption algorithm.
[AC] ssh server key-exchange dh_group14_sha1 dh_group1_sha1 dh_group_exchange_sha1
Info:Insecure exchange algorithm is enabled,It is recommended to disable the insecure exchange algorithm.
- Replace the SSH client with a new one, such as PuTTY of the latest version.
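The algorithm mismatch described above is decided in the SSH_MSG_KEXINIT exchange: each side sends its algorithm name-lists, and for each category the first algorithm in the client's list that also appears in the server's list is chosen; an empty intersection ends the connection before authentication. The following added example (not device or PuTTY code) builds and parses a KEXINIT payload per RFC 4253 section 7.1 and runs that negotiation. The server lists are constructed to mirror the device commands above (Huawei names such as dh_group14_sha1 mapped to their standard SSH names, host key assumed to be ssh-rsa); the two client lists are assumptions standing for a strict modern client and the same client with one legacy key-exchange method added back.

```python
"""SSH KEXINIT build/parse and algorithm negotiation (RFC 4253 s7.1). Added example."""
import struct

SSH_MSG_KEXINIT = 20
# Name-list order is fixed by RFC 4253 section 7.1.
CATEGORIES = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]


def alg_set(kex, host_key, enc, mac, comp=("none",)):
    """Full KEXINIT algorithm dict; both directions get the same enc/mac/comp lists."""
    return {"kex": list(kex), "host_key": list(host_key),
            "enc_c2s": list(enc), "enc_s2c": list(enc),
            "mac_c2s": list(mac), "mac_s2c": list(mac),
            "comp_c2s": list(comp), "comp_s2c": list(comp),
            "lang_c2s": [], "lang_s2c": []}


# Constructed: what the device offers after the weak algorithms above are re-enabled.
SERVER = alg_set(
    kex=["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1",
         "diffie-hellman-group-exchange-sha1"],
    host_key=["ssh-rsa"],                       # assumption
    enc=["aes256-ctr", "aes128-ctr", "3des-cbc", "aes128-cbc", "aes256-cbc"],
    mac=["hmac-sha2-256", "hmac-md5", "hmac-md5-96", "hmac-sha1",
         "hmac-sha2-256-96", "hmac-sha1-96"])
# Assumed strict modern client: no SHA-1 key exchange at all.
STRICT_CLIENT = alg_set(
    kex=["curve25519-sha256", "ecdh-sha2-nistp256", "diffie-hellman-group16-sha512"],
    host_key=["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"],
    enc=["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes256-ctr", "aes128-ctr"],
    mac=["hmac-sha2-256", "hmac-sha2-512"])
# Same client with one key-exchange method the device offers added back.
COMPATIBLE_CLIENT = alg_set(
    kex=["curve25519-sha256", "diffie-hellman-group14-sha1"],
    host_key=["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"],
    enc=["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes256-ctr", "aes128-ctr"],
    mac=["hmac-sha2-256", "hmac-sha2-512"])
# Device command family that controls each category (from the commands above).
DEVICE_COMMAND = {"kex": "ssh server key-exchange",
                  "enc_c2s": "ssh server secure-algorithms cipher",
                  "enc_s2c": "ssh server secure-algorithms cipher",
                  "mac_c2s": "ssh server secure-algorithms hmac",
                  "mac_s2c": "ssh server secure-algorithms hmac"}


def _name_list(names):
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data          # uint32 length + comma-separated names


def build_kexinit(algs, cookie=b"\x00" * 16):
    """Serialize a KEXINIT payload: id, 16-byte cookie, 10 name-lists, flag, reserved."""
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for cat in CATEGORIES:
        payload += _name_list(algs.get(cat, []))
    payload += b"\x00"                                  # first_kex_packet_follows
    payload += struct.pack(">I", 0)                     # reserved
    return payload


def parse_kexinit(payload):
    """Inverse of build_kexinit; returns the category -> list dict."""
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    off, algs = 17, {}                                  # skip message id and cookie
    for cat in CATEGORIES:
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        raw = payload[off:off + n].decode("ascii")
        off += n
        algs[cat] = raw.split(",") if raw else []
    return algs


def negotiate(client, server):
    """Return ({category: chosen}, [categories with no common algorithm])."""
    chosen, failed = {}, []
    for cat in CATEGORIES[:8]:                          # language lists may legitimately be empty
        pick = next((a for a in client[cat] if a in server[cat]), None)
        if pick is None:
            failed.append(cat)
        else:
            chosen[cat] = pick
    return chosen, failed


def diagnose(client, server):
    """One line per failed category, naming the device command that governs it."""
    _, failed = negotiate(client, server)
    return [f"no common {cat}: client offers {','.join(client[cat])}; device accepts "
            f"{','.join(server[cat])} (device side: {DEVICE_COMMAND.get(cat, 'n/a')})"
            for cat in failed]


if __name__ == "__main__":
    for line in diagnose(STRICT_CLIENT, parse_kexinit(build_kexinit(SERVER))):
        print(line)
    print(negotiate(COMPATIBLE_CLIENT, SERVER)[0])
```

Run as written, the strict client fails only on key exchange, which is why the page's fix for this symptom is either the ssh server key-exchange command on the device or a client whose list overlaps the device's secure set. Note that with the compatible client the chosen cipher and MAC are still aes256-ctr and hmac-sha2-256: the order of the client's list, not the server's, decides the pick, so re-enabling 3DES on the device does not by itself downgrade a well-configured client.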
- Check whether management plane separation is configured.
For devices with management interfaces, such as AC6605, ACU2, and AC6805, check whether management plane separation is enabled. If this function is enabled, the system prohibits users from accessing the management plane through service interfaces. That is, users fail to log in to the device through non-management interfaces.
By default, management plane separation is enabled on the device. To log in through a service interface, run the mgmt isolate disable command to disable it. Disabling separation exposes the management plane on every service interface, so prefer logging in through the management interface and keep separation enabled wherever possible.
- Run the display mgmt interface command to check the management network port of the current device. Check whether the user logs in to the device through a non-management port.
# Display the management interface on the device.
<AC> display mgmt interface
---------------------------------------------------------------------------------
Interface name
---------------------------------------------------------------------------------
MEth0/0/1
---------------------------------------------------------------------------------
Count:1
- (V200R019C10) Check whether the source interface of the SSH server is configured.
In V200R019C10, if the AC's source interface is specified, users can log in to the AC only through the specified interface.
By default, no source interface is specified. According to the factory configuration file, for a device with an Ethernet management interface, the default source interface is the Ethernet management interface; for a device without an Ethernet management interface, the default source interface is VLANIF 1.
To reconfigure the source interface of the SSH server, run the ssh server-source -i { interface-type interface-number | all } command.
- After the parameter interface-type interface-number is specified, the connection to the device through any other interface is torn down.
- After the parameter all is specified, users can log in to the device through any interface. This configuration is not recommended due to low security.
- Check whether the SSH or Telnet port is blocked by a firewall.
- Run the display network status all command to check which ports and services the device is listening on. TCP port 23 is Telnet; SSH uses TCP port 22 unless the port was changed (see display ssh server status). In the following output only Telnet is listening, consistent with the STelnet service being disabled.
<AC> display network status all
Proto  Task/SockId  Local Addr&Port       Foreign Addr&Port      State
TCP    VTYD/1       0.0.0.0:23            0.0.0.0:0              Listening
TCP    VTYD/3       10.23.23.1:23         10.23.23.201:4332      Established
TCP6   VTYD/2       ::->23                ::->0                  Listening
UDP    NTPT/1       0.0.0.0:123           0.0.0.0:0
UDP    AGNT/1       0.0.0.0:161           0.0.0.0:0
UDP    RDS /1       0.0.0.0:1812          0.0.0.0:0
UDP    WEB /1       0.0.0.0:2000          0.0.0.0:0
UDP    L2_P/1       0.0.0.0:40000         0.0.0.0:0
UDP    NAP /1       0.0.0.0:53535         0.0.0.0:0
UDP6   NTPT/2       ::->123               ::->0
UDP6   AGT6/1       ::->161               ::->0
- Check the firewall policy between the client and the device to determine whether the Telnet or SSH port is blocked.
Device Functioning as a Telnet Server
Perform the following operations after logging in to the device through the console port. Telnet transmits user names, passwords and session data in cleartext; enable it only where STelnet cannot be used, and restrict the clients that may reach it with an ACL.
- Check whether the network connection is normal.
Before a user logs in to the device using Telnet, reachable routes must exist between the client and device. Ping the IP address of the server from the client to check whether the network between the client and server is available.
- Check whether the user name and password are correct.
The Telnet server supports password authentication and AAA authentication. By default, the authentication mode is AAA authentication.
- In AAA authentication mode, you need to check whether the user name and password are correct. If you do not know whether the password is correct, perform the following operations to change the password for the current user name:
- Run the system-view command to enter the system view.
- Run the aaa command to enter the AAA view.
- Run the local-user user-name password irreversible-cipher irreversible-cipher-password command to configure the password.
- In password authentication mode, check whether the password is correct. You can run the following commands to change the password:
- Run the system-view command to enter the system view.
- Run the user-interface vty first-ui-number [ last-ui-number ] command to enter the VTY user interface view.
- Run the authentication-mode password command to set the authentication mode to password.
- Run the set authentication password cipher command to set the authentication password.
- Check whether the Telnet server status on the server is normal. Run the display telnet server status command to check whether the following information is correct:
- Telnet service status
- Port number of the Telnet server
<AC> display telnet server status
 TELNET IPV4 server              :Enable
 TELNET IPV6 server              :Disable
 TELNET server port              :23
 TELNET server source interface  :All
- If the TELNET IPv4 server or TELNET IPv6 server field is Disable, run the telnet [ipv6] server enable command in the system view to enable the Telnet service.
- Ensure that the port number used by the Telnet client matches that of the Telnet server. A Telnet client can log in without specifying a port only when the server listens on port 23. If the Telnet server uses another port, either specify that port on the client, or run the telnet server port 23 command in the system view to restore the default port.
- Check whether the VTY user interface configuration is correct.
- Log in to the device through the console port. Check the VTY configuration, and ensure that the Telnet protocol has been configured for VTY channels.
<AC> system-view
[AC] user-interface vty 0 4
[AC-ui-vty0-4] display this
#
user-interface con 0
 authentication-mode password
 set authentication password cipher %^%#3]qy<(%O)95+([Fe0>o7PbnY=>Qr.05%,INA&}t1g}*^FA~qAL*($vVJa"]*%^%#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh    //The Telnet protocol is not bound.
user-interface vty 16 20
 protocol inbound all
#
If the Telnet protocol is not bound, perform the following operations:
[AC-ui-vty0-4] protocol inbound telnet
or
[AC-ui-vty0-4] protocol inbound all
- Check the login authentication mode. Currently, the following authentication modes are mainly used:
- authentication-mode password: password authentication mode
- authentication-mode aaa: AAA authentication mode
<AC> system-view
[AC] user-interface vty 0 4
[AC-ui-vty0-4] display this
#
user-interface maximum-vty 15
user-interface con 0
user-interface vty 0 14
 authentication-mode aaa
 user privilege level 3
 protocol inbound ssh
user-interface vty 16 20
If password authentication mode is configured in the VTY user interface, you must configure the login password in the VTY user interface view. You can run the display this command in the VTY user interface view to check whether the login password is configured. If not, run the set authentication password cipher command in the VTY user interface view to configure it.
If AAA authentication mode is configured in the VTY user interface, you must create a local AAA user. You can run the display this command in the AAA view to check the configuration. You must specify the level and service type for the account; otherwise, you cannot use this account to log in to the device.
For example, to configure the user admin with the password Huawei@123: if the account configuration is incorrect, run the aaa command to enter the AAA view, reconfigure the account with the following commands, and log in to the device again.
[AC] aaa
[AC-aaa] local-user admin password irreversible-cipher Huawei@123
[AC-aaa] local-user admin service-type telnet http terminal
- In AAA authentication mode, if a user enters incorrect passwords three consecutive times within 5 minutes while the client is setting up a Telnet connection, the client's IP address is locked for 5 minutes and cannot pass authentication during that time. Run the display aaa online-fail-record username username command in any view to check which client IP addresses are locked because of authentication failures. If the IP address of a client is locked, use one of the following methods:
- Wait for 5 minutes until the device automatically unlocks the IP address.
- Run the undo local-aaa-user wrong-password command in the AAA view to disable the lock function. The lock is the device's protection against password guessing, so prefer waiting out the lock; if you disable it during troubleshooting, re-enable it once the legitimate client can log in.
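The lock rule in the SSH and Telnet checks above (three consecutive failures within 5 minutes locks the client IP for 5 minutes) is a sliding-window count per source address. The following added example (not Huawei code) implements that rule over login records so that you can tell from a log export which clients would have been locked and when, instead of guessing from the symptom. The log format (timestamp, client IP, user, result) is constructed for the example; real device logs are formatted differently and would need their own parser.

```python
"""Sliding-window detection of the AAA lockout condition. Added example, not device code."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 3                        # consecutive failures that trigger a lock
WINDOW = timedelta(minutes=5)        # the failures must fall within this window
LOCK_DURATION = timedelta(minutes=5)  # how long the client IP stays locked

# Constructed sample records (not real device output): 192.168.1.3 fails three times
# inside 5 minutes, 192.168.1.4 has a success in between, 192.168.1.5 is too slow.
SAMPLE_LOG = """\
2024-03-01 10:00:05 192.168.1.3 admin FAIL
2024-03-01 10:01:10 192.168.1.3 admin FAIL
2024-03-01 10:02:30 192.168.1.3 admin FAIL
2024-03-01 10:03:00 192.168.1.3 admin FAIL
2024-03-01 10:00:20 192.168.1.4 admin FAIL
2024-03-01 10:00:40 192.168.1.4 admin OK
2024-03-01 10:07:00 192.168.1.4 admin FAIL
2024-03-01 10:08:00 192.168.1.4 admin FAIL
2024-03-01 10:20:00 192.168.1.5 test FAIL
2024-03-01 10:21:00 192.168.1.5 test FAIL
2024-03-01 10:27:00 192.168.1.5 test FAIL
"""


def parse_line(line):
    """One constructed record -> (timestamp, client_ip, user, result)."""
    date, time_, ip, user, result = line.split()
    return datetime.fromisoformat(f"{date} {time_}"), ip, user, result


def find_locks(log_text):
    """Return {client_ip: [lock_start, ...]} for every IP that met the lock threshold.

    A success clears the streak (the rule says 'consecutively'); attempts made while an
    IP is already locked cannot authenticate and do not start a new count.
    """
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e[0])
    streak = defaultdict(deque)       # ip -> timestamps of recent consecutive failures
    locked_until = {}
    locks = defaultdict(list)
    for ts, ip, _user, result in events:
        if ip in locked_until and ts < locked_until[ip]:
            continue                  # attempt during the lock period
        if result != "FAIL":
            streak[ip].clear()        # success breaks the consecutive run
            continue
        q = streak[ip]
        q.append(ts)
        while q and ts - q[0] > WINDOW:   # drop failures older than the window
            q.popleft()
        if len(q) >= THRESHOLD:
            locks[ip].append(ts)
            locked_until[ip] = ts + LOCK_DURATION
            q.clear()
    return dict(locks)


def is_locked(locks, ip, at):
    """True if `ip` is inside a lock period at time `at`."""
    return any(start <= at < start + LOCK_DURATION for start in locks.get(ip, []))


if __name__ == "__main__":
    for ip, starts in find_locks(SAMPLE_LOG).items():
        print(ip, "locked at", ", ".join(s.isoformat() for s in starts))
```

Only 192.168.1.3 is locked (at 10:02:30, the third failure); its fourth attempt at 10:03:00 falls inside the lock and is the kind of failure a user reports as "the password is correct but login still fails". The same window logic is what a SIEM rule for management-plane brute force should implement, with the threshold lowered if you want to alert before the device locks anyone out.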
- Check whether the IP address of the client is permitted.
<AC> display current-configuration | include telnet
telnet server permit interface GigabitEthernet0/0/1   //Clients may connect only through GigabitEthernet0/0/1; connections through other interfaces are rejected.
By default, clients can connect through any physical interface of the Telnet server. If the client reaches the device through an interface that is not permitted, either permit that interface with telnet server permit interface, or run the undo telnet server permit interface command in the system view to restore the default. Restricting Telnet to the management interface is the more secure setting, so re-add the restriction once the legitimate path is known.
- Check whether an ACL is bound to VTY user interfaces on the Telnet server.
Check the VTY configuration to determine whether an ACL rule is bound to VTY user interfaces.
For example, run the display this command to check whether an ACL has been bound to VTY 0 to VTY 4.
<AC> system-view
[AC] user-interface vty 0 4
[AC-ui-vty0-4] display this
#
user-interface con 0
 authentication-mode password
 set authentication password cipher %^%#3]qy<(%O)95+([Fe0>o7PbnY=>Qr.05%,INA&}t1g}*^FA~qAL*($vVJa"]*%^%#
user-interface vty 0 4
 acl 3000 inbound    //ACL 3000 is bound.
 authentication-mode aaa
 protocol inbound all
user-interface vty 16 20
 protocol inbound all
#
If an ACL is bound, check whether the IP address of the Telnet client is denied by it. If so, delete the deny rule in the ACL view and add or correct a rule that permits the client's address. Keep the ACL scoped to the management hosts that need access rather than removing it altogether.
For example, an ACL is configured on the device and a deny rule is configured for the IP address (192.168.1.2) of a Telnet client.
[AC-ui-vty0-4] display acl 3000
Advanced ACL 3000, 1 rule
Acl's step is 5
 rule 5 deny tcp source 192.168.1.2 0
[AC-ui-vty0-4] quit
Modify the ACL to allow the IP address of the Telnet client to access the device.
[AC] acl 3000
[AC-acl-adv-3000] undo rule 5
[AC-acl-adv-3000] rule 5 permit tcp source 192.168.1.2 0
[AC-acl-adv-3000] display this
#
acl number 3000
 rule 5 permit tcp source 192.168.1.2 0
#
return
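Both the SSH and the Telnet ACL checks above come down to the same question: which rule does the client's source address hit first. Huawei ACL rules use wildcard masks rather than prefix lengths (a 0 bit must match, a 1 bit is ignored, and display acl prints a 0.0.0.0 wildcard as a bare 0), which is easy to misread when a range rule is involved. The following added example (not Huawei code) parses display acl output in the format shown above and evaluates a client address against it. The sample ACL is constructed from the page's output with a second, subnet-wide permit rule added; rules are assumed to be evaluated in ascending rule-number order (the default config match order), and what happens to a client that matches no rule is deliberately reported as no-match rather than assumed.

```python
"""Evaluate a Huawei-style advanced ACL against a client IP. Added example, not Huawei code."""
import ipaddress
import re

# Constructed from the display acl output above; rule 10 added to show a wildcard range.
SAMPLE_ACL = """\
Advanced ACL 3000, 2 rules
Acl's step is 5
 rule 5 deny tcp source 192.168.1.3 0
 rule 10 permit tcp source 192.168.1.0 0.0.0.255
"""

RULE_RE = re.compile(
    r"^\s*rule\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)"
    r"(?:\s+source\s+(?P<src>\S+)\s+(?P<wild>\S+))?")


def _to_int(addr):
    """Dotted quad -> int; display acl prints a 0.0.0.0 wildcard as the bare digit 0."""
    return int(addr) if addr.isdigit() else int(ipaddress.IPv4Address(addr))


def parse_acl(text):
    """Return the rules of a display acl dump, sorted by rule number."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue                 # header lines such as "Advanced ACL 3000, 2 rules"
        rules.append({"num": int(m["num"]), "action": m["action"],
                      "proto": m["proto"], "src": m["src"], "wild": m["wild"]})
    return sorted(rules, key=lambda r: r["num"])


def wildcard_match(addr, base, wildcard):
    """Huawei wildcard semantics: bits that are 0 in the wildcard must match."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


def evaluate(rules, client_ip, proto="tcp"):
    """(action, rule_number) of the first matching rule, or ('no-match', None)."""
    for r in rules:
        if r["proto"] not in (proto, "ip"):
            continue
        if r["src"] is None or wildcard_match(client_ip, r["src"], r["wild"]):
            return r["action"], r["num"]
    return "no-match", None


def fix_commands(acl_number, rules, client_ip, proto="tcp"):
    """CLI lines that replace a denying rule with a host-scoped permit, as done above."""
    action, num = evaluate(rules, client_ip, proto)
    if action != "deny":
        return []
    return [f"acl {acl_number}", f"undo rule {num}",
            f"rule {num} permit {proto} source {client_ip} 0"]


if __name__ == "__main__":
    rules = parse_acl(SAMPLE_ACL)
    for ip in ("192.168.1.3", "192.168.1.2", "10.0.0.9"):
        print(ip, evaluate(rules, ip))
    print("\n".join(fix_commands(3000, rules, "192.168.1.3")))
```

For the sample, 192.168.1.3 hits the deny in rule 5 before the subnet permit in rule 10, 192.168.1.2 is permitted by rule 10, and 10.0.0.9 matches nothing. The generated fix keeps the permit scoped to a single host (wildcard 0), which is what the procedure above does; widening it to a whole subnet should be a deliberate choice.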
- (V200R019C10) Check whether the source interface of the Telnet server is configured.
In V200R019C10, if the AC's source interface is specified, users can log in to the AC only through the specified interface.
By default, no source interface is specified. According to the factory configuration file, for a device with an Ethernet management interface, the default source interface is the Ethernet management interface; for a device without an Ethernet management interface, the default source interface is VLANIF 1.
To reconfigure the source interface of the Telnet server, run the telnet server-source -i { interface-type interface-number | all } command.
- After the parameter interface-type interface-number is specified, the connection to the device through any other interface is torn down.
- After the parameter all is specified, users can log in to the device through any interface. This configuration is not recommended due to low security.
- Check whether the SSH or Telnet port is blocked by a firewall.
- Run the display network status all command to check which ports and services the device is listening on. TCP port 23 is Telnet; SSH uses TCP port 22 unless the port was changed.
<AC> display network status all
Proto  Task/SockId  Local Addr&Port       Foreign Addr&Port      State
TCP    VTYD/1       0.0.0.0:23            0.0.0.0:0              Listening
TCP    VTYD/3       10.23.23.1:23         10.23.23.201:4332      Established
TCP6   VTYD/2       ::->23                ::->0                  Listening
UDP    NTPT/1       0.0.0.0:123           0.0.0.0:0
UDP    AGNT/1       0.0.0.0:161           0.0.0.0:0
UDP    RDS /1       0.0.0.0:1812          0.0.0.0:0
UDP    WEB /1       0.0.0.0:2000          0.0.0.0:0
UDP    L2_P/1       0.0.0.0:40000         0.0.0.0:0
UDP    NAP /1       0.0.0.0:53535         0.0.0.0:0
UDP6   NTPT/2       ::->123               ::->0
UDP6   AGT6/1       ::->161               ::->0
- Check the firewall policy between the client and the device to determine whether the Telnet or SSH port is blocked.
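The firewall check in both the STelnet and the Telnet procedures starts from the display network status all output, and the useful reading of it is "is there a listener on the port the client is trying to reach, before I blame the firewall". The following added example (not Huawei code) parses that output, which has a quirk worth handling in code: some Task/SockId values contain a space (RDS /1, WEB /1), so naive whitespace splitting shifts the columns, and IPv6 sockets print the port after -> rather than after a colon. The sample is the output shown above; the SSH port is a parameter because the page's device listens on 1026 instead of 22.

```python
"""Parse 'display network status all' and report Telnet/SSH listeners. Added example."""
import re

# Output as shown above on this page (a device sample, not a live capture).
SAMPLE = """\
<AC> display network status all
Proto  Task/SockId  Local Addr&Port       Foreign Addr&Port      State
TCP    VTYD/1       0.0.0.0:23            0.0.0.0:0              Listening
TCP    VTYD/3       10.23.23.1:23         10.23.23.201:4332      Established
TCP6   VTYD/2       ::->23                ::->0                  Listening
UDP    NTPT/1       0.0.0.0:123           0.0.0.0:0
UDP    AGNT/1       0.0.0.0:161           0.0.0.0:0
UDP    RDS /1       0.0.0.0:1812          0.0.0.0:0
UDP    WEB /1       0.0.0.0:2000          0.0.0.0:0
UDP    L2_P/1       0.0.0.0:40000         0.0.0.0:0
UDP    NAP /1       0.0.0.0:53535         0.0.0.0:0
UDP6   NTPT/2       ::->123               ::->0
UDP6   AGT6/1       ::->161               ::->0
"""

# Task/SockId may contain a space before the slash ("RDS /1"), hence the optional group.
LINE_RE = re.compile(
    r"^(?P<proto>TCP6?|UDP6?)\s+(?P<task>\S+(?:\s/\d+)?)\s+(?P<local>\S+)\s+(?P<foreign>\S+)"
    r"(?:\s+(?P<state>\S+))?\s*$")


def parse_network_status(text):
    """Return one dict per socket line; header and command echo are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # Port follows ':' for IPv4 (0.0.0.0:23) and '->' for IPv6 (::->23).
        port = int(re.search(r"(\d+)$", m["local"]).group(1))
        entries.append({"proto": m["proto"], "task": m["task"],
                        "local_port": port, "state": m["state"]})
    return entries


def listening_ports(entries):
    """(transport, port) pairs that accept traffic; UDP sockets carry no State column."""
    result = set()
    for e in entries:
        transport = "tcp" if e["proto"].startswith("TCP") else "udp"
        if transport == "udp" or e["state"] == "Listening":
            result.add((transport, e["local_port"]))
    return result


def check_remote_access(entries, ssh_port=22, telnet_port=23):
    """Whether Telnet and SSH listeners exist; pass the port from display ssh server status."""
    ports = listening_ports(entries)
    return {"telnet": ("tcp", telnet_port) in ports, "ssh": ("tcp", ssh_port) in ports}


if __name__ == "__main__":
    entries = parse_network_status(SAMPLE)
    print(sorted(listening_ports(entries)))
    print(check_remote_access(entries, ssh_port=1026))
```

For the sample the result is telnet True, ssh False for both port 22 and 1026, so an SSH client failing against this device is failing because the STelnet service is disabled, not because of a firewall; the firewall policy only becomes the suspect once a listener exists on the port the client uses.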