SSH login Cisco IOS with Tacacs+

Question

Hi, I try to do a simple command to a Cisco router.

It works fine if I use local username/password, but if I use Tacacs+ to authenticate the user it fails (works fine using putty).

When using SshAuthenticationMethod.Password, the error is "A supplied password or user name is incorrect", this is not correct.

I also changed to AuthenticationMethods=SshAuthenticaionMethod.KeyboardInteractive, but then I get "Interactive authentication cannot continue due to missing request handler."

This is the simple code:

            using (var ssh = new Rebex.Net.Ssh())
            {
                ssh.Settings = new SshSettings() 
                { 
                    SshParameters= new SshParameters() 
                    { 
                        AuthenticationMethods=SshAuthenticationMethod.Password
                    }
                };

                ssh.Connect(host);

                ssh.Login(user, pass);

                var response = ssh.RunCommand("show int sum");

                Console.WriteLine(response);
            }

Answer 1

It looks like the router is asking for some information in a way that is not handled automatically by the Login(user, pass) method. Instead, try registering an ssh.AuthenticationRequest event handler, which will get called when the server asks for authentication.

Example:

ssh.AuthenticationRequest += (s, e) =>
{
    Console.WriteLine("Server: {0}", e.Name);
    Console.WriteLine("Instructions: {0}", e.Instructions); 

    foreach (SshAuthenticationRequestItem item in e.Items)
    {
        // display the prompt
        Console.WriteLine(item.Prompt);

        // get answer
        item.Response = Console.ReadLine();
    }
};

ssh.Settings.SshParameters.AuthenticationMethods = SshAuthenticationMethod.KeyboardInteractive;
ssh.Connect(host);
ssh.Login(user);

For ready-to-use sample implementation (Windows Forms), check out the AuthenticationRequestDialog class in SftpWinFormClient sample (can be downloaded with Rebex SSH Pack, Rebex SFTP or Rebet Total Pack). The sample is for Sftp class, but the same approach applies to Ssh class as well.

Comments

Hi Lukas and thanks for the reply. The solution did not work, but I got some more information that might be usefull.

When I compare the events on the router between the successfull putty session and the rebex attempt. I see that putty is passing information already when I provide the login name, and then get the correct password message from the Tacacs server.

In the rebex session I get a "Password:" prompt directly without any communication to the Tacacs-server and it fail...

---

I forgot the Connect call in the code above. Please try this:

ssh.AuthenticationRequest += (s, e) =>
{
    ... same code as above here ...
};

ssh.Settings.SshParameters.AuthenticationMethods = SshAuthenticationMethod.KeyboardInteractive;
ssh.Connect(host);
ssh.Login(user);

Make sure to specify AuthenticationMethods before calling Connect, and make sure not to specify the password in the Login call. Does the AuthenticationRequest event handler get called then?

---

Well, that did the trick :) Thanks for quick reply.

---

Thanks! What kind of prompts does Tacacs+ send, by the way?

---

It's actually customizable by the settings of the Tacacs server. In my case it return's an prompt "Enter your OTP password:" as part of the AuthenticationReplyPacketBody.

---

Good to know, thanks!