Cisco Firewall - ssh
Specify a host for firewall console access via Secure Shell (SSH). (Configuration mode.)
[no] ssh disconnect session_id
[no] ssh ip_address [netmask] [interface_name]
[no] ssh timeout mm
show ssh [sessions [ip_address]]
show ssh timeout
clear ssh
Syntax Description
ip_address      IP address of the host or network authorized to initiate an SSH connection to the firewall.
netmask         Network mask for ip_address. If you do not specify a netmask, the default is 255.255.255.255 regardless of the class of ip_address.
interface_name  Firewall interface name on which the host or network initiating the SSH connection resides.
mm              The duration in minutes that a session can be idle before being disconnected. The default duration is 5 minutes. The allowable range is from 1 to 60 minutes.
session_id      SSH session ID number available from the show ssh sessions command.
Usage Guidelines
The ssh ip_address command specifies the host or network authorized to initiate an SSH connection to the firewall. The ssh timeout command specifies the duration in minutes that a session can be idle before being disconnected; the default duration is 5 minutes. Use the show ssh sessions command to list all active SSH sessions on the firewall. The ssh disconnect command disconnects a specific session identified from the show ssh sessions output. Use the clear ssh command to remove all ssh command statements from the configuration. Use the no ssh command to remove selected ssh command statements from the configuration.
You must generate an RSA key-pair for the firewall before clients can connect to the firewall console. To use SSH, the firewall must have a DES or 3DES activation key.
To gain access to the firewall console via SSH, at the SSH client, enter the username pix and the Telnet password. You can set the Telnet password with the passwd command; the default Telnet password is cisco. To authenticate using an AAA server instead, configure the aaa authentication ssh console command.
SSH permits up to 100 characters in a username and up to 50 characters in a password.
When starting an SSH session, a dot (.) displays on the firewall console before the SSH user authentication prompt appears.
The dot appears as follows:
pixfirewall(config)# .
pixfirewall(config)# .
The display of the dot does not affect the functionality of SSH. The dot appears on the console when the firewall generates a server key or decrypts a message using private keys during the SSH key exchange, before user authentication occurs. These tasks can take up to two minutes or longer. The dot is a progress indicator that shows the firewall is busy and has not hung.
show ssh sessions Command
The show ssh sessions command provides the following display:
Session ID  Client IP      Version  Encryption  State  Username
0           172.16.25.15   1.5      3DES        4      -
1           172.16.38.112  1.5      DES         6      pix
2           172.16.25.11   1.5      3DES        4      -
The Session ID is a unique number that identifies an SSH session. The Client IP is the IP address of the system running an SSH client. The Version lists the protocol version number that the SSH client supports. The Encryption column lists the type of encryption the SSH client is using. The State column lists the progress the client is making as it interacts with the firewall. The Username column lists the login username that has been authenticated for the session. The "pix" username appears when non-AAA authentication is used.
The following table lists the SSH states that appear in the State column:
Number  SSH State
0       SSH_CLOSED
1       SSH_OPEN
2       SSH_VERSION_OK
3       SSH_SESSION_KEY_RECEIVED
4       SSH_KEYS_EXCHANGED
5       SSH_AUTHENTICATED
6       SSH_SESSION_OPEN
7       SSH_TERMINATE
8       SSH_SESSION_DISCONNECTING
9       SSH_SESSION_DISCONNECTED
10      SSH_SESSION_CLOSED
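The state table above is what an operator decodes when reviewing show ssh sessions output. The following added example (not Cisco's code) parses that output, maps the State number to its name using the table, and flags the sessions a defender would look at: clients outside the configured ssh allow list, single DES, and sessions still before SSH_AUTHENTICATED. The sample output and the allow list are constructed.

```python
"""Decode 'show ssh sessions' output from a Cisco PIX firewall.
Added example, not Cisco's code; SAMPLE is constructed to match the
layout shown in the command reference."""
import re

# State numbers exactly as listed in the command reference.
SSH_STATES = {
    0: "SSH_CLOSED", 1: "SSH_OPEN", 2: "SSH_VERSION_OK",
    3: "SSH_SESSION_KEY_RECEIVED", 4: "SSH_KEYS_EXCHANGED",
    5: "SSH_AUTHENTICATED", 6: "SSH_SESSION_OPEN", 7: "SSH_TERMINATE",
    8: "SSH_SESSION_DISCONNECTING", 9: "SSH_SESSION_DISCONNECTED",
    10: "SSH_SESSION_CLOSED",
}

SAMPLE = """Session ID  Client IP      Version  Encryption  State  Username
0           172.16.25.15   1.5      3DES        4      -
1           172.16.38.112  1.5      DES         6      pix
2           172.16.25.11   1.5      3DES        4      -
"""

# One data row: id, client ip, version, encryption, state, username.
ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s*$")

def parse_sessions(text):
    """Return one dict per session row, with the numeric state decoded."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header line or blank line
        sid, ip, ver, enc, state, user = m.groups()
        rows.append({
            "id": int(sid), "client": ip, "version": ver, "encryption": enc,
            "state": int(state),
            "state_name": SSH_STATES.get(int(state), "UNKNOWN"),
            "username": None if user == "-" else user,
        })
    return rows

def review_sessions(rows, allowed_clients):
    """Return (session id, reason) pairs worth an operator's attention."""
    findings = []
    for r in rows:
        if r["client"] not in allowed_clients:
            findings.append((r["id"], "client not in ssh allow list"))
        if r["encryption"] == "DES":
            findings.append((r["id"], "single DES in use"))
        if r["state"] < 5:  # anything before SSH_AUTHENTICATED
            findings.append((r["id"], "not yet authenticated: " + r["state_name"]))
    return findings

if __name__ == "__main__":
    for f in review_sessions(parse_sessions(SAMPLE), {"172.16.25.15", "172.16.25.11"}):
        print(f)
```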
SSH Syslog Messages
Syslog messages 315001, 315002, 315003, 315004, 315005, and 315011 were added for SSH.
Obtaining an SSH Client
The following site lets you download an SSH v1.x client for Windows:
hp.vector.co.jp/authors/VA002416/teraterm.html
The TTSSH security enhancement for Tera Term Pro is available at:
www.zip.com.au/~roca/ttssh.html
You must download TTSSH to use Tera Term Pro with SSH. TTSSH provides a Zip file you copy to the system. Extract the zipped files into the same folder in which you installed Tera Term Pro. For a Windows 95 system, by default, this is the C:\Program Files\Ttempro folder.
For Linux, Solaris, OpenBSD, AIX, IRIX, HP/UX, FreeBSD, and NetBSD go to:
www.openssh.com
Changed aaa Command for SSH
The aaa command adds the ssh option for use with SSH:
aaa authentication [serial | enable | telnet | ssh] console group_tag
The new ssh option specifies the group of AAA servers to be used for SSH user authentication. The authentication protocol and AAA server IP addresses are defined with the aaa-server command statement.
Similar to the Telnet model, if an aaa authentication ssh console group_tag command statement is not defined, you can gain access to the firewall console with the username pix and with the firewall Telnet password (set with the passwd command). If the aaa command is defined, but the SSH authentication request times out, this implies that the AAA server may be down or not available. You can gain access to the firewall using the username pix and the enable password (set with the enable password command). By default, the Telnet password is cisco and the enable password is not set. If the enable password is empty (null), even if you enter the password correctly, you are not granted access to the SSH session.
The user authentication attempt limit is set to 3. Note that the Linux version of the SSH version 1 client available from http://www.openssh.com only allows one user authentication attempt.
Examples
Create an RSA key-pair with a modulus size of 1024 bits (recommended for use with Cisco IOS software):
hostname cisco-pix
domain-name example.com
ca generate rsa key 1024
show ca mypubkey rsa
ca save all
These command statements set the hostname and domain name for the firewall, generate the RSA key-pair, display the RSA key-pair, and save the RSA key-pair to Flash memory.
Permit the host 10.1.1.1 on the outside interface to open SSH sessions to the firewall console, and set the idle timeout to 60 minutes:
ssh 10.1.1.1 255.255.255.255 outside
ssh timeout 60
Configure the firewall to perform user authentication using AAA servers. The protocol is the protocol the AAA server uses to perform the authentication; the following example uses TACACS+:
aaa-server ssh123 (inside) host 10.1.1.200 mysecure
aaa-server ssh123 protocol tacacs+
aaa authentication ssh console ssh123
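The three configuration steps above (key-pair, ssh allow list and timeout, AAA for SSH) are what a reviewer checks in a saved PIX configuration. The following added example (not Cisco's code) audits the ssh-related statements against this reference: it applies the default 255.255.255.255 netmask when none is given, flags allow-list entries wider than a chosen size, flags an idle timeout raised above the 5-minute default, and reports when no aaa authentication ssh console statement exists, so logins fall back to username pix and the Telnet password. The sample configuration and the 256-address threshold are constructed assumptions.

```python
"""Audit ssh statements in a Cisco PIX configuration against the
command reference.  Added example, not Cisco's code; SAMPLE_CONFIG
is constructed (note the deliberately broad 0.0.0.0 0.0.0.0 entry)."""
import ipaddress
import re

SAMPLE_CONFIG = """hostname cisco-pix
domain-name example.com
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.1.1.1 255.255.255.255 outside
ssh 10.2.0.0 255.255.0.0 inside
ssh timeout 60
aaa-server ssh123 (inside) host 10.1.1.200 mysecure
aaa-server ssh123 protocol tacacs+
"""

# ssh ip_address [netmask] [interface_name]; timeout/disconnect forms
# do not start with a dotted-quad and so do not match this pattern.
SSH_HOST = re.compile(r"^ssh\s+(\d+\.\d+\.\d+\.\d+)"
                      r"(?:\s+(\d+\.\d+\.\d+\.\d+))?(?:\s+(\S+))?\s*$")

def audit_ssh_config(config, max_addresses=256):
    """Return (finding, offending line) pairs for the ssh configuration."""
    findings = []
    timeout = 5          # default idle timeout from the reference
    aaa_for_ssh = False
    for line in config.splitlines():
        line = line.strip()
        m = SSH_HOST.match(line)
        if line.startswith("ssh timeout "):
            timeout = int(line.split()[2])
        elif line.startswith("aaa authentication ssh console"):
            aaa_for_ssh = True
        elif m:
            ip, mask, iface = m.groups()
            # No netmask means a single host (255.255.255.255).
            net = ipaddress.IPv4Network((ip, mask or "255.255.255.255"), strict=False)
            if net.num_addresses > max_addresses:
                findings.append(("ssh allow list too broad: %s" % net, line))
            if iface is None:
                findings.append(("no interface_name given", line))
    if timeout > 5:
        findings.append(("idle timeout raised above default of 5 minutes",
                         "ssh timeout %d" % timeout))
    if not aaa_for_ssh:
        findings.append(("no aaa authentication ssh console; logins use "
                         "username pix and the Telnet password", ""))
    return findings

if __name__ == "__main__":
    for finding, line in audit_ssh_config(SAMPLE_CONFIG):
        print(finding, "|", line)
```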