From: Andrew G. Mason (andrew@xxxxxxxxxxxxx)
Date: Fri Jan 19 2001 - 14:05:07 GMT-3
Hi Scott,
Straight from CCO -
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v52/config/commands.htm#xtocid1604966
The ssh ip_address command specifies the host or network authorized to
initiate an SSH connection to the PIX Firewall. The ssh timeout command lets
you specify the duration in minutes that a session can be idle before being
disconnected. The default duration is 5 minutes. Use the show ssh sessions
command to list all active SSH sessions on the PIX Firewall. The ssh
disconnect command lets you disconnect a specific session you observed from
the show ssh sessions command. Use the clear ssh command to remove all ssh
command statements from the configuration. Use the no ssh command to remove
selected ssh command statements from the configuration.
----------------------------------------------------------------------------
Note: You must generate an RSA key-pair for the PIX Firewall before clients can connect to the PIX Firewall console. To use SSH, your PIX Firewall must have a DES or 3DES activation key.
----------------------------------------------------------------------------
To gain access to the PIX Firewall console via SSH, at the SSH client, enter the username as pix and enter the Telnet password. You can set the Telnet password with the passwd command; the default Telnet password is cisco. To authenticate using AAA server instead, configure the aaa authenticate ssh console command.
Cheers
Andrew...
-----Original Message-----
From: Scott Morris [mailto:smorris@mentortech.com]
Sent: 19 January 2001 16:50
To: 'Andrew G. Mason'; 'Aamir Waheed'; ccielab@groupstudy.com
Subject: RE: SSH on the PIX..!!
Ok.. I'm confused now. Using AAA as a user database for telnet logins is FAR different than running SSH as a protocol. SSH is a Secure telnet (port 22 instead of 23), and requires that the device (pix or whatever) actually do payload encryption on each packet sent.
To my knowledge, the PIX software doesn't support this. If it did, or for those devices that do support SSH, the interaction with a local database (username) or AAA is irrelevant to the end result. Authentication can happen any which way, but whether it's secure or not is a different question...
Scott
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Andrew G. Mason
Sent: Friday, January 19, 2001 11:05 AM
To: Aamir Waheed; ccielab@groupstudy.com
Subject: RE: SSH on the PIX..!!
I have configured SSH on the PIX numerous times.
You have to use TACACS+ or RADIUS as there is no support for a local user database.
Cheers
Andrew..
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Sam Munzani
Sent: 19 January 2001 15:43
To: Aamir Waheed; ccielab@groupstudy.com
Subject: Re: SSH on the PIX..!!
I don't think the PIX can have a local database like routers do. The cheapest way is to have aaa commands in the PIX with RADIUS auth. Have a Windows 2000 server loaded with RADIUS services; this will let the PIX authenticate against the Windows 2000 user database.
Sam
> Hi All,
>
> Is it possible to configure user authentication without using any
> authentication servers with SSH on PIX? If yes, how do I go about it? I know
> on the router you can give aaa authentication local and define the username
> and passwords, but on the PIX it's not taking the same aaa command.
>
> Would appreciate it if you could send me a reply directly as well.
> Best Regards,
> Aamir
>
> -=-=-=-=-=-=-
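The following is an added example, not part of the original thread, that pulls the commands Andrew quotes from the CCO page into one PIX 5.2-style configuration. It shows both ways the CCO text describes for authenticating an SSH session: the Telnet password with username "pix" (no AAA server), and AAA against a TACACS+ server, which is what Andrew says he has used since the PIX has no local user database. The hostname, addresses, TACACS+ key and password are placeholders; the command spelling "aaa authentication ssh console" is the form documented in the PIX command reference (the CCO excerpt above writes "authenticate").

```text
! Added example, not from the original thread. Placeholder names and addresses.
! The RSA key pair needs a hostname and domain name; it is generated and
! saved at the enable prompt, not stored as a config line:
!   pixfw(config)# ca generate rsa key 1024
!   pixfw(config)# ca save all
hostname pixfw
domain-name example.com
!
! Only the management subnet may initiate SSH, and only to the inside interface.
! Syntax: ssh ip_address [netmask] [interface_name]
ssh 10.1.1.0 255.255.255.0 inside
!
! Idle sessions are dropped after 10 minutes (default is 5).
ssh timeout 10
!
! Option A: no AAA server. The SSH client logs in as user "pix" with the
! Telnet password. Change it from the default "cisco".
passwd S3cureTelnetPw
!
! Option B: AAA. The PIX has no local user database, so point SSH console
! authentication at a TACACS+ (or RADIUS) server group.
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.1.1.5 t4c4cskey timeout 5
aaa authentication ssh console TACACS+
!
! Operations, typed at the enable prompt:
!   show ssh sessions        - lists active sessions with their session IDs
!   ssh disconnect 0         - drops the session with ID 0 from that list
!   no ssh 10.1.1.0 255.255.255.0 inside   - removes one ssh statement
!   clear ssh                - removes all ssh statements from the config
```

Two caveats a practitioner would check. First, the CCO note's DES/3DES activation-key requirement is real: without it `ca generate rsa key` succeeds but SSH will not be offered. Second, the PIX releases current at the time of this thread implement SSH protocol version 1 only; current OpenSSH builds have dropped protocol 1 entirely, so reaching an old PIX over SSH from a modern workstation needs a legacy client build, and management access to such a box is better restricted to the `ssh` source ranges above and an out-of-band network than relied upon for confidentiality.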
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:27:35 GMT-3