
Configuring the PIX Firewall for SSH (Secure Shell)

Article Description

In October of 1995, Cisco Systems, Inc. began its first serious push into the network security market with the acquisition of NTI (Network Translation, Inc.). NTI's flagship PIX firewall became the Cisco Secure PIX Firewall. From 1995 until 2000, one missing feature frustrated security administrators greatly: secure remote access. Although the PIX Firewall allows Telnet access to its CLI (command-line interface), the PIX OS will not allow Telnet sessions from hosts on the outside interface because of the threat of password interception. In 2000, Cisco introduced version 5.2 of the PIX OS. One of the most notable features of 5.2 was support for the new, faster and more scalable PIX 525 Firewall. Another feature that received less fanfare, SSH (Secure Shell), proved to be very important to security administrators who were tired of driving to the office to make changes to their PIX. SSH uses either DES or 3DES to encrypt the entire session to the PIX, and as such it was deemed safe to enable on the outside interface. David W. Chapman Jr. demonstrates how to enable and troubleshoot SSH access to your PIX in an easy-to-follow, step-by-step process.


Troubleshooting SSH Client Connection Problems

As with any new remote access client software, there may be a need to figure out why a client connection fails. Fortunately, the PIX has debug ssh to make life easier on you. If you have previous experience using debug commands with Cisco IOS, you know that debug output can be very cryptic. I'm pleased to report the output of debug ssh is very readable and points right to the source of the problem. Let's take a look at some common scenarios and how debug ssh can make your life easier.

First, what does a normal SSH session look like? Turn on SSH debugging with the debug ssh command. In the output that follows, notice that the authentication request for user pix was successful:

percival(config)# debug ssh

SSH debugging on

Example 1 shows the output for a successful SSH session:

Example 1	Successful SSH Session Establishment
Device opened successfully.
SSH: host key initialized
SSH: license supports DES: 1
SSH0: SSH client: IP = '192.168.111.7' interface # = 1
SSH0: starting SSH control process
SSH0: Exchanging versions - SSH-1.5-Cisco-1.25
SSH0: client version is - SSH-1.5-2.4.0 (compat mode)
SSH0: begin server key generation
SSH0: complete server key generation, elapsed time = 2970 ms
SSH0: declare what cipher(s) we support: 0x00 0x00 0x00 0x04 
SSH0: SSH_SMSG_PUBLIC_KEY message sent
SSH0: SSH_CMSG_SESSION_KEY message received - msg type 0x03, length 272
SSH0: client requests DES cipher: 2
SSH0: keys exchanged and encryption on
SSH: Installing crc compensation attack detector.
SSH0: authentication request for userid pix
SSH(pix): user authen method is 'no AAA', aaa server group ID = 0
SSH0: authentication successful for pix
SSH0: invalid request - 0x22
SSH0: starting exec shell

What happens if a user doesn't use pix as the username? The PIX rejects the username cisco in Example 2:

Example 2	Invalid Username
Device opened successfully.
SSH: host key initialized
SSH0: SSH client: IP = '192.168.111.5' interface # = 1
SSH0: starting SSH control process
SSH0: Exchanging versions - SSH-1.5-Cisco-1.25
SSH0: client version is - SSH-1.5-2.4.0 (compat mode)
SSH0: begin server key generation
SSH0: complete server key generation, elapsed time = 3050 ms
SSH0: declare what cipher(s) we support: 0x00 0x00 0x00 0x04 
SSH0: SSH_SMSG_PUBLIC_KEY message sent
SSH0: SSH_CMSG_SESSION_KEY message received - msg type 0x03, length 272
SSH0: client requests DES cipher: 2
SSH0: keys exchanged and encryption on
SSH0: authentication request for userid cisco
SSH(cisco): user authen method is 'no AAA', aaa server group ID = 0
SSH0: invalid userid cisco
SSH0: authentication failed for cisco
SSH0: Session disconnected by SSH server - error 0x0d "Rejected by server"

Note

The only acceptable username is pix.

Example 3 illustrates an authentication failure caused by the user entering the wrong Telnet password (the PIX authenticates SSH logins against its Telnet password when no AAA server is configured):

Example 3	Invalid Password
Device opened successfully.
SSH: host key initialized
SSH0: SSH client: IP = '192.168.111.5' interface # = 1
SSH0: starting SSH control process
SSH0: Exchanging versions - SSH-1.5-Cisco-1.25
SSH0: client version is - SSH-1.5-2.4.0 (compat mode)
SSH0: begin server key generation
SSH0: complete server key generation, elapsed time = 1370 ms
SSH0: declare what cipher(s) we support: 0x00 0x00 0x00 0x04 
SSH0: SSH_SMSG_PUBLIC_KEY message sent
SSH0: SSH_CMSG_SESSION_KEY message received - msg type 0x03, length 272
SSH0: client requests DES cipher: 2
SSH0: keys exchanged and encryption on
SSH0: authentication request for userid pix
SSH(pix): user authen method is 'no AAA', aaa server group ID = 0
SSH0: password authentication failed for pix
SSH0: password authentication failed for pix
SSH0: password authentication failed for pix
SSH0: authentication failed for pix
SSH0: Session disconnected by SSH server - error 0x0d "Rejected by server"

Both the SSH client and the SSH server must exchange public keys before the session can be encrypted. Example 4 shows what happens if you forget to generate an RSA key pair on the PIX:

Example 4	No RSA Key on the PIX
Device opened successfully.
SSH: unable to retrieve host public key for percival.cisco.com', terminate SSH connection.
SSH-2145046632: Session disconnected by SSH server - error 0x00 "Internal error"
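As an added example that is not part of the original article, the following Python classifier applies the diagnostic patterns of Examples 1 through 4 to a saved debug ssh transcript and counts rejected sessions per client address, which is handy when many transcripts are collected from a terminal log. The sample transcript embedded below is a constructed, trimmed copy of Example 3; the function and pattern names are assumptions.

```python
import re
from collections import Counter

# Line patterns copied from the PIX "debug ssh" transcripts in Examples 1-4.
CLIENT_RE = re.compile(r"SSH client: IP = '(?P<ip>[^']+)'")
USERID_RE = re.compile(r"authentication request for userid (?P<user>\S+)")

def diagnose_ssh_debug(transcript):
    """Classify one PIX 'debug ssh' session transcript.
    Verdicts: 'success' (exec shell started), 'bad_username' (only 'pix' is
    accepted), 'bad_password' (Telnet password rejected), 'no_rsa_key'
    (host RSA key pair was never generated), or 'unknown'."""
    info = {"client_ip": None, "userid": None, "verdict": "unknown",
            "password_failures": 0}
    for line in transcript.splitlines():
        if m := CLIENT_RE.search(line):
            info["client_ip"] = m.group("ip")
        if m := USERID_RE.search(line):
            info["userid"] = m.group("user")
        if "unable to retrieve host public key" in line:
            info["verdict"] = "no_rsa_key"
        elif "password authentication failed" in line:
            info["password_failures"] += 1      # one line per rejected try
            info["verdict"] = "bad_password"
        elif "invalid userid" in line:
            info["verdict"] = "bad_username"
        elif "starting exec shell" in line:
            info["verdict"] = "success"         # Example 1's final line
    return info

def failed_logins_by_client(transcripts):
    """Count rejected sessions per client IP across several transcripts;
    a remote host that keeps guessing the password or userid stands out."""
    counts = Counter()
    for t in transcripts:
        d = diagnose_ssh_debug(t)
        if d["verdict"] in ("bad_username", "bad_password") and d["client_ip"]:
            counts[d["client_ip"]] += 1
    return dict(counts)

# Constructed sample: trimmed copy of Example 3 (wrong password from 192.168.111.5).
SAMPLE_BAD_PASSWORD = """\
SSH0: SSH client: IP = '192.168.111.5' interface # = 1
SSH0: authentication request for userid pix
SSH0: password authentication failed for pix
SSH0: password authentication failed for pix
SSH0: password authentication failed for pix
SSH0: Session disconnected by SSH server - error 0x0d "Rejected by server"
"""
```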