In this article, I'd like to share one of Cisco's solutions to the ever-vexing issue of secure remote management of the PIX Firewall. There will always be a need for administrators and managed service providers to access remote PIX Firewalls for monitoring, configuration, and troubleshooting. But because Telnet sends data in plain text, the designers of the PIX coded the PIX OS to disallow even the possibility of configuring telnet access to the outside (Public) interface. So, with Telnet unavailable, what can you do?
Cisco provides two mechanisms to securely access your PIX Firewall over an insecure medium, such as the Internet. The first is secure shell or SSH. The second is IPSec. If your only need for encryption is to secure access to the PIX CLI (command line interface), SSH is much more straightforward to configure and manage. This article discusses how to configure SSH on the PIX Firewall and how to obtain a SSH client.
SSH (Secure Shell) is a program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over insecure networks. From the SSH Internet Draft at http://www.free.lp.se/fish/rfc.txt
The use of SSH provides a more secure alternative to telnet, which sends all data in plain text. In a SSH session, all data, including the initial sign-on and password submission, is encrypted using DES or 3DES symmetric block cipher. Both the client and server have generated RSA Public/Private Key pairs. Before the username/password is sent to the PIX, the client and the server exchange Public Keys. The PIX Firewall (acting as the SSH server) generates a session key and encrypts it with the client's RSA public key. Then, the client and server encrypt both the login authentication and all subsequent packets using the session key.
Note
The Cisco Secure PIX Firewall implements SSH v1. Although there have been many articles and papers written about vulnerabilities in SSH v1, the PIX Firewall is not vulnerable to either Traffic Analysis or Key Recovery exploits. There was a CRC-32 vulnerability, but it was patched in versions 5.2(6) and 5.3(2). All future releases of the PIX OS contain the CRC-32 fix. Another enhancement Cisco provides is the ability to add AAA authentication of the SSH session using TACACS+ or RADIUS.
Configuring the PIX for SSH Access
There are two sets of tasks you need to complete to use SSH to access your PIX:
- Configure the PIX to accept SSH connections
- Configure your SSH Client to connect to the PIX
Each will be discussed in the sections that follow.
Configuring PIX to Accept SSH Connections
Our first task is to generate an RSA public/private key pair to use to securely transfer the session key from the server to the client. The hostname and domain-name must be set before the PIX will allow you to generate the key pair.
Assign a hostname and domain name to the PIX. This is required to generate the RSA key set.
pixfirewall(config)# hostname percival percival(config)# domain-name cisco.com
Generate an RSA Key pair and save the keys to Flash memory.
percival(config)# ca generate rsa key 2048 For <key_modulus_size> >= 1024, key generation could take up to several minutes. Please wait..........
View your newly created RSA Public Key.
percival(config)# sh ca mypubkey rsa % Key pair was generated at: 15:02:39 May 28 2001 Key name: percival.cisco.com Usage: General Purpose Key Key Data: 30820122 300d0609 2a864886 f70d0101 01050003 82010f00 3082010a 02820101 00b0475a 85bcfce7 91e36431 16c67070 24e4eb09 1b55766c 3588ea87 ba637382 8e3455a5 a7f71a8f fcd93f25 2bb95484 668ae92d a2175de3 04605fd0 d84f17e4 70569d26 90ff55d9 3cb91b90 ca4102d5 dc3c9cd1 25692aba f5cabae7 4f066459 86ecae91 a6e8c032 1e15184d f12f4bf8 18828ca6 6bc61c80 08a1425a 7d767200 ae68098f 703a972f 59b92239 ed9ae146 ff4a7ea4 6ae2b527 0486c91a c76bd376 3093d024 164e6032 c327d9b9 ed7101c8 73030634 defc0848 78a51d04 6995ad8c 5cbdc0b1 e77091e0 283e5881 407b3639 8a90abba fa559e4b 07a769ab 19b020f4 ba76301a 09772faa 2920067b be4ca3c0 84e2f7f0 7985eafe 227940e4 c56aea3e 23020301 0001
After generating the keys, you must save them to Flash. Failure to perform this step will result in the erasure of the keys at the next reload.
percival(config)# ca save all
Specify what hosts are allowed to SSH to the PIX and set the SSH inactivity timeout. In this case, you will limit SSH access to a single inside host and kill sessions after one hour of inactivity.
percival(config)# ssh 192.168.111.7 255.255.255.255 inside percival(config)# ssh timeout 60
Set the enable password and Telnet password. You will be required to enter the Telnet password to authenticate your SSH session.
percival(config)# enable password hArd2Gue$$ percival(config)# passwd Ace$$D3n13d
Note
If you have previously configured a telnet password and enable password, you don't need to change them for SSH to work.
Launch the SSH client software.
Select Settings from the Edit menu in Figure 1.
Figure 1 Opening the Settings Panel
Click on the Connection item from the list under Profile Settings on the left side panel in Figure 2. In the Host Name field, enter the IP address of the PIX. Enter pix in the User Name field. Next, in the Authentication Methods pane, click on password.
Figure 2 Setting Connection Preferences
Click on the Cipher List item just below the Connection item under Profile Settings in the left side panel. Uncheck all the ciphers except the one you will be using. Once your cipher is selected, use the black Up Arrow to move your preferred cipher to the top of the list. In the example illustrated in Figure 3, the user has selected DES.
Note
While many SSH Clients support a wide variety of ciphers, the PIX supports DES and 3DES exclusively. You must install the appropriate activation key before using DES or 3DES. For maximum security, Cisco recommends using 3DES to secure SSH and IPSec.
Figure 3 Cipher Selection
To avoid entering this information every time you launch the SSH client, choose Save Settings from the Edit menu in Figure 4.
Figure 4 Saving Your Preferences to a Profile
Click the Quick Connect button to open the login pop-up box labeled Connect to Remote Host (see Figure 5).
Figure 5 Opening the Login Pop-Up
Because of the potential vulnerabilities with SSH version 1, this SSH client warns you with the message in Figure 6. Click the Yes button to accept this connection and continue.
If this is the first time you've connected to the PIX with SSH, you must exchange Public Keys with each other in order to encrypt the session. The SSH client prompts you to accept the PIX's Public Key. Click on the Yes button in Figure 7 to save the PIX's Public Key to the Local Database.
Figure 7 Public Key Exchange
After you save the PIX's Public Key, your SSH Client prompts you for the telnet password in Figure 8.
Figure 8 Enter Telnet Password
You did it! You have created a secure connection to your PIX. Now, you can perform any of the configuration and routine maintenance over the SSH connection (see Figure 9).
Figure 9 SSH Secure Shell Window
Configuring the SSH Client to Connect to the PIX
Before you can connect to the PIX using SSH, you need to install a SSH client compatible with your platform. This example uses the SSH client from SSH Communications. Refer to the Cisco PIX Firewall Command Reference for the SSH command and scroll down to the section "Obtaining an SSH Client for Your Platform." For the Windows platform, I recommend using TerraTerm Pro with the SSH extension.
){kind=link}
){kind=link}
){kind=link}
){kind=link}
){kind=link}
){kind=link}
Figure 6 SSH Version 1 Warning
){kind=link}
){kind=link}
){kind=link}
Troubleshooting SSH Client Connection Problems
As with any new remote access client software, there may be a need to figure out why a client connection fails. Fortunately, the PIX has debug ssh to make life easier on you. If you have previous experience using debug commands with Cisco IOS<sup>tm</sup>, you know that debug output can be very cryptic. I'm pleased to report the output of debug ssh is very readable and points right to the source of the problem. Let's take a look at some common scenarios and how debug ssh can make your life easier.
First, what does a normal ssh session look like? Turn on ssh debugging by using the debug ssh command. Notice that the authentication request for user pix was successful:
percival(config)# debug sshSSH debugging on
Example 1 shows the output for a successful SSH session:
Example 1 Successful SSH Session Establishment Device opened successfully. SSH: host key initialized SSH: license supports DES: 1 SSH0: SSH client: IP = '192.168.111.7' interface # = 1 SSH0: starting SSH control process SSH0: Exchanging versions - SSH-1.5-Cisco-1.25 SSH0: client version is - SSH-1.5-2.4.0 (compat mode) SSH0: begin server key generation SSH0: complete server key generation, elapsed time = 2970 ms SSH0: declare what cipher(s) we support: 0x00 0x00 0x00 0x04 SSH0: SSH_SMSG_PUBLIC_KEY message sent SSH0: SSH_CMSG_SESSION_KEY message received - msg type 0x03, length 272 SSH0: client requests DES cipher: 2 SSH0: keys exchanged and encryption on SSH: Installing crc compensation attack detector. SSH0: authentication request for userid pix SSH(pix): user authen method is 'no AAA', aaa server group ID = 0 SSH0: authentication successful for pix SSH0: invalid request - 0x22 SSH0: starting exec shell
What happens if a user doesn't use pix as the username? The PIX rejects the username cisco in Example 2:
Example 2 Invalid Username Device opened successfully. SSH: host key initialized SSH0: SSH client: IP = '192.168.111.5' interface # = 1 SSH0: starting SSH control process SSH0: Exchanging versions - SSH-1.5-Cisco-1.25 SSH0: client version is - SSH-1.5-2.4.0 (compat mode) SSH0: begin server key generation SSH0: complete server key generation, elapsed time = 3050 ms SSH0: declare what cipher(s) we support: 0x00 0x00 0x00 0x04 SSH0: SSH_SMSG_PUBLIC_KEY message sent SSH0: SSH_CMSG_SESSION_KEY message received - msg type 0x03, length 272 SSH0: client requests DES cipher: 2 SSH0: keys exchanged and encryption on SSH0: authentication request for userid cisco SSH(cisco): user authen method is 'no AAA', aaa server group ID = 0 SSH0: invalid userid cisco SSH0: authentication failed for cisco SSH0: Session disconnected by SSH server - error 0x0d "Rejected by server"
Note
The only acceptable username is pix.
Example 3 illustrates authentication failure due to the user entering the wrong telnet password:
Example 3 Invalid Password Device opened successfully. SSH: host key initialized SSH0: SSH client: IP = '192.168.111.5' interface # = 1 SSH0: starting SSH control process SSH0: Exchanging versions - SSH-1.5-Cisco-1.25 SSH0: client version is - SSH-1.5-2.4.0 (compat mode) SSH0: begin server key generation SSH0: complete server key generation, elapsed time = 1370 ms SSH0: declare what cipher(s) we support: 0x00 0x00 0x00 0x04 SSH0: SSH_SMSG_PUBLIC_KEY message sent SSH0: SSH_CMSG_SESSION_KEY message received - msg type 0x03, length 272 SSH0: client requests DES cipher: 2 SSH0: keys exchanged and encryption on SSH0: authentication request for userid pix SSH(pix): user authen method is 'no AAA', aaa server group ID = 0 SSH0: password authentication failed for pix SSH0: password authentication failed for pix SSH0: password authentication failed for pix SSH0: authentication failed for pix SSH0: Session disconnected by SSH server - error 0x0d "Rejected by server"
Both the SSH Client and the SSH Server must exchange Public Keys before the session can be encrypted. Example 4 shows what happens if you forget to generate an RSA Key pair:
Example 4 No RSA Key on the PIX Device opened successfully. SSH: unable to retrieve host public key for percival.cisco.com', terminate SSH connection. SSH-2145046632: Session disconnected by SSH server - error 0x00 "Internal error"
Obtaining a SSH Client for Your Platform
The websites in Table 1 allow you to download a free SSH v1.x client. Because SSH version 1.x and 2 are entirely different protocols and are not compatible, be sure you download a client that supports SSH v1.x
Tip
I have found through my own experimentation that Terra Term Pro SSH consistently works on the following versions of the PIX OS: 5.3(1), 6.0(1) and 6.1(1). And it's free!
Table 1: SSH Clients
|
Company/Client |
SSH Client Description |
URL |
|
*SSH Communications |
SSH Communications allows free downloads of its SSH client to Academia and to individuals for non-commercial use. |
http://commerce.ssh.com/ |
|
Terra Term Pro/SSH |
You can download the free Tera Term Pro SSH v1.x client for the following platforms: Windows 3.1, Windows CE, Windows 95, and Windows NT 4.0. **You can also download The TTSSH security enhancement for Terra Term Pro. |
|
|
OpenSSH for Unix/Linux |
Download the SSH v1.x client for the following platforms: Linux, Solaris, OpenBSD, AIX, IRIX, HP/UX, FreeBSD, and NetBSD. |
|
|
Nifty Telnet for Macintosh |
The Nifty Telnet 1.1 SSH client for the Macintosh. |
Conclusion
SSH is the favored solution to provide secured remote access to your PIX Firewall. The PIX is able to authenticate users by password alone or coupled with the Cisco Secure ACS server for an additional level of assurance and access-control logging.