Posts Tagged ‘Security’

Enabling ssh on a Cisco ASA

August 20th, 2005 No comments

Created a local user name and password and enable ssh:

username romeo password Cisco123!
ssh outside


Enabled ssh debugging with the command “debug ssh” and received the following debug

ASA# Device ssh opened successfully.
SSH0: SSH client: IP = ''  interface # = 1
SSH: unable to retrieve default host public key.  Please create a defauth RSA key pair before using SSH
SSH0: Session disconnected by SSH server - error 0x00 "Internal error"


Issued the following command to generate a key:

ASA(config)# crypto key generate rsa
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...


Got a connection with the following debugging lines:

Device ssh opened successfully.
SSH0: SSH client: IP = ''  interface # = 1
SSH: host key initialised
SSH: license supports 3DES: 2
SSH: license supports DES: 2
SSH0: starting SSH control process
SSH0: Exchanging versions - SSH-1.99-Cisco-1.25
SSH0: send SSH message: outdata is NULL
server version string:SSH-1.99-Cisco-1.25SSH0: receive SSH message: 83 (83)
SSH0: client version is - SSH-2.0-PuTTY_Release_0.60
client version string:SSH-2.0-PuTTY_Release_0.60SSH0: begin server key generation
SSH0: complete server key generation, elapsed time = 3030 ms
SSH2 0: SSH2_MSG_KEXINIT received
SSH2: kex: client->server aes256-cbc hmac-sha1 none
SSH2: kex: server->client aes256-cbc hmac-sha1 none
SSH2 0: expecting SSH2_MSG_KEXDH_INIT
SSH2 0: SSH2_MSG_KEXDH_INIT received
SSH2 0: signature length 143
SSH2: kex_derive_keys complete
SSH2 0: newkeys: mode 1
SSH2 0: waiting for SSH2_MSG_NEWKEYS
SSH2 0: newkeys: mode 0
SSH2 0: SSH2_MSG_NEWKEYS received


Typed in an existing username / password that is on the ASA already, got access denied. Debugging shows:

SSH(romeo): user authen method is 'no AAA', aaa server group ID = 0
SSH2 0: authentication failed for romeo


AAA method setup

ASA(config)# aaa authentication ssh console LOCAL


Login successfully. Here is the debug log for a successful connection:

SSH(romeo): user authen method is 'use AAA', aaa server group ID = 1
SSH2 0: authentication successful for romeo
SSH2 0: channel open request
SSH2 0: pty-req request
SSH2 0: requested tty: xterm, height 24, width 80
SSH2 0: shell request
SSH2 0: shell message received


Enabling SSH on Cisco PIX 6.3

February 15th, 2005 No comments

To enable SSH on Cisco PIX 6.3;

Clear all RSA keys. Remove any existing keys from the database with the command:

ca zeroize rsa


Assign a host name



Assigning a domain name

domain testlab.local


Generate the RSA key

ca generate rsa key 512


Save the RSA key

ca save all


Enable SSH

ssh outside