Enabling ssh on a Cisco ASA
Created a local username and password and enabled SSH from the management subnet on the outside interface:
username romeo password Cisco123!
ssh 10.10.1.0 255.255.255.0 outside
Enabled SSH debugging with the command "debug ssh" and received the following debug output:
ASA#
Device ssh opened successfully.
SSH0: SSH client: IP = '10.10.1.27' interface # = 1
SSH: unable to retrieve default host public key. Please create a defauth RSA key pair before using SSH
SSH0: Session disconnected by SSH server - error 0x00 "Internal error"
ASA#
Issued the following command to generate a key:
ASA(config)# crypto key generate rsa
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
ASA(config)#
With the host key in place the client got a connection, and the key exchange completed with the following debugging lines:
Device ssh opened successfully.
SSH0: SSH client: IP = '10.10.1.27' interface # = 1
SSH: host key initialised
SSH: license supports 3DES: 2
SSH: license supports DES: 2
SSH0: starting SSH control process
SSH0: Exchanging versions - SSH-1.99-Cisco-1.25
SSH0: send SSH message: outdata is NULL
server version string:SSH-1.99-Cisco-1.25
SSH0: receive SSH message: 83 (83)
SSH0: client version is - SSH-2.0-PuTTY_Release_0.60
client version string:SSH-2.0-PuTTY_Release_0.60
SSH0: begin server key generation
SSH0: complete server key generation, elapsed time = 3030 ms
SSH2 0: SSH2_MSG_KEXINIT sent
SSH2 0: SSH2_MSG_KEXINIT received
SSH2: kex: client->server aes256-cbc hmac-sha1 none
SSH2: kex: server->client aes256-cbc hmac-sha1 none
SSH2 0: expecting SSH2_MSG_KEXDH_INIT
SSH2 0: SSH2_MSG_KEXDH_INIT received
SSH2 0: signature length 143
SSH2: kex_derive_keys complete
SSH2 0: newkeys: mode 1
SSH2 0: SSH2_MSG_NEWKEYS sent
SSH2 0: waiting for SSH2_MSG_NEWKEYS
SSH2 0: newkeys: mode 0
SSH2 0: SSH2_MSG_NEWKEYS received
Typed in the username and password that already exist on the ASA and got access denied. Debugging shows the authentication method is 'no AAA', meaning no authentication method is bound to SSH yet, so the local user database is never consulted:
SSH(romeo): user authen method is 'no AAA', aaa server group ID = 0
SSH2 0: authentication failed for romeo
AAA method setup, binding SSH logins to the LOCAL user database:
ASA(config)# aaa authentication ssh console LOCAL
Login succeeded. Here is the debug log for the successful connection:
SSH(romeo): user authen method is 'use AAA', aaa server group ID = 1
SSH2 0: authentication successful for romeo
SSH2 0: channel open request
SSH2 0: pty-req request
SSH2 0: requested tty: xterm, height 24, width 80
SSH2 0: shell request
SSH2 0: shell message received
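As an added example (not from the original post or Cisco), here is a small Python checker that reads ASA "debug ssh" output like the transcripts above and reports which of the two misconfigurations seen on this page (missing RSA host key, no AAA method bound to SSH) explains a failed session, plus the negotiated cipher/MAC. The sample transcripts are constructed from the page's own debug lines.

```python
import re

# Constructed sample transcripts, trimmed from the "debug ssh" output shown above.
DEBUG_NO_KEY = """SSH0: SSH client: IP = '10.10.1.27' interface # = 1
SSH: unable to retrieve default host public key. Please create a defauth RSA key pair before using SSH
SSH0: Session disconnected by SSH server - error 0x00 "Internal error"
"""
DEBUG_NO_AAA = """SSH0: SSH client: IP = '10.10.1.27' interface # = 1
SSH: host key initialised
SSH2: kex: client->server aes256-cbc hmac-sha1 none
SSH(romeo): user authen method is 'no AAA', aaa server group ID = 0
SSH2 0: authentication failed for romeo
"""
DEBUG_OK = """SSH0: SSH client: IP = '10.10.1.27' interface # = 1
SSH: host key initialised
SSH2: kex: client->server aes256-cbc hmac-sha1 none
SSH(romeo): user authen method is 'use AAA', aaa server group ID = 1
SSH2 0: authentication successful for romeo
"""

def diagnose_ssh_debug(text):
    """Summarise one ASA 'debug ssh' session and list the config commands it implies."""
    r = {"client_ip": None, "host_key": None, "user": None,
         "auth_method": None, "auth_ok": None, "kex": None, "fix": []}
    m = re.search(r"SSH client: IP = '([\d.]+)'", text)
    if m:
        r["client_ip"] = m.group(1)
    # Missing host key: the ASA drops the session before key exchange.
    if "unable to retrieve default host public key" in text:
        r["host_key"] = False
        r["fix"].append("crypto key generate rsa")
    elif "host key initialised" in text:
        r["host_key"] = True
    # 'no AAA' means no authentication method is bound to SSH, so the
    # local username database is never consulted.
    m = re.search(r"SSH\((\w+)\): user authen method is '([^']+)'", text)
    if m:
        r["user"], r["auth_method"] = m.group(1), m.group(2)
        if r["auth_method"] == "no AAA":
            r["fix"].append("aaa authentication ssh console LOCAL")
    if "authentication successful for" in text:
        r["auth_ok"] = True
    elif "authentication failed for" in text:
        r["auth_ok"] = False
    # Negotiated cipher and MAC, client->server direction.
    m = re.search(r"kex: client->server (\S+) (\S+)", text)
    if m:
        r["kex"] = (m.group(1), m.group(2))
    return r
```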