Enabling SSH Access
In order for the PIX to accept SSH connections, you must first enable SSH.
Before you can use SSH, you must generate an RSA key set. The SSH client uses this
RSA key to encrypt the session key that it sends to the SSH server. Do the
following:
1. To generate the RSA key, the first step is to assign a hostname and a
domain name to the PIX:
PIX1(config)# hostname PIX1
PIX1(config)# domain-name SecureCorp.com
2. Once you have finished assigning the hostname and the domain
name, you must generate the RSA key pair (one public key and one
private key) and save it to flash memory. The command to generate
the pair of keys is:
ca generate rsa key modulus
Cisco recommends 1024 bits for the modulus. This reflects RSA
Security's own recommendation of using a 1024-bit key for corporate
use and a 2048-bit key for valuable keys. The larger the key, the longer it
will take to generate the key and the longer it will take to crack it. The
actual command for this example is as follows:
PIX1(config)# ca generate rsa key 2048
For
several minutes. Please wait.
3. Once the generation process has completed, you can view the new RSA
public key by entering the following command:
PIX1(config)# show ca mypubkey rsa
% Key pair was generated at: 13:13:04 UTC Aug 1 2002
Key name: PIX1.SecureCorp.com
Usage: General Purpose Key
Key Data:
30820122 300d0609 2a864886 f70d0101 01050003 82010f00 3082010a 02820101
00b92dfe ac9a3fd1 f3c0bfd7 6920b498 b2722dbe d9aa8d4c f0bf0c0c a5bf1d3f
<<>>
% Key pair was generated at: 13:47:47 UTC Aug 10 2002
Key name: PIX1.SecureCorp.com.server
Usage: Encryption Key
Key Data:
307c300d 06092a86 4886f70d 01010105 00036b00 30680261 00c150ba b244378c
<<>>
www.syngress.com
Configuring System Management • Chapter 6 307
NOTE
If an RSA key is already saved on the PIX, you will be asked to remove
the existing key. This is easily accomplished with the ca zeroize rsa
command. This command clears the existing RSA key and allows you
to generate a new RSA key set.
4. With the RSA key pair generated, you must save it to flash using this
command:
PIX501(config)# ca save all
5. Now you can configure the PIX with the permitted hosts or subnets that
may act as SSH clients to the firewall. You can also set the SSH inactivity
timeout at this point. The syntax to allow SSH access is:
ssh ip_address [netmask] [interface]
If netmask is not specified, it is assumed to be 255.255.255.255;
if interface is not specified, it is assumed to be the inside interface. In
the following example, ip_address is 192.168.50.0 and netmask is
255.255.255.0. This allows the entire 192.168.50.0/24 subnet range SSH
access to the PIX. The interface parameter specifies the name of the interface
on which this subnet resides. In this case, it is the inside interface.
PIX1(config)# ssh 192.168.50.0 255.255.255.0 inside
6. By default, the PIX will disconnect an SSH session after 5 minutes of
inactivity. You can set the inactivity timeout to between 1 and 60 minutes.
To set the inactivity timeout to 10 minutes, use the following command:
PIX1(config)# ssh timeout 10
7. Finally, you must save the changes to flash:
PIX1# write memory
To verify the SSH configuration, use the show ssh command in Enable mode.
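As an added example (not from the book and not Cisco's code), the following Python audits the ssh access rules and timeout from steps 5 and 6 over a constructed PIX configuration, applying the defaults the text describes (omitted netmask = 255.255.255.255, omitted interface = inside, default timeout = 5 minutes, valid range 1 to 60). The /24 breadth threshold in overly_broad_rules is an assumption for the audit, not a PIX setting.

```python
"""Audit the 'ssh' access rules of a PIX 6.x-style running configuration.

Constructed example: answers "may this client reach the PIX over SSH on this
interface?" and flags rules that admit far more than one subnet.
"""
import ipaddress

DEFAULT_NETMASK = "255.255.255.255"  # omitted netmask means a single host
DEFAULT_INTERFACE = "inside"         # omitted interface means the inside interface
DEFAULT_TIMEOUT_MIN = 5              # PIX default SSH inactivity timeout

# Constructed sample config; the 0.0.0.0 rule is deliberately over-broad.
SAMPLE_CONFIG = """\
hostname PIX1
domain-name SecureCorp.com
ssh 192.168.50.0 255.255.255.0 inside
ssh 10.1.1.5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
"""


def parse_ssh_config(config_text):
    """Return (rules, timeout_minutes); rules are (IPv4Network, interface) tuples."""
    rules, timeout = [], DEFAULT_TIMEOUT_MIN
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "ssh":
            continue
        if parts[1] == "timeout":
            minutes = int(parts[2])
            if not 1 <= minutes <= 60:  # the PIX only accepts 1-60
                raise ValueError(f"ssh timeout must be 1-60 minutes, got {minutes}")
            timeout = minutes
            continue
        netmask = parts[2] if len(parts) > 2 else DEFAULT_NETMASK
        interface = parts[3] if len(parts) > 3 else DEFAULT_INTERFACE
        net = ipaddress.ip_network(f"{parts[1]}/{netmask}", strict=False)
        rules.append((net, interface))
    return rules, timeout


def ssh_allowed(rules, client_ip, interface):
    """True if a client at client_ip arriving on interface matches any ssh rule."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net and iface == interface for net, iface in rules)


def overly_broad_rules(rules, min_prefixlen=24):
    """Rules wider than a /24; the threshold is an audit assumption."""
    return [(str(net), iface) for net, iface in rules if net.prefixlen < min_prefixlen]
```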
To access the PIX firewall, you must configure an SSH client. In this
example, we use a popular Windows SSH client, Tera Term. Tera Term and its SSH
extensions can be downloaded from www.zip.com.au/~roca/ttssh.html. First,
install Tera Term. When Tera Term is installed, follow the instructions in the
Readme file to install the SSH extensions into the root directory of Tera Term.
Once the SSH extensions are installed, you must specify an ssh_known_hosts
file. Figure 6.4 shows where to find the SSH setup menu in Tera Term.
When you click the SSH menu item, you will see a dialog box (see Figure
6.5) with two items that need to be configured. The first item is the preferred
cipher order. In this configuration, DES is placed first because this particular
PIX firewall does not have 3DES enabled.
Figure 6.4 Configuring SSH in Tera Term
Figure 6.5 Selection of Ciphers in Tera Term SSH
The second item to configure is the ssh_known_hosts file, as shown in Figure
6.6. This can be a blank text file to which Tera Term will add known hosts and
keys.
When you start Tera Term, a dialog box opens (see Figure 6.7). You must
type in the IP address of the PIX firewall and select the type of service by
clicking a radio button. The default service is Telnet, so make sure that you select
SSH and then click OK.
After a moment, you will be presented with the next screen, shown in
Figure 6.8.
Figure 6.6 Configuring the ssh_known_hosts.txt File
Figure 6.7 Configuring a New Connection in Tera Term
Figure 6.8 SSH Authentication
The default username for a Cisco PIX SSH connection that is not using AAA
for authentication is pix. The passphrase is the password that is used for Telnet.
Once the username and passphrase are authenticated, your SSH session will start.
This authentication can take a few moments, so be prepared to wait a bit. Figure
6.9 shows the completed SSH connection to the Cisco PIX. A small icon in the
upper-left corner of Tera Term shows that you have an SSH connection.
To configure Tera Term to automatically use SSH and a particular IP address,
first configure Tera Term with the correct encryption, screen colors, and other
settings and then save the setup under a name of your choice by clicking Setup |
Save Setup, as shown in Figure 6.10.
Once that process is completed, create a shortcut to the Tera Term application.
Right-click the shortcut that you just made and select Properties in the
dialog box. The Target entry line will show where Tera Term is located and any
parameters with which Tera Term will start. Add two items to the parameters. The
first one is the IP address of the PIX firewall and the second is the /F switch,
which allows you to specify the ini file that you saved in the previous step. You
need to specify the path for the /F switch, as shown in Figure 6.11. Click OK
and you are set. The next time you start Tera Term with this shortcut, it will load
the saved .ini file and automatically connect to the target host.
Figure 6.9 Verifying the SSH Connection
Figure 6.10 Saving the Tera Term Configuration