Passwordless SSH authentication on a PIX

Answered Question
Mar 7th, 2007

I'm looking to set up passwordless SSH authentication so a Solaris client can run a script to log on to a PIX and retrieve the configuration.

Has anyone succesfully achieved passwordless SSH authentication on a PIX or know whether the device supports it or not?

Many Thanks, Dom

I have this problem too.
0 votes
Correct Answer by suschoud about 9 years 9 months ago

that is vaguely correct.

here are the details :

Security506E-6.x(config)# sh aaa

aaa proxy-limit 16

aaa authentication ssh console SecurityACS1111 LOCAL

aaa authentication http console SecurityACS1111 LOCAL

aaa authentication telnet console SecurityACS1111 LOCAL

aaa authentication enable console SecurityACS1111 LOCAL

aaa authorization command LOCAL

now,if you have configured aaa on the pix and specified a aaa server for the authentication purpose when ssh is done ""aaa authentication ssh console SecurityACS1111 LOCAL ".....then the username and passwords from the aaa server database need to be provided when ssh is done.

if you have specified LOCAL as the authentication method,then the username and password database configured in the firewall's configuration will be used for the authentication purpose.

if you have n't spoecified " ssh " under " sh aaa " command output ,then the default settings are used.

dafault settings :

username : pix

telnet password: whatever password you have set using the command :

password

enable password :

whatever password you have set using :

enable password

please rate if this helps!!

Sushil

cisco tac.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (2 ratings)
Loading.
suschoud Wed, 03/07/2007 - 07:07

hi d,

i am not sure but i think it's not possible.

when you do "ssh " to the firewall,you need to provide the telnet password first and then at the enable prompt,the enable password.

now,you can set the enable password to be blank by putting the command :

pix(config)#enable password

but as far as telnet password is concerned,by default it's " cisco " and there's no way that we could remove this.

there should be a telnet password in the firewall.

so,if the script gives you the option to setup a password,you could retrieve the configuration.

please rate if this helps!!

Sushil

Cisco TAC.

d-fillmore Wed, 03/07/2007 - 07:14

Thanks for that Sushil.

So the telnet password is the same one that is used for SSH authentication?

Correct Answer
suschoud Wed, 03/07/2007 - 07:21

that is vaguely correct.

here are the details :

Security506E-6.x(config)# sh aaa

aaa proxy-limit 16

aaa authentication ssh console SecurityACS1111 LOCAL

aaa authentication http console SecurityACS1111 LOCAL

aaa authentication telnet console SecurityACS1111 LOCAL

aaa authentication enable console SecurityACS1111 LOCAL

aaa authorization command LOCAL

now,if you have configured aaa on the pix and specified a aaa server for the authentication purpose when ssh is done ""aaa authentication ssh console SecurityACS1111 LOCAL ".....then the username and passwords from the aaa server database need to be provided when ssh is done.

if you have specified LOCAL as the authentication method,then the username and password database configured in the firewall's configuration will be used for the authentication purpose.

if you have n't spoecified " ssh " under " sh aaa " command output ,then the default settings are used.

dafault settings :

username : pix

telnet password: whatever password you have set using the command :

password

enable password :

whatever password you have set using :

enable password

please rate if this helps!!

Sushil

cisco tac.

Actions

This Discussion