Passwordless SSH authentication on a PIX

Answered Question
Mar 7th, 2007
User Badges:

I'm looking to set up passwordless SSH authentication so a Solaris client can run a script to log on to a PIX and retrieve the configuration.

Has anyone succesfully achieved passwordless SSH authentication on a PIX or know whether the device supports it or not?

Many Thanks, Dom

Correct Answer by suschoud about 10 years 3 months ago

that is vaguely correct.


here are the details :


Security506E-6.x(config)# sh aaa

aaa proxy-limit 16

aaa authentication ssh console SecurityACS1111 LOCAL

aaa authentication http console SecurityACS1111 LOCAL

aaa authentication telnet console SecurityACS1111 LOCAL

aaa authentication enable console SecurityACS1111 LOCAL

aaa authorization command LOCAL




now,if you have configured aaa on the pix and specified a aaa server for the authentication purpose when ssh is done ""aaa authentication ssh console SecurityACS1111 LOCAL ".....then the username and passwords from the aaa server database need to be provided when ssh is done.



if you have specified LOCAL as the authentication method,then the username and password database configured in the firewall's configuration will be used for the authentication purpose.



if you have n't spoecified " ssh " under " sh aaa " command output ,then the default settings are used.


dafault settings :


username : pix


telnet password: whatever password you have set using the command :


password



enable password :


whatever password you have set using :


enable password



please rate if this helps!!


Sushil

cisco tac.



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (2 ratings)
Loading.
suschoud Wed, 03/07/2007 - 07:07
User Badges:
  • Gold, 750 points or more

hi d,


i am not sure but i think it's not possible.

when you do "ssh " to the firewall,you need to provide the telnet password first and then at the enable prompt,the enable password.


now,you can set the enable password to be blank by putting the command :


pix(config)#enable password


but as far as telnet password is concerned,by default it's " cisco " and there's no way that we could remove this.


there should be a telnet password in the firewall.


so,if the script gives you the option to setup a password,you could retrieve the configuration.


please rate if this helps!!


Sushil

Cisco TAC.

d-fillmore Wed, 03/07/2007 - 07:14
User Badges:

Thanks for that Sushil.

So the telnet password is the same one that is used for SSH authentication?


Correct Answer
suschoud Wed, 03/07/2007 - 07:21
User Badges:
  • Gold, 750 points or more

that is vaguely correct.


here are the details :


Security506E-6.x(config)# sh aaa

aaa proxy-limit 16

aaa authentication ssh console SecurityACS1111 LOCAL

aaa authentication http console SecurityACS1111 LOCAL

aaa authentication telnet console SecurityACS1111 LOCAL

aaa authentication enable console SecurityACS1111 LOCAL

aaa authorization command LOCAL




now,if you have configured aaa on the pix and specified a aaa server for the authentication purpose when ssh is done ""aaa authentication ssh console SecurityACS1111 LOCAL ".....then the username and passwords from the aaa server database need to be provided when ssh is done.



if you have specified LOCAL as the authentication method,then the username and password database configured in the firewall's configuration will be used for the authentication purpose.



if you have n't spoecified " ssh " under " sh aaa " command output ,then the default settings are used.


dafault settings :


username : pix


telnet password: whatever password you have set using the command :


password



enable password :


whatever password you have set using :


enable password



please rate if this helps!!


Sushil

cisco tac.



suschoud Wed, 03/07/2007 - 08:02
User Badges:
  • Gold, 750 points or more

no problem D.


Pleasure is all mine


Have a good day.

Actions

This Discussion