Solved: Passwordless SSH authentication on a PIX

d-fillmore · ‎03-07-2007

I'm looking to set up passwordless SSH authentication so a Solaris client can run a script to log on to a PIX and retrieve the configuration.

Has anyone succesfully achieved passwordless SSH authentication on a PIX or know whether the device supports it or not?

Many Thanks, Dom

suschoud · ‎03-07-2007

that is vaguely correct.

here are the details :

Security506E-6.x(config)# sh aaa

aaa proxy-limit 16

aaa authentication ssh console SecurityACS1111 LOCAL

aaa authentication http console SecurityACS1111 LOCAL

aaa authentication telnet console SecurityACS1111 LOCAL

aaa authentication enable console SecurityACS1111 LOCAL

aaa authorization command LOCAL

now,if you have configured aaa on the pix and specified a aaa server for the authentication purpose when ssh is done ""aaa authentication ssh console SecurityACS1111 LOCAL ".....then the username and passwords from the aaa server database need to be provided when ssh is done.

if you have specified LOCAL as the authentication method,then the username and password database configured in the firewall's configuration will be used for the authentication purpose.

if you have n't spoecified " ssh " under " sh aaa " command output ,then the default settings are used.

dafault settings :

username : pix

telnet password: whatever password you have set using the command :

password

enable password :

whatever password you have set using :

enable password

please rate if this helps!!

Sushil

cisco tac.

View solution in original post

suschoud · ‎03-07-2007

hi d,

i am not sure but i think it's not possible.

when you do "ssh " to the firewall,you need to provide the telnet password first and then at the enable prompt,the enable password.

now,you can set the enable password to be blank by putting the command :

pix(config)#enable password

but as far as telnet password is concerned,by default it's " cisco " and there's no way that we could remove this.

there should be a telnet password in the firewall.

so,if the script gives you the option to setup a password,you could retrieve the configuration.

please rate if this helps!!

Sushil

Cisco TAC.

d-fillmore · ‎03-07-2007

Thanks for that Sushil.

So the telnet password is the same one that is used for SSH authentication?

suschoud · ‎03-07-2007

that is vaguely correct.

here are the details :

Security506E-6.x(config)# sh aaa

aaa proxy-limit 16

aaa authentication ssh console SecurityACS1111 LOCAL

aaa authentication http console SecurityACS1111 LOCAL

aaa authentication telnet console SecurityACS1111 LOCAL

aaa authentication enable console SecurityACS1111 LOCAL

aaa authorization command LOCAL

now,if you have configured aaa on the pix and specified a aaa server for the authentication purpose when ssh is done ""aaa authentication ssh console SecurityACS1111 LOCAL ".....then the username and passwords from the aaa server database need to be provided when ssh is done.

if you have specified LOCAL as the authentication method,then the username and password database configured in the firewall's configuration will be used for the authentication purpose.

if you have n't spoecified " ssh " under " sh aaa " command output ,then the default settings are used.

dafault settings :

username : pix

telnet password: whatever password you have set using the command :

password

enable password :

whatever password you have set using :

enable password

please rate if this helps!!

Sushil

cisco tac.

d-fillmore · ‎03-07-2007

Thanks for that Sushil =]

suschoud · ‎03-07-2007

no problem D.

Pleasure is all mine

Have a good day.

jannataljabri · ‎05-15-2020