Configure SSH2 on Cisco ASA?

Feb 25th, 2008

Hi, on my ASA I have added the following for SSH2, but what do I need to do next?

ip domain name

IP SSH version 2

crypto key generate rsa

When I log in it says it needs a username and password. I have a level 15 username and password that I use for the ASDM; should this work, as it doesn't, or do I need to do something else?


rajbhatt Mon, 02/25/2008 - 02:50


For ssh access

crypto key gen rsa 1024

ssh ip address x.x.x.x inside

If you have not configured AAA then the default username would be pix and the first (telnet) password will be cisco

Enable password by default is blank

Else configure the username and password for AAA


whiteford Mon, 02/25/2008 - 03:19


crypto key gen rsa 1024 doesn't work but crypto key gen rsa does, how do I choose 1024?

I know crypto key gen rsa 1024 works on routers though

alanajjar Mon, 02/25/2008 - 03:07


Correct. Also, you can use local authentication to authenticate SSH by using

aaa authentication ssh default LOCAL

then define username and password locally on the ASA, and use them for ssh authentication.

whiteford Mon, 02/25/2008 - 03:23


When I type:

aaa authentication ssh default LOCAL it does like "default" if I type:

aaa authentication ssh console LOCAL

It says the group local doesn't exist?

alanajjar Mon, 02/25/2008 - 04:25


Use the command

aaa authentication ssh console LOCAL

The word LOCAL must be in upper-case letters. This group is defined on the ASA by default; there should be a command like this in the ASA:

aaa server LOCAL protocol local


whiteford Mon, 02/25/2008 - 05:56

Hi, this worked!

1.) aaa authentication ssh console LOCAL

I just used the same username and password I use for the ASDM and I got into the CLI.


aaa server LOCAL protocol local

Doesn't appear, all I see is:

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server RADIUS host server1

key 1234

aaa-server RADIUS host server2

key 1234

2.) Is the crypto key automatically using 1024, as it didn't let me add that after the rsa?

3.) Should the keys be encrypted? key 1234 is in clear text.


alanajjar Mon, 02/25/2008 - 22:19


Good news to hear it's worked.

1) Regarding local authentication, it's enabled by default; don't worry about that command.

2) If you generate an RSA key without specifying its size, the default size is 1024. You can specify other modulus sizes by using the modulus keyword:

crypto key generate rsa modulus modulus_size

3) The key in this command cannot be encrypted.


onlyabhishek007 Fri, 03/07/2008 - 00:33

When you use SSH from the inside or outside, it asks for the username; if you did not configure a username, then pix is the username and the passwd command provides the password for authentication.
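
An added example (not part of the thread and not Cisco tooling): a small Python check that reads a saved running-config and reports the SSH points raised in the replies above, namely a missing `aaa authentication ssh console` line, the source addresses allowed to reach SSH, and a clear-text `aaa-server` key. The sample config is constructed, the function name is hypothetical, and the `ssh version 2` check assumes an ASA release that still offers SSH version 1.

```python
import re

# Constructed sample config (not from a real device); hashes and addresses are placeholders.
SAMPLE_CONFIG = """\
hostname asa-example
passwd EXAMPLEHASH encrypted
username admin password EXAMPLEHASH encrypted privilege 15
aaa-server RADIUS protocol radius
aaa-server RADIUS host server1
 key 1234
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.0.2.0 255.255.255.0 inside
"""

def audit_asa_ssh(config):
    """Return findings about SSH management access in an ASA running-config."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []

    aaa = [ln for ln in lines if ln.startswith("aaa authentication ssh console ")]
    if not aaa:
        # Behaviour described in the thread: without AAA the login is "pix" + passwd password.
        findings.append("no-aaa-ssh: SSH logins use default user 'pix' and the passwd password")
    elif any(ln.split()[-1] == "LOCAL" for ln in aaa):
        if not any(ln.startswith("username ") for ln in lines):
            findings.append("no-local-user: LOCAL is referenced but no username is defined")

    if "ssh version 2" not in lines:
        findings.append("ssh-version: 'ssh version 2' is not set")

    # Only IPv4 "ssh <addr> <mask> <interface>" lines are parsed here.
    permits = [m.groups() for ln in lines
               if (m := re.fullmatch(r"ssh (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)", ln))]
    if not permits:
        findings.append("no-ssh-permit: no 'ssh <addr> <mask> <interface>' line")
    for addr, mask, iface in permits:
        if (addr, mask) == ("0.0.0.0", "0.0.0.0"):
            findings.append(f"ssh-any-source: any address may reach SSH on '{iface}'")

    # Values shown only as asterisks are ignored.
    if any(re.fullmatch(r"key (?!\*+$)\S+", ln) for ln in lines):
        findings.append("cleartext-key: aaa-server key is readable in the config")
    return findings

if __name__ == "__main__":
    for finding in audit_asa_ssh(SAMPLE_CONFIG):
        print(finding)
```

Because the `aaa-server` key cannot be encrypted in the config, a `cleartext-key` finding is a prompt to restrict who can read saved configs and backups.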

