
Giving user "pix" immediately privileged rights?

cco1
Level 1

Hi!

Obviously, the only user that can access the FWSM by SSH is the user "pix". Is it possible to give "pix" privileged rights instantly when he logs in?

Can I create other users that are able to log in via SSH (I couldn't find anything in the documentation)?

Thanks.

8 Replies

a.kiprawih
Level 7

You can always create/add users to access the FWSM via telnet (from inside, dmz) or SSH/HTTPS (from both inside and outside segments):

username <name> password <password> privilege <0-15>

As for the user 'pix', do you see it configured explicitly, or does it just exist in the FWSM?

http://www.cisco.com/en/US/products/hw/switches/ps708/products_module_configuration_guide_chapter09186a0080577bde.html#wp1062044

What dictates SSH access is the key generated by the FWSM for the SSH session (ca generate rsa key), i.e. ca generate rsa key 1024, plus the hostname and domain-name entries.

Define who (the IP address of the allowed workstation) can SSH/telnet/HTTP (for HTTPS) into the FWSM using "ssh <ip> <mask> <interface>", i.e. ssh 10.10.10.10 255.255.255.255 outside to allow 10.10.10.10 to SSH into the FWSM.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_module_configuration_guide_chapter09186a00802010bb.html#wp1141517

HTH

AK

Hi!

Concerning the second link in your last posting, it says:

>>>>>>>>>>>>>>>>>>>>>>

Using an SSH Client

To gain access to the FWSM console using SSH, at the SSH client enter the username pix and enter the login password set by the password command (see the "Changing the Login Password" section).

<<<<<<<<<<<<<<<<<<<<<<

So it looks like there is only the user "pix" available that can access the FWSM via SSH. After its login, I can of course use other users with the "login" command to access the FWSM.

But our problem is that we want to access the FWSM via SSH with a user that _instantly_ gets privileged access. And this doesn't work with the user "pix", because this user can only access unprivileged mode in the first step. In a second step we either have to type in "enable" and the password _or_ we use a user we can create with "username...".

Our aim is to skip the second step, so we can instantly log in to the FWSM and have privileged rights.

Thanks,

Marco

It's possible to have the user 'pix' get to privileged mode (#) immediately after login. But the condition is that the privilege level must be level 15. Others will not get direct "#" access.

By default, a user will be given privilege level 2.

So, please check what the privilege level for 'pix' is.

If it's privilege level 2, then you need to change it to level 15, or create a new user account with privilege level 15.

A sample:

aaa authentication ssh console LOCAL

ssh xx.xx.xx.xx 255.255.255.192 outside

ssh timeout 30

username admin password 2eLai.JSVhhZo2ej encrypted privilege 15

HTH

AK

The user "pix" is a built-in Cisco user, so I can't change its privilege level.

But due to the line "aaa authentication ssh console LOCAL", I can now log in to the FWSM via SSH with the users I created on the FWSM. So far so good.

But although I made sure to give e.g. the user "admin" the highest privileged rights (username admin password XYZ privilege 15), I can't directly access privileged mode. After login I'm just in unprivileged mode (FWSM>) and have to type in "enable" to get to FWSM#.

Hmm... Can you please test whether it works on your FWSM? I've got the newest FWSM Firewall Version 3.1(3), by the way.

EDIT:

This is the way I can log in:

Linux# ssh admin@a.b.c.d

-> (password)

FWSM> enable

-> (password)

FWSM#

But I would like to log in this way:

Linux# ssh admin@a.b.c.d

-> (password)

FWSM#

Thanks for helping!

Regards,

Marco

Any further suggestions how it might work?

You can't. The FWSM/PIX/ASA all require you to enter two passwords; it's a security feature.

Tested, but it still and always requires the enable password. Adding a command like 'aaa authorization command LOCAL' did not help either.

My bet is that this is probably because no 'aaa authorization exec' command is available. Unlike on a switch/router, where this command allows users (with appropriate access rights) to go directly to enable mode with either telnet or SSH.

I think this is the default nature of the FWSM (and PIX/ASA as well) as security devices that do not simply allow you to bypass another level of security (the enable password).

HTH

AK

Well, getting into enable mode directly on a Cisco 6513 router works without any problem. That's why I guessed it would work the same way on the FWSM as well.

The configuration on the 6513 concerning privilege level:

username abc privilege 15 secret 5 abcd1234

So with username abc I can log in via SSH and I'm immediately in enable mode.

So maybe it's indeed a security feature on the FWSM that just doesn't allow users to get into enable mode directly.

Thanks anyway.
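Added example, not from the thread or from Cisco: since the thread concludes that the two-step login in Marco's transcript cannot be collapsed on FWSM 3.1(3), any automation that needs privileged mode has to answer the SSH password prompt, send "enable", and answer the enable password prompt itself. The Python below models that as a small state machine replayed over a constructed transcript; the hostname FWSM, the exact prompt strings and the "Invalid password" text are assumptions, not output captured from a real FWSM. It also fails closed: if the device bounces back to the user-mode prompt after the enable password, it stops instead of retrying.

```python
import re

# Constructed transcript modelled on the session Marco pasted; not captured from a real FWSM.
SAMPLE_TRANSCRIPT = [
    "admin@a.b.c.d's password:",
    "Type help or '?' for a list of available commands.",
    "FWSM>",
    "Password:",
    "FWSM#",
]

# A prompt is a hostname, an optional "(config...)" context and a mode character, alone on the line.
PROMPT_RE = re.compile(r"^(?P<host>[\w.\-/]+)(?P<ctx>\([^)]*\))?(?P<mode>[>#])$")


def classify_prompt(line):
    """Return 'user' (>), 'privileged' (#) or 'config' ((config)#) for a prompt line, else None."""
    m = PROMPT_RE.match(line.strip())
    if not m:
        return None
    if m.group("ctx"):
        return "config"
    return "user" if m.group("mode") == ">" else "privileged"


class FwsmLoginDriver:
    """State machine that answers the prompts of the two-step FWSM login.

    States: 'ssh_auth' (answering the SSH client's password prompt and waiting
    for the first device prompt), 'enable_auth' ('enable' has been sent, waiting
    for the enable password prompt and the prompt that follows it) and 'privileged'.
    """

    def __init__(self, login_password, enable_password):
        self.login_password = login_password
        self.enable_password = enable_password
        self.state = "ssh_auth"
        self.sent = []  # everything the driver would have typed, in order

    def _send(self, text):
        self.sent.append(text)
        return text

    def feed(self, line):
        """Consume one line of session output; return the string to send back, or None."""
        text = line.strip()
        prompt = classify_prompt(text)

        if self.state == "ssh_auth":
            if text.endswith("'s password:"):  # OpenSSH's "user@host's password:" prompt
                return self._send(self.login_password)
            if prompt == "user":  # FWSM> means unprivileged, so ask for enable mode
                self.state = "enable_auth"
                return self._send("enable")
            if prompt in ("privileged", "config"):  # device put us straight into enable mode
                self.state = "privileged"
            return None

        if self.state == "enable_auth":
            if text == "Password:":  # enable password prompt (assumed wording)
                return self._send(self.enable_password)
            if prompt == "privileged":
                self.state = "privileged"
                return None
            if prompt == "user" or text.lower().startswith("invalid password"):
                # Bounced back to FWSM>: do not retry blindly, stop and report it.
                raise RuntimeError("enable rejected, still in user mode")
            return None

        return None  # already privileged: nothing more to do


def login_actions(transcript, login_password, enable_password):
    """Replay `transcript` through the driver; return (inputs sent, final state)."""
    driver = FwsmLoginDriver(login_password, enable_password)
    for line in transcript:
        driver.feed(line)
    return driver.sent, driver.state


if __name__ == "__main__":
    sent, state = login_actions(SAMPLE_TRANSCRIPT, "login-pw", "enable-pw")
    print(state, sent)
```

In a real driver the lines would come from the SSH session (e.g. a pty), and the two passwords should be read from a credential store rather than embedded in the script; the point here is only that the "enable" step has to be handled explicitly on this platform, and that a prompt that is still "FWSM>" after the enable password is an error, not something to loop on.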