11-28-2006 07:42 AM - edited 03-09-2019 04:57 PM
Hi!
Obviously, the only user that can access the FWSM by ssh is user "pix". Is it possible to give "pix" privileged rights instantly when he logs in?
Can I create other users that are able to log in via ssh (couldn't find anything in the documentation)?
Thanks.
11-28-2006 08:13 AM
You can always create/add users to access FWSM via telnet (from inside, dmz) or ssh/https (from both inside & outside segments).
username
As for the user 'pix', do you see it configured explicitly, or does it exist in FWSM?
What dictates ssh access is the key generated by FWSM for the ssh session (ca generate rsa key
Define who (ip address of allowed workstation) can ssh/telnet/http (for https) into FWSM using "ssh
HTH
AK
11-28-2006 11:49 PM
Hi!
Concerning your second link in your last posting, there's written:
>>>>>>>>>>>>>>>>>>>>>>
Using an SSH Client
To gain access to the FWSM console using SSH, at the SSH client enter the username pix and enter the login password set by the password command (see the "Changing the Login Password" section).
<<<<<<<<<<<<<<<<<<<<<<
So it looks like there is only the user "pix" available that can access the FWSM via ssh. After his login, I can of course use other users with the "login" command to access the FWSM.
But our problem is that we want to access the FWSM via ssh with a user that _instantly_ gets privileged access. And this doesn't work with user "pix", because this user can only access the unprivileged mode in the first step. In a second step we either have to type in "enable" and the password _or_ we use a user we can create with "username...".
Our aim is to skip the second step, so we can instantly log in to the FWSM and have privileged rights.
Thanks,
Marco
11-29-2006 01:20 AM
It's possible to have the user 'pix' get to privilege mode (#) immediately after login. But the condition is that the privilege level must be level 15. Others will not get the direct "#" access.
By default, a user will be given privilege level 2.
So, please check what the privilege is for 'pix'.
If it's priv level 2, then you need to change it to level 15, or create a new user account with priv level 15.
A sample:
aaa authentication ssh console LOCAL
ssh xx.xx.xx.xx 255.255.255.192 outside
ssh timeout 30
username admin password 2eLai.JSVhhZo2ej encrypted privilege 15
HTH
AK
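An added audit helper (example code, not from this thread or from Cisco) that pulls the SSH-related facts out of an FWSM-style configuration in the form of the sample above and reports which local users carry privilege 15, from which interface SSH management is permitted, and whether SSH would fall back to the built-in pix login; the second username line in the embedded sample is constructed, the rest mirrors the post.

```python
import re

# Constructed sample in the same form as the FWSM snippet in the post above.
# The "ops" line is added here to show the default privilege (2) the post mentions.
SAMPLE_CONFIG = """\
aaa authentication ssh console LOCAL
ssh xx.xx.xx.xx 255.255.255.192 outside
ssh timeout 30
username admin password 2eLai.JSVhhZo2ej encrypted privilege 15
username ops password XYZ encrypted
"""

SSH_AUTH_RE = re.compile(r"^aaa authentication ssh console (\S+)$")
# "ssh <addr> <dotted-mask> <interface>"; "ssh timeout 30" has no dotted mask and is skipped
SSH_ACL_RE = re.compile(r"^ssh (\S+) (\d{1,3}(?:\.\d{1,3}){3}) (\S+)$")
USER_RE = re.compile(r"^username (\S+) password (\S+)(?: encrypted)?(?: privilege (\d+))?$")


def parse_fwsm(config: str) -> dict:
    """Extract SSH authentication, SSH source restrictions and local users."""
    facts = {"ssh_auth": None, "ssh_hosts": [], "users": []}
    for raw in config.splitlines():
        line = raw.strip()
        if (m := SSH_AUTH_RE.match(line)):
            facts["ssh_auth"] = m.group(1)
        elif (m := SSH_ACL_RE.match(line)):
            facts["ssh_hosts"].append({"addr": m.group(1), "mask": m.group(2), "iface": m.group(3)})
        elif (m := USER_RE.match(line)):
            # The post above states that a new user gets privilege level 2 unless set explicitly.
            facts["users"].append({"name": m.group(1), "priv": int(m.group(3) or 2)})
    return facts


def audit_ssh_access(config: str) -> list:
    """Return human-readable findings a reviewer would want to see for SSH management access."""
    facts = parse_fwsm(config)
    findings = []
    if facts["ssh_auth"] is None:
        findings.append("no 'aaa authentication ssh console': SSH accepts only the built-in user pix with the login password")
    for h in facts["ssh_hosts"]:
        if h["iface"] == "outside":
            findings.append(f"SSH management permitted from {h['addr']}/{h['mask']} on the outside interface")
    admins = [u["name"] for u in facts["users"] if u["priv"] == 15]
    if admins:
        findings.append("privilege 15 local users: " + ", ".join(admins))
    return findings


if __name__ == "__main__":
    for finding in audit_ssh_access(SAMPLE_CONFIG):
        print(finding)
```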
11-29-2006 02:25 AM
The user "pix" is a built-in user by Cisco, so I can't change its privilege level.
But due to the line "aaa authentication ssh console LOCAL", I now can log in to the FWSM via ssh with the users I created on the FWSM. So far so good.
But although I made sure to give e.g. the user "admin" the highest privileged rights (username admin password XYZ privilege 15), I can't directly access privileged mode. After login I'm just in unprivileged mode (FWSM>) and have to type in "enable" to get to FWSM#.
Hmm.. Can you please test whether it works on your FWSM? I've got the newest FWSM Firewall Version 3.1(3) by the way.
EDIT:
This is the way I can log in:
Linux# ssh admin@a.b.c.d
-> (password)
FWSM> enable
-> (password)
FWSM#
But I would like to log in this way:
Linux# ssh admin@a.b.c.d
-> (password)
FWSM#
Thanks for helping!
Regards,
Marco
11-30-2006 11:46 PM
Any further suggestions how it might work?
12-01-2006 05:25 AM
You can't. The FWSM/PIX/ASA all require you to enter two passwords; it's a security feature.
12-03-2006 07:20 AM
Tested, but it still and always requires the enable password. Adding a command like 'aaa authorization command LOCAL' did not help either.
My bet is this is probably because no 'aaa authorization exec' command is available. Unlike in a switch/router, this command allows users (with appropriate access rights) to go directly to enable mode with either telnet or ssh.
I think this is the default nature of the FWSM (and PIX/ASA as well) as security devices that do not simply allow you to bypass another level of security (which is the enable password).
HTH
AK
12-04-2006 12:28 AM
Well, getting into enable mode straight away on a Cisco 6513 Router works without any problem. That's why I guessed it would work the same way on the FWSM as well.
The configuration on the 6513 concerning privilege level:
username abc privilege 15 secret 5 abcd1234
So with username abc I can log in via ssh and I'm immediately in enable mode.
So maybe it's indeed a security feature on the FWSM that just doesn't allow users to get into enable mode directly.
Thanks anyway.