Cisco Support Community
New Member

ssh for IDSM

Did anybody figure out how to implement ssh for IDSM? I created a direct-access and I generated a key. After that I am a little lost. I was able to telnet to port 22 but can't make a connection. I think I am missing something.

4 REPLIES
Cisco Employee

Re: ssh for IDSM

Connections to the IDSM using ssh are not supported in the released version 3.0(4)S20 or earlier.

In IDSM 3.0(4)S20 the managed daemon can connect through an SSH client to PIX Firewalls in order to shun/block IP addresses on the PIX.

In other words, IDSM has an ssh client (used by managed), but does not have an ssh server.

The ssh server on the IDSM has been requested, and is being considered for future release. Keep an eye out for the possible release of ssh server support on a future version of the IDSM.

New Member

Re: ssh for IDSM

I think you are wrong, since there is a version 3.0(5)S23 and in the readme file it states that you can ssh directly to the IDSM blade. Here is the location of the readme file: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/idsm/idsm_2/13726_04.htm. I just can't find documentation on how to implement it.

Cisco Employee

Re: ssh for IDSM

I hadn't received the Active Update Bulletin yet so I thought it was still a day or two before release. They posted it earlier than I expected.

To enable the ssh server on the IDSM try going into "configure terminal" mode and executing "direct-access".

Ensure that your client address/network is listed in the access-list and answer yes to the question:

Enabled direct SSH access to IDSM? [yes]:

If you are not able to access the IDSM through SSH after this point then "reboot" the IDSM and try again.

If you are still not able to SSH then also enable Telnet and attempt to telnet to the IDSM.

If telnet doesn't work either then ensure that the IPs in the access-list are correct. If going through NAT you may need to enter the translated address.

If telnet works, but ssh still doesn't work, then at least we know that the IP address entries are correct. Can you try another ssh client? There may be an ssh client/server incompatibility that we may not be aware of.

If you still can't get it to work then contact the TAC and supply them with the htmlf file output of the "report systemstatus" command as well as the OS type, SSH client version and IP address that you are trying to ssh from.

Marco

New Member

Re: ssh for IDSM

It is very important to note that the ssh server in IDS 3.0(5)S23 supports only SSH protocol version 1.5. Many ssh clients will negotiate down to this version from SSH protocol version 2, but some will not. OpenSSH-3.4p1 for example will negotiate down only if the "Protocol 2,1" option is set (this is the default). If your default is something else, you can override it a number of ways. The most reliable is to add

-o "Protocol 1"

to the ssh command line. For example:

ssh -l ciscoids -o "Protocol 1" 10.10.10.10

A convenient way to specify this on a per-user and/or per-host basis is to add this option to the Hosts section of the ssh_config file.

SSH.com's ssh client (ssh-3.x.x) will also accept options on the command line using the "-o" parameter. Windows clients (such as PuTTY and SecureCRT) have a GUI for configuring session options.

The secure shell implementations for the Unix-like operating systems use "ssh" as the name of the executable for the client. To learn what implementation you are using, enter the command:

ssh -V

A helpful hint is to operate your ssh client in "verbose" mode. For example, with OpenSSH and SSH.com clients use:

ssh -v -l ciscoids 10.10.10.10

Often this will help you understand why your client is not connecting. An adjustment to the client configuration is normally all that is required to successfully connect.
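The protocol-version mismatch described in this reply can be diagnosed before the client even tries to authenticate: the server's identification banner ("SSH-1.5-..." for a protocol 1 only server like the IDSM release discussed here, "SSH-1.99-..." for a server speaking both versions, "SSH-2.0-..." for version 2 only) says which protocol the client must offer. The script below is an added example, not part of the original thread; the banners, user name and host address are constructed, and the hypothetical fetch_banner() helper reads a live banner only when you point it at a real host.

```python
import re
import socket

# RFC 4253 identification string: "SSH-<protoversion>-<softwareversion>[ <comments>]".
# Servers may send arbitrary text lines before it, so we look for the first "SSH-" line.
BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comment>.*))?$")


def parse_banner(raw):
    """Return {'proto', 'software', 'comment'} from raw banner text (pre-banner lines skipped)."""
    for line in raw.splitlines():
        line = line.strip()
        if line.startswith("SSH-"):
            m = BANNER_RE.match(line)
            if not m:
                raise ValueError("malformed identification string: %r" % line)
            return m.groupdict()
    raise ValueError("no SSH identification string found")


def supported_protocols(proto):
    """Map the banner's protoversion field to the set of SSH protocol majors the server accepts."""
    if proto == "1.99":          # legacy convention: server speaks both 1.x and 2.0
        return {1, 2}
    if proto.startswith("2."):
        return {2}
    if proto.startswith("1."):   # 1.3 / 1.5: protocol 1 only, e.g. the IDSM 3.0(5)S23 server
        return {1}
    raise ValueError("unknown protocol version %r" % proto)


def client_advice(raw_banner, user="ciscoids", host="10.10.10.10"):
    """Build the ssh command line this server needs (constructed user/host defaults).

    Note: OpenSSH 7.6 and later dropped the protocol 1 client entirely, so a
    v1-only server needs an older client no matter what -o option is passed.
    """
    protos = supported_protocols(parse_banner(raw_banner)["proto"])
    if protos == {1}:
        return 'ssh -l %s -o "Protocol 1" %s' % (user, host)
    return "ssh -l %s %s" % (user, host)


def fetch_banner(host, port=22, timeout=5.0):
    """Read the server's identification string without starting key exchange."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(255).decode("ascii", "replace")


# Constructed sample banners for offline use.
V1_ONLY = "SSH-1.5-1.2.27"
BOTH = "Welcome, authorised users only\r\nSSH-1.99-OpenSSH_3.4p1"
V2_ONLY = "SSH-2.0-OpenSSH_9.6 Debian-1"
```

Running client_advice(fetch_banner("10.10.10.10")) against a real sensor prints the exact command line to use, and parse_banner() on the same text shows the software string to quote when opening a TAC case.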
