SSH to PIX 506 from Linux

worshama
Level 1

I have a PIX 506 at a remote location and I attempted to set up SSH access to it from my machine.

Firewall = PIX 506 - 6.1(1)

my machine = RedHat Linux 8.0

ssh client = openssh 3.4p1-2.

The SSH session is failing with the following error.

On the client side:

Received disconnect from [pix ip here]: Invalid message type.

On the PIX side (debug ssh):

315002: Permitted SSH session from [my ip here] on interface outside for user "pix"

315011: SSH session from [my ip here] on interface outside for user "pix" disconnected by SSH server, reason: "Invalid message type" (0x01)

Here is a verbose dump from the client side:

[root@hydrogen virginia]# ssh -c des -v -l pix [pix ip here]

OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f

debug1: Reading configuration data /etc/ssh/ssh_config

debug1: Applying options for *

debug1: Rhosts Authentication disabled, originating port will not be trusted.

debug1: ssh_connect: needpriv 0

debug1: Connecting to [pix ip here] port 22.

debug1: Connection established.

debug1: identity file /root/.ssh/identity type -1

debug1: identity file /root/.ssh/id_rsa type -1

debug1: identity file /root/.ssh/id_dsa type -1

debug1: Remote protocol version 1.5, remote software version Cisco-1.25

debug1: no match: Cisco-1.25

debug1: Local version string SSH-1.5-OpenSSH_3.4p1

debug1: Waiting for server public key.

debug1: Received server public key (768 bits) and host key (2048 bits).

debug1: Host '[pix ip here]' is known and matches the RSA1 host key.

debug1: Found key in /root/.ssh/known_hosts:5

debug1: Encryption type: des

debug1: Sent encrypted session key.

Warning: use of DES is strongly discouraged due to cryptographic weaknesses

debug1: Installing crc compensation attack detector.

debug1: Received encrypted confirmation.

debug1: Doing password authentication.

pix@[pix ip here]'s password:

debug1: Requesting pty.

debug1: Requesting X11 forwarding with authentication spoofing.

Warning: Remote host denied X11 forwarding.

debug1: fd 3 setting TCP_NODELAY

debug1: Requesting shell.

debug1: Entering interactive session.

Received disconnect from [pix ip here]: Invalid message type

debug1: Calling cleanup 0x8053120(0x0)

debug1: Calling cleanup 0x80674b0(0x0)

4 Replies

steve.barlow
Level 7

The PIX can only support SSH version 1.x. Looks like your client is running v3.4, try using version 1.x and see what happens.

Also confirm that your config is something like below:

hostname xxxx

domain-name xxxx

ca generate rsa key 1024

ca save all

ssh 10.10.10.10 255.255.255.255 outside

ssh timeout 60

Hope it helps.

Steve

ods
Level 1

You should probably set:

X11Forwarding no

or just comment it:

#X11Forwarding no

in your /etc/ssh/ssh_config file. The Cisco SSH implementation does not support X11 forwarding, since no X11 is implemented.

This is not an OpenSSH default setting you are using, so you might want to check further settings in your SSH configuration file like EscapeChar...

X11Forwarding was the ticket. Then again it also helped knowing the PIX only supports SSH 1.

For anyone else in the same situation, use these settings:

/etc/ssh/ssh_config change X11Forwarding to no

# ssh -v -c des -l pix -1 [pix ip address]
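
An added example, not part of the original thread: a small Python triage of `ssh -v` output that flags the conditions this thread turned on (an SSH-1-only server, the DES cipher, and a disconnect following a denied X11 forwarding request). The sample transcript is constructed from the lines quoted above with 192.0.2.1 as a placeholder address, and the finding labels are this example's own.

```python
import re

# Constructed sample, shaped like the client debug output quoted in the thread.
SAMPLE = """\
debug1: Remote protocol version 1.5, remote software version Cisco-1.25
debug1: Local version string SSH-1.5-OpenSSH_3.4p1
debug1: Encryption type: des
debug1: Requesting X11 forwarding with authentication spoofing.
Warning: Remote host denied X11 forwarding.
debug1: Entering interactive session.
Received disconnect from 192.0.2.1: Invalid message type
"""

PATTERNS = {
    "remote_version": re.compile(r"Remote protocol version (\d+)\.(\d+)"),
    "cipher": re.compile(r"Encryption type: (\S+)"),
    "x11_requested": re.compile(r"Requesting X11 forwarding"),
    "x11_denied": re.compile(r"Remote host denied X11 forwarding"),
    "disconnect": re.compile(r"Received disconnect from .+?: (.+)"),
}

def triage(log):
    """Return a sorted list of finding labels for one `ssh -v` transcript."""
    hits = {}
    for line in log.splitlines():
        for name, pat in PATTERNS.items():
            m = pat.search(line)
            if m and name not in hits:   # keep the first occurrence only
                hits[name] = m
    findings = set()
    ver = hits.get("remote_version")
    # A server advertising 1.99 also speaks SSH-2; other 1.x versions are SSH-1 only.
    if ver and ver[1] == "1" and ver[2] != "99":
        findings.add("ssh1-only-server")
    if "cipher" in hits and hits["cipher"][1].lower() == "des":
        findings.add("single-des-cipher")
    if "x11_requested" in hits and "x11_denied" in hits:
        findings.add("x11-forwarding-denied")
        disc = hits.get("disconnect")
        if disc and "Invalid message type" in disc[1]:
            findings.add("disconnect-after-x11-request")
    return sorted(findings)

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```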
