02-04-2003 08:25 AM - edited 02-20-2020 10:32 PM
I have a PIX 506 at a remote location and I attempted to set up SSH access to it from my machine.
Firewall = PIX 506 - 6.1(1)
my machine = RedHat Linux 8.0
ssh client = openssh 3.4p1-2.
The SSH session is failing with the following error.
On the client side:
Received disconnect from [pix ip here]: Invalid message type.
On the PIX side (debug ssh):
315002: Permitted SSH session from [my ip here] on interface outside for user "pix"
315011: SSH session from [my ip here] on interface outside for user "pix" disconnected by SSH server, reason: "Invalid message type" (0x01)
Here is a verbose dump from the client side:
[root@hydrogen virginia]# ssh -c des -v -l pix [pix ip here]
OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to [pix ip here] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 1.5, remote software version Cisco-1.25
debug1: no match: Cisco-1.25
debug1: Local version string SSH-1.5-OpenSSH_3.4p1
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (2048 bits).
debug1: Host '[pix ip here]' is known and matches the RSA1 host key.
debug1: Found key in /root/.ssh/known_hosts:5
debug1: Encryption type: des
debug1: Sent encrypted session key.
Warning: use of DES is strongly discouraged due to cryptographic weaknesses
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Doing password authentication.
pix@[pix ip here]'s password:
debug1: Requesting pty.
debug1: Requesting X11 forwarding with authentication spoofing.
Warning: Remote host denied X11 forwarding.
debug1: fd 3 setting TCP_NODELAY
debug1: Requesting shell.
debug1: Entering interactive session.
Received disconnect from [pix ip here]: Invalid message type
debug1: Calling cleanup 0x8053120(0x0)
debug1: Calling cleanup 0x80674b0(0x0)
02-04-2003 11:10 AM
The PIX can only support SSH version 1.x. Looks like your client is running v3.4, try using version 1.x and see what happens.
Also confirm that your config is something like below:
hostname xxxx
domain-name xxxx
ca generate rsa key 1024
ca save all
ssh 10.10.10.10 255.255.255.255 outside
ssh timeout 60
Hope it helps.
Steve
02-05-2003 02:32 PM
You should probably set:
X11Forwarding no
or just comment it:
#X11Forwarding no
in your /etc/ssh/ssh_config file. The Cisco SSH implementation does not support X11 forwarding, since no X11 is implemented.
This is not an OpenSSH default setting you are using, so you might want to check further settings in your SSH configuration file like EscapeChar...
02-06-2003 07:41 AM
X11Forwarding was the ticket. Then again it also helped knowing the PIX only supports SSH 1.
For anyone else in the same situation, use these settings:
/etc/ssh/ssh_config change X11Forwarding to no
# ssh -v -c des -l pix -1 [pix ip address]
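
Added example (not code from any poster, Cisco or OpenSSH): a triage helper for `ssh -v` client output like the dump in the first post, listing what the server was asked for and what it refused before a disconnect. The function name `triage`, the hint wording and the abbreviated sample log are constructed for illustration.

```python
import re

# Constructed sample, abbreviated from the verbose client dump in the first post.
SAMPLE_LOG = """\
debug1: Remote protocol version 1.5, remote software version Cisco-1.25
debug1: Encryption type: des
debug1: Requesting pty.
debug1: Requesting X11 forwarding with authentication spoofing.
Warning: Remote host denied X11 forwarding.
debug1: Requesting shell.
debug1: Entering interactive session.
Received disconnect from [pix ip here]: Invalid message type
"""

# Single-valued and list-valued fields seen in `ssh -v` client output.
SINGLE = {
    "protocol": re.compile(r"Remote protocol version (\d+\.\d+)"),
    "cipher": re.compile(r"Encryption type: (\S+)"),
    "disconnect": re.compile(r"Received disconnect from .+?: (.+?)\.?$"),
}
MULTI = {
    "requests": re.compile(r"debug1: Requesting (.+?)\.?$"),
    "denied": re.compile(r"Remote host denied (.+?)\.?$"),
}

def triage(log_text):
    """Summarise what the client negotiated, requested and was refused."""
    report = {"protocol": None, "cipher": None, "disconnect": None,
              "requests": [], "denied": [], "hints": []}
    for line in (l.strip() for l in log_text.splitlines()):
        for key, rx in SINGLE.items():
            m = rx.search(line)
            if m:
                report[key] = m.group(1)
        for key, rx in MULTI.items():
            m = rx.search(line)
            if m:
                report[key].append(m.group(1))
    # A server banner of 1.x (other than 1.99) means SSH protocol 1 only.
    proto = report["protocol"] or ""
    if proto.startswith("1.") and proto != "1.99":
        report["hints"].append("server is SSH protocol 1 only: force it with -1")
    # A refused optional request followed by a disconnect is the first suspect.
    if report["disconnect"]:
        for item in report["denied"]:
            report["hints"].append(f"server denied '{item}' before disconnecting "
                                   f"with '{report['disconnect']}': turn that request off")
    return report
```

Calling `triage()` on a saved `ssh -v` capture returns a dict; the `hints` list is the part to read first.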