Secure Shell (SSH) provides another option for remote management of the PIX Security Appliance. SSH provides a higher degree of security than Telnet because it adds lower-layer encryption and application-level security. The PIX supports SSH remote functionality, which provides strong authentication and encryption. SSH, an application running on top of a reliable transport layer such as TCP, supports logging onto another computer over a network, executing commands remotely, and moving files from one host to another.
- SSHv1 server was introduced in the PIX Security Appliance software version
5.2.
- SSHv2 server was introduced in the PIX Security Appliance software version
7.0.
Both ends of an SSH connection are authenticated, and passwords are protected by encryption. Because SSH uses Rivest, Shamir, and Adleman (RSA) public-key cryptography, an Internet encryption and authentication system, an RSA key pair must be generated for the PIX Security Appliance before clients can connect to the PIX console. The PIX must also have an Advanced Encryption Standard (AES) or Triple Data Encryption Standard (3DES) activation key.
The PIX Security Appliance allows up to five SSH clients to simultaneously
access the console. Specific hosts or networks that are authorized to initiate
an SSH connection to the PIX can be defined, as well as how long a session can
remain idle before being disconnected.
NOTE: The PIX Security Appliance SSH implementation provides a secure remote shell session without IPSec, and only functions as a server, which means that the PIX cannot initiate SSH connections.
The commands shown in the figure are used to configure an SSH connection to the PIX Security Appliance. The configuration steps are covered in the lab activity below.
To establish an SSH connection to the PIX Security Appliance console, enter the username pix and the Telnet password at the SSH client. When starting an SSH session, the PIX displays a dot (.) on the console before the SSH user authentication prompt appears, as follows:
pixfirewall(config)# .
The display of the dot does not affect the functionality of SSH. The dot appears at the console when generating a server key or decrypting a message using private keys during SSH key exchange before user authentication occurs. These tasks can take up to two minutes or longer. The dot is a progress indicator that verifies that the PIX Firewall is busy and has not hung.
In the figure, an RSA key pair is generated for the PIX Security Appliance using the default key modulus size of 1024. Host 172.26.26.50 is authorized to initiate an SSH connection to the PIX.
Use the show ssh sessions command to list all active SSH sessions on the PIX Security Appliance. The ssh disconnect command enables the administrator to disconnect a specific session. Use the clear configure ssh command to remove all ssh command statements from the configuration, and use the no ssh command to remove selected ssh command statements. The debug ssh command displays information and error messages associated with the ssh command.
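The settings discussed above (which hosts may open an SSH session, how long a session may sit idle, which protocol version is accepted, and whether Telnet is still permitted) are the ones an administrator reviews when checking a PIX configuration. The following Python script is an added example, not part of the course material or of Cisco's own tooling: it parses those statements out of a running configuration and reports the conditions worth flagging. The sample configuration and the management allowlist are constructed for the example; the assumed default idle timeout and the assumption that SSH version is unrestricted when no version statement is present are marked in the code.

```python
"""Audit the SSH management-access settings of a PIX configuration.

Added example for this section, not part of the course material or of
Cisco's own tooling. It parses the ssh/telnet access statements, the
ssh timeout and the ssh version out of a running configuration and
reports the conditions a reviewer would check. Assumptions are marked.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample configuration for this example. It mirrors the
# scenario in the text (host 172.26.26.50 authorized for SSH) and adds
# deliberately weak lines so the audit has something to report.
SAMPLE_CONFIG = """\
hostname pixfirewall
ssh 172.26.26.50 255.255.255.255 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh version 1
telnet 192.168.1.0 255.255.255.0 inside
"""

# "ssh <ip> <mask> <interface>" and "telnet <ip> <mask> <interface>"
ACCESS_RE = re.compile(
    r"^(ssh|telnet)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s*$")
TIMEOUT_RE = re.compile(r"^ssh\s+timeout\s+(\d+)\s*$")
VERSION_RE = re.compile(r"^ssh\s+version\s+(\S+)\s*$")


@dataclass
class SshSettings:
    ssh_sources: list = field(default_factory=list)     # (network, interface)
    telnet_sources: list = field(default_factory=list)  # (network, interface)
    timeout_minutes: int = 5   # assumption: default idle timeout when none is set
    version: str = "any"       # assumption: both versions accepted when unrestricted


def parse_config(text: str) -> SshSettings:
    """Collect the SSH-relevant statements from configuration text."""
    settings = SshSettings()
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACCESS_RE.match(line):
            # ipaddress accepts a dotted netmask, so "ip/mask" works directly
            net = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
            target = settings.ssh_sources if m[1] == "ssh" else settings.telnet_sources
            target.append((net, m[4]))
        elif m := TIMEOUT_RE.match(line):
            settings.timeout_minutes = int(m[1])
        elif m := VERSION_RE.match(line):
            settings.version = m[1]
    return settings


def audit(settings: SshSettings, management_nets, max_idle_minutes: int = 10):
    """Return a list of findings; an empty list means nothing to report."""
    allowed = [ipaddress.ip_network(n) for n in management_nets]
    findings = []
    if not settings.ssh_sources:
        findings.append("no ssh statements: SSH console access is not enabled")
    for net, iface in settings.ssh_sources:
        if net.prefixlen == 0:
            findings.append(f"ssh permitted from any address on {iface}")
        elif not any(net.subnet_of(a) for a in allowed):
            findings.append(f"ssh source {net} on {iface} is outside the management allowlist")
    if settings.version != "2":
        findings.append("SSH version 1 is accepted; restrict to version 2 where the software supports it")
    if settings.timeout_minutes > max_idle_minutes:
        findings.append(f"ssh idle timeout {settings.timeout_minutes} min exceeds limit of {max_idle_minutes} min")
    for net, iface in settings.telnet_sources:
        findings.append(f"telnet permitted from {net} on {iface}; cleartext management, prefer ssh")
    return findings


def audit_sample():
    """Run the audit over the constructed sample with a constructed allowlist."""
    return audit(parse_config(SAMPLE_CONFIG), ["172.26.26.0/24"], max_idle_minutes=10)


if __name__ == "__main__":
    for finding in audit_sample():
        print("-", finding)
```

Run against the sample, the script reports the any-address ssh statement on the outside interface, the version 1 setting, the 60-minute idle timeout and the remaining telnet statement, while the single authorized host from the text passes because it falls inside the constructed management allowlist. The allowlist and idle limit are parameters so the same check can be applied to a real configuration with the organization's own values.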