PIX Security Appliance Management
Managing SSH access

Secure Shell (SSH) provides another option for remote management of the PIX Security Appliance. SSH offers a higher degree of security than Telnet, which sends the session, including the login password, in cleartext; SSH encrypts the session and authenticates both the server and the client at the application layer. The PIX supports SSH remote management with strong authentication and encryption. SSH is an application that runs on top of a reliable transport such as TCP and supports logging on to another computer over a network, executing commands remotely, and moving files from one host to another.

  • SSHv1 server was introduced in the PIX Security Appliance software version 5.2.
  • SSHv2 server was introduced in the PIX Security Appliance software version 7.0.

Both ends of an SSH connection are authenticated: the PIX proves its identity to the client with its RSA host key, and the client then authenticates with a password that travels only inside the encrypted session. Because SSH uses Rivest, Shamir, and Adleman (RSA) public key cryptography, an RSA key pair must be generated on the PIX Security Appliance before clients can connect to the PIX console; the host name and domain name must be configured first, since the key is bound to them. The PIX must also have an Advanced Encryption Standard (AES) or Triple-Data Encryption Standard (3DES) activation key, because without an encryption license the SSH server cannot be used.

The PIX Security Appliance allows up to five SSH clients to simultaneously access the console. Specific hosts or networks that are authorized to initiate an SSH connection to the PIX can be defined, as well as how long a session can remain idle before being disconnected.

NOTE:

The PIX Security Appliance SSH implementation provides a secure remote shell session without requiring IPSec (unlike Telnet, which the PIX permits on the outside interface only inside an IPSec tunnel). It functions only as a server, which means that the PIX cannot initiate SSH connections to other hosts.

The commands shown in Figure are used to configure an SSH connection to the PIX Security Appliance. The configuration steps are covered in the lab activity below.

To establish an SSH connection to the PIX Security Appliance console, enter the username pix and the Telnet password at the SSH client. When starting an SSH session, the PIX displays a dot (.) on the console before the SSH user authentication prompt appears, as follows:

pixfirewall(config)# .

The display of the dot does not affect the functionality of SSH. The dot appears on the console while the PIX generates a server key or decrypts a message with its private key during the SSH key exchange, before user authentication occurs. These tasks can take up to two minutes or longer. The dot is a progress indicator showing that the PIX Firewall is busy and has not hung.

In Figure , an RSA key pair is generated for the PIX Security Appliance using the default key modulus size of 1024 bits. Host 172.26.26.50 is authorized to initiate an SSH connection to the PIX. Note that 1024 bits is only the platform default; where the software version supports it, a 2048-bit modulus should be specified, because 1024-bit RSA is below current key-length guidance.
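The figure described above shows the PIX side of the procedure: set the host name and domain name, generate the RSA key pair, permit the management host, and bound the idle time. The Python script below is an added example, not code from the page or from Cisco, that audits a saved PIX running-config for those settings. The two configurations it checks are constructed for the example: a weak one that permits SSH from any address, accepts SSHv1, leaves Telnet enabled and allows a 60-minute idle time, and a hardened one that matches the figure (only 172.26.26.50 on the inside interface, SSHv2 only, default 5-minute timeout). The thresholds, the function names, and the finding strings are assumptions of this example; the `ssh`, `ssh timeout`, `ssh version` and `telnet` statement syntax is the PIX 7.0 syntax the page describes. The `crypto key generate rsa` step is not audited because a generated key does not appear as a line in the running-config.

```python
"""Audit a PIX running-config for SSH management hardening (added example)."""
import re
from ipaddress import IPv4Network
from typing import List

# Constructed sample configs for this example; not taken from the page.
WEAK_CONFIG = """\
hostname pixfirewall
domain-name example.com
telnet 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh version 1
"""

HARDENED_CONFIG = """\
hostname pixfirewall
domain-name example.com
ssh 172.26.26.50 255.255.255.255 inside
ssh timeout 5
ssh version 2
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
SSH_PERMIT = re.compile(rf"^ssh\s+{IP}\s+{IP}\s+(\S+)\s*$")
TELNET_PERMIT = re.compile(rf"^telnet\s+{IP}\s+{IP}\s+(\S+)\s*$")
SSH_TIMEOUT = re.compile(r"^ssh\s+timeout\s+(\d+)\s*$")
SSH_VERSION = re.compile(r"^ssh\s+version\s+(\d)\s*$")


def config_lines(text: str) -> List[str]:
    """Return the non-empty, non-comment lines of a running-config, stripped."""
    return [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.startswith("!")]


def audit_ssh_config(text: str, max_idle_minutes: int = 10, min_prefixlen: int = 24) -> List[str]:
    """Return a list of findings; an empty list means the SSH settings passed.

    Thresholds are assumptions for this example: an ssh permit wider than a /24
    and an idle timeout above 10 minutes are reported.
    """
    findings: List[str] = []
    permits = []
    version = None          # None: the PIX accepts both SSHv1 and SSHv2
    timeout = 5             # PIX default idle timeout in minutes

    for line in config_lines(text):
        m = SSH_TIMEOUT.match(line)
        if m:
            timeout = int(m.group(1))
            continue
        m = SSH_VERSION.match(line)
        if m:
            version = int(m.group(1))
            continue
        m = SSH_PERMIT.match(line)
        if m:
            # ipaddress accepts a dotted-decimal mask after the slash.
            net = IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
            permits.append((net, m.group(3)))
            if net.prefixlen < min_prefixlen:
                findings.append(f"ssh permit too broad: {net} on {m.group(3)}")
            continue
        m = TELNET_PERMIT.match(line)
        if m:
            findings.append(
                f"telnet (cleartext) management enabled from {m.group(1)} {m.group(2)} on {m.group(3)}"
            )

    if not permits:
        findings.append("no ssh permit statements: SSH management is disabled")
    if version != 2:
        findings.append("ssh version not pinned to 2: SSHv1 is accepted")
    if timeout > max_idle_minutes:
        findings.append(f"ssh timeout {timeout} minutes exceeds {max_idle_minutes}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for finding in audit_ssh_config(cfg) or ["no findings"]:
            print(" ", finding)
```

Run against a config pulled with `show running-config`, the script reports the weak sample's four problems and passes the hardened one. The check for a missing `ssh version` line matters because a PIX with SSHv2 support still accepts SSHv1 sessions unless version 2 is pinned.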

Use the show ssh sessions command to list all active SSH sessions on the PIX Security Appliance, including the session ID of each. The ssh disconnect command, given a session ID from that list, enables the administrator to disconnect a specific session. Use the clear configure ssh command to remove all ssh command statements from the configuration, and use the no form of an ssh command to remove a selected ssh statement. The debug ssh command displays information and error messages associated with the ssh command.


Interactive Media Activity

Demonstration Activity: Configuring SSH Access on the PIX Security Appliance

In this activity, students will learn how to configure SSH access on the PIX Security Appliance.