Home > Articles > Security > Software Security

  • Print
  • + Share This
Like this article? We recommend

Like this article? We recommend

Configuring PIX to Accept SSH Connections

Our first task is to generate an RSA public/private key pair to use to securely transfer the session key from the server to the client. The hostname and domain-name must be set before the PIX will allow you to generate the key pair.

  1. Assign a hostname and domain name to the PIX. This is required to generate the RSA key set.

    pixfirewall(config)# hostname percival 
    percival(config)# domain-name cisco.com
  2. Generate an RSA Key pair and save the keys to Flash memory.

    percival(config)# ca generate rsa key 2048
    For <key_modulus_size> >= 1024, key generation could
    take up to several minutes. Please wait..........
  3. View your newly created RSA Public Key.

    percival(config)# sh ca mypubkey rsa
    % Key pair was generated at: 15:02:39 May 28 2001
    Key name: percival.cisco.com
    Usage: General Purpose Key
    Key Data:
    30820122 300d0609 2a864886 f70d0101 01050003 82010f00 3082010a 02820101 
    00b0475a 85bcfce7 91e36431 16c67070 24e4eb09 1b55766c 3588ea87 ba637382 
    8e3455a5 a7f71a8f fcd93f25 2bb95484 668ae92d a2175de3 04605fd0 d84f17e4 
    70569d26 90ff55d9 3cb91b90 ca4102d5 dc3c9cd1 25692aba f5cabae7 4f066459 
    86ecae91 a6e8c032 1e15184d f12f4bf8 18828ca6 6bc61c80 08a1425a 7d767200 
    ae68098f 703a972f 59b92239 ed9ae146 ff4a7ea4 6ae2b527 0486c91a c76bd376 
    3093d024 164e6032 c327d9b9 ed7101c8 73030634 defc0848 78a51d04 6995ad8c 
    5cbdc0b1 e77091e0 283e5881 407b3639 8a90abba fa559e4b 07a769ab 19b020f4 
    ba76301a 09772faa 2920067b be4ca3c0 84e2f7f0 7985eafe 227940e4 c56aea3e 
    23020301 0001
  4. After generating the keys, you must save them to Flash. Failure to perform this step will result in the erasure of the keys at the next reload.

    percival(config)# ca save all
  5. Specify what hosts are allowed to SSH to the PIX and set the SSH inactivity timeout. In this case, you will limit SSH access to a single inside host and kill sessions after one hour of inactivity.

    percival(config)# ssh inside
    percival(config)# ssh timeout 60
  6. Set the enable password and Telnet password. You will be required to enter the Telnet password to authenticate your SSH session.

    percival(config)# enable password hArd2Gue$$
    percival(config)# passwd Ace$$D3n13d


    If you have previously configured a telnet password and enable password, you don't need to change them for SSH to work.

  • + Share This
  • 🔖 Save To Your Account