topic Re: Secure Shell configuration using local users not working for Firepower version 6.4 in Network Security

Secure Shell configuration using local users not working for Firepower version 6.4

laukik.nahar1 — Wed, 01 Jul 2020 12:40:56 GMT

Dear Friends,

Tried configuring the Secure Shell from Devices->Platform Settings->Secure Shell

Added object with IP address for local Admin user and the interface from where it was taking access.

But the other users are also able to access the CLI using PUTTY.

Please find the attached error message while trying to deploy the policy.

URL followed for reference are -

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200701-Configuration-of-Management-access-to-FT.html

Re: Secure Shell configuration using local users not working for Firepower version 6.4

Marvin Rhoads — Wed, 01 Jul 2020 13:58:23 GMT

You can proceed despite that warning. It's just telling you some part of the platform settings config contains reference to the deprecated protocols.

Re: Secure Shell configuration using local users not working for Firepower version 6.4

laukik.nahar1 — Wed, 01 Jul 2020 16:53:24 GMT

@Marvin Rhoads - The deployment was successful.

But the issue is that, we are able to log (SSH) into the device by users other than those mentioned in Secure Shell tab.

Please find the attached screenshot.

Re: Secure Shell configuration using local users not working for Firepower version 6.4

laukik.nahar1 — Wed, 01 Jul 2020 16:56:24 GMT

Inshort, if the admin's IP address is 192.168.1.100, users other than admin is able to get the SSH and asks for the login prompt.

Re: Secure Shell configuration using local users not working for Firepower version 6.4

Marvin Rhoads — Wed, 01 Jul 2020 17:34:28 GMT

Do you mean users coming from an address other than the defined admin address(es)?

Re: Secure Shell configuration using local users not working for Firepower version 6.4

laukik.nahar1 — Thu, 02 Jul 2020 03:40:47 GMT

Yes exactly...

Re: Secure Shell configuration using local users not working for Firepower version 6.4

Marvin Rhoads — Sun, 05 Jul 2020 11:29:12 GMT

I see the problem. The Platform settings are for ssh access to the data interface(s). See the online help which tells us the following:

If you want to allow SSH connections to one or more data interfaces on the FTD device, configure Secure Shell settings. SSH is not supported to the Diagnostic logical interface. The physical management interface is shared between the Diagnostic logical interface and the Management logical interface. SSH is enabled by default on the Management logical interface; however, this screen does not affect Management SSH access.

The Management logical interface is separate from the other interfaces on the device. It is used to set up and register the device to the Firepower Management Center. SSH for data interfaces shares the internal and external user list with SSH for the Management interface. Other settings are configured separately: for data interfaces, enable SSH and access lists using this screen; SSH traffic for data interfaces uses the regular routing configuration, and not any static routes configured at setup or at the CLI.

For the Management interface, to configure an SSH access list, see the configure ssh-access-list command in the Firepower Threat Defense Command Reference. To configure a static route, see the configure network static-routes command. By default, you configure the default route through the Management interface at initial setup.

I tried the above and confirmed it works.

Re: Secure Shell configuration using local users not working for Firepower version 6.4

laukik.nahar1 — Sun, 05 Jul 2020 13:24:34 GMT

Hi Marvin,

You answer is 100% correct and its really helpful.

Below are the steps to explain it in layman's terms :
On FMC -
Go to System -> Configuration -> Access list and add the IP address(es) for SSH and HTTPS access.
On FTD -
used CLI command "configure ssh-access-list 10.10.10.10/32, 10.10.10.11/32"

Thanks,
L.