topic Re: Disable default "pix" account on PIX Firewall in Network Security

Disable default "pix" account on PIX Firewall

matt.austin — Fri, 21 Feb 2020 08:06:16 GMT

Can anyone tell me how to go about removing or disabling the default "pix" account that is hidden and on the PIX device?

Re: Disable default "pix" account on PIX Firewall

nkhawaja — Mon, 25 Apr 2005 18:22:40 GMT

not sure on this, but you can turn on AAA and use ACS or other AAA server or local user database

Re: Disable default "pix" account on PIX Firewall

bphan — Tue, 26 Apr 2005 06:43:11 GMT

To add to what Nadeem said, when you use AAA authentication, whether with local or remote auth protocol (RAIDIUS/TACACS+) as your authentication for ssh authentication, it overwrites the default 'pix'/enable password authentication.

In other words, with

aaa authentication console ssh LOCAL

aaa authentication console ssh

You would be still be prompted for username/password but you will enter your the username on local PIX or RADIUS/TACACS+ database and password to login via SSH.

Hope that helps.

Thanks,

Binh

Re: Disable default "pix" account on PIX Firewall

matt.austin — Tue, 26 Apr 2005 10:57:15 GMT

Well, I have enabled SSH on the outside interface, but if someone were to know our passwords, they would still be able to login with the ID of pix, with whatever we were to set our password to. The thing is, I would like to set that id to a priv. level that enables it to do nothing, basically, but since the ID is hidden, I can't do that either, unless I use AAA, which I don't want to on our Security equipment, as too many people have admin access to the ACS, and have the ability to alter the NAR's if they want. I am going to see about opening a TAC case on this. I appreciate your "fix", as I know it will work for this, but it is just something that I am not wanting to use in this particular case! I'll post if I hear any other information from TAC.

Re: Disable default "pix" account on PIX Firewall

pkapoor — Tue, 26 Apr 2005 12:49:11 GMT

No way to get rid of the "pix" default account.

Re: Disable default "pix" account on PIX Firewall

pkapoor — Tue, 26 Apr 2005 12:49:53 GMT

No way to get rid of the "pix" default account (unless Cisco has come up with something on 7.x OS version).

Re: Disable default "pix" account on PIX Firewall

matt.austin — Tue, 26 Apr 2005 15:42:13 GMT

Kind of what I was thinking, especially since it isn't documented anywhere. I opened a TAC case, so I will post what they state.

Thanks,

Matt

Re: Disable default "pix" account on PIX Firewall

pkapoor — Tue, 26 Apr 2005 16:39:38 GMT

They will give you the same answer. But if any different, please let us know.

(I used to work at Cisco TAC - PIX Firewalls & VPN)

Re: Disable default "pix" account on PIX Firewall

matt.austin — Tue, 26 Apr 2005 19:23:01 GMT

Well, here is the official word from Cisco TAC:

The only way to "disable" the default ssh username "pix" is to enable aaa authentication using either a radius or tacacs+ server. Then as long as the server is reachable and working the "pix" username will not work.

However, if the server is not available then you will be able to revert to the standy of "username pix" and the enable password (instead of the telnet password).

There is no way to completely disable the pix username account for SSH.