<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Pix failover SSH key in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/pix-failover-ssh-key/m-p/158165#M708462</link>
    <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Is there a workaround with regards to being unable to SSH to the secondary pix firewall once having failed over?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Paul&lt;/P&gt;&lt;P&gt;--&lt;/P&gt;</description>
    <pubDate>Fri, 21 Feb 2020 06:25:06 GMT</pubDate>
    <dc:creator>dawsonpa</dc:creator>
    <dc:date>2020-02-21T06:25:06Z</dc:date>
    <item>
      <title>Pix failover SSH key</title>
      <link>https://community.cisco.com/t5/network-security/pix-failover-ssh-key/m-p/158165#M708462</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Is there a workaround with regards to being unable to SSH to the secondary pix firewall once having failed over?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Paul&lt;/P&gt;&lt;P&gt;--&lt;/P&gt;</description>
      <pubDate>Fri, 21 Feb 2020 06:25:06 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pix-failover-ssh-key/m-p/158165#M708462</guid>
      <dc:creator>dawsonpa</dc:creator>
      <dc:date>2020-02-21T06:25:06Z</dc:date>
    </item>
    <item>
      <title>Re: Pix failover SSH key</title>
      <link>https://community.cisco.com/t5/network-security/pix-failover-ssh-key/m-p/158166#M708474</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Paul,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt; Actually, I've wondered about this myself. On the PIX side of things, I don't think there's much that you can do. I'm not aware of a way to copy over the generated RSA keys from the Primary to the Secondary, or vice versa.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt; It all depends on your SSH client, I suppose. If you SSH to the PIX via a UN*X environment, you could remove the cached server key saved in your known_hosts file. Normally this is located under ~/.ssh/known_hosts.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt; If you use a Windows SSH client (or some other OS), you'll have to consult your client's documentation.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt; Normally there's an option you can give when starting up the SSH client to not strictly enforce host key checking, but by doing so it opens up a whole new can of worms.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt; Regards,&lt;/P&gt;&lt;P&gt;-Joshua&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 06 Dec 2002 19:47:35 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pix-failover-ssh-key/m-p/158166#M708474</guid>
      <dc:creator>dro</dc:creator>
      <dc:date>2002-12-06T19:47:35Z</dc:date>
    </item>
    <item>
      <title>Re: Pix failover SSH key</title>
      <link>https://community.cisco.com/t5/network-security/pix-failover-ssh-key/m-p/158167#M708494</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;"If you use a Windows SSH client ... " never!!! &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;&lt;P&gt;I can remove the ~/.ssh/known_hosts.&lt;/P&gt;&lt;P&gt;So let me see if I have this correct...&lt;/P&gt;&lt;P&gt;When I do a 'ca generate rsa key 1024' the failover pix will do this as well; generating its own key due to the fact that, when I pushed enter, the command was also sent over the failover cable to the secondary PIX unit?&lt;/P&gt;&lt;P&gt;and&lt;/P&gt;&lt;P&gt;When I do a 'ca save all' the secondary PIX will do the same but save the key that IT generated.&lt;/P&gt;&lt;P&gt;So I should still be able to log into the secondary pix once failed over, having to remove or edit the known_hosts file.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 06 Dec 2002 20:33:23 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pix-failover-ssh-key/m-p/158167#M708494</guid>
      <dc:creator>dawsonpa</dc:creator>
      <dc:date>2002-12-06T20:33:23Z</dc:date>
    </item>
    <item>
      <title>Re: Pix failover SSH key</title>
      <link>https://community.cisco.com/t5/network-security/pix-failover-ssh-key/m-p/158168#M708525</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt; Correct. I have to do the same process with mine. It's a bit of a pain, but hopefully your PIXes don't fail often enough that you're always editing the known_hosts file &lt;span class="lia-unicode-emoji" title=":winking_face:"&gt;😉&lt;/span&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 06 Dec 2002 20:36:54 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pix-failover-ssh-key/m-p/158168#M708525</guid>
      <dc:creator>dro</dc:creator>
      <dc:date>2002-12-06T20:36:54Z</dc:date>
    </item>
  </channel>
</rss>

