SSH Login Timeout on Cisco ASA ... Where Is It?

lewislampkin
Level 1

If I want to configure the following for SSH:

1 - Login timeout of 60 seconds

2 - ssh authentication retries to 3

3 - ssh idle timeout of 10 minutes

On a router, this is simple:

Login timeout: 

ip ssh timeout 60

auth retries:

ip ssh authentication-retries 3

idle timeout:

line vty 0 4

session-timeout 10

exec-timeout 10 0

On an ASA, I'm only finding how to set the idle timeout, and finding the auth retries via the command reference. What about the login timeout of 1 minute?

Login timeout:

???

auth retries:

I find this in the command reference documentation:

enable - 3 tries before access is denied

ssh - 3 tries before access is denied

idle timeout: (yay! can find this for telnet and console also)

ssh timeout 10

Note:  I need a login timeout of 1 minute.

I was thinking of experimenting with MPF to configure this, but the description I saw of the timeouts in the MPF configuration examples was that 5 minutes was the minimum available, which wouldn't help me get a 1 minute login timeout.

I'm specifically asking this question because I'm reviewing firewalls against the STIG, but I am not locating the settings or documentation for "login timeout" for SSH on the ASA.

Thanks for your help!
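Since the three requirements above are really an audit checklist (login timeout, auth retries, idle timeout) applied to two different CLIs, here is a small checker that parses a saved running-config and reports each value against the thresholds from the post. This is an added example, not code from the thread or from Cisco; the two config snippets are constructed, the IOS defaults it assumes when a command is absent (ip ssh time-out 120 s, authentication-retries 3, exec-timeout 10 min) and the ASA default (ssh timeout 5 min) are the documented defaults as I know them, and the field names are my own. It accepts both the `ip ssh timeout` spelling used above and the `ip ssh time-out` form. On the ASA side there is no command for the pre-authentication login timeout, so the checker reports that item as an open finding rather than silently passing it.

```python
"""Audit SSH login/retry/idle timeouts in Cisco IOS and ASA running-configs.

Added example for this thread, not Cisco code. Sample configs are constructed.
"""
import re

# Thresholds taken from the original post's requirements (STIG-style).
MAX_LOGIN_SECONDS = 60
MAX_AUTH_RETRIES = 3
MAX_IDLE_MINUTES = 10

DISABLED = float("inf")  # exec-timeout 0 0 means "never time out"

# Constructed IOS config (not from a real device).
IOS_CONFIG = """\
hostname rtr1
ip ssh time-out 60
ip ssh authentication-retries 3
line vty 0 4
 session-timeout 10
 exec-timeout 10 0
 transport input ssh
"""

# Constructed ASA config (not from a real device).
ASA_CONFIG = """\
hostname asa1
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 10
"""


def vty_idle_minutes(config):
    """Effective exec-timeout (minutes) for every 'line vty' block.

    Assumes the IOS default of 10 minutes when exec-timeout is absent.
    """
    blocks = []
    current = None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            if current is not None:
                blocks.append(current)
            current = 10.0
        elif current is not None and raw.startswith(" "):
            m = re.match(r"\s*exec-timeout (\d+)(?: (\d+))?\s*$", raw)
            if m:
                mins, secs = int(m.group(1)), int(m.group(2) or 0)
                current = DISABLED if (mins == 0 and secs == 0) else mins + secs / 60
        elif current is not None:  # left the vty block
            blocks.append(current)
            current = None
    if current is not None:
        blocks.append(current)
    return blocks


def audit_ios(config):
    """Check the three SSH settings on an IOS router/switch config."""
    m = re.search(r"^ip ssh time-?out (\d+)", config, re.M)
    login = int(m.group(1)) if m else 120        # assumed IOS default: 120 s
    m = re.search(r"^ip ssh authentication-retries (\d+)", config, re.M)
    retries = int(m.group(1)) if m else 3        # assumed IOS default: 3
    blocks = vty_idle_minutes(config)
    idle = max(blocks) if blocks else 10.0       # worst vty line counts
    issues = []
    if login > MAX_LOGIN_SECONDS:
        issues.append(f"ip ssh time-out {login}s exceeds {MAX_LOGIN_SECONDS}s")
    if retries > MAX_AUTH_RETRIES:
        issues.append(f"ip ssh authentication-retries {retries} exceeds {MAX_AUTH_RETRIES}")
    if idle > MAX_IDLE_MINUTES:
        issues.append(f"vty exec-timeout disabled or above {MAX_IDLE_MINUTES} min")
    return {"login_timeout_s": login, "auth_retries": retries,
            "idle_timeout_min": idle, "issues": issues, "ok": not issues}


def audit_asa(config):
    """Check what the ASA CLI can express; flag the login timeout as open."""
    m = re.search(r"^ssh timeout (\d+)", config, re.M)
    idle = int(m.group(1)) if m else 5           # assumed ASA default: 5 min
    issues = []
    if idle > MAX_IDLE_MINUTES:
        issues.append(f"ssh timeout {idle} min exceeds {MAX_IDLE_MINUTES} min")
    # Per the thread: no ASA command sets a pre-authentication SSH login timeout,
    # and SSH retries are fixed at 3 by the platform.
    open_items = ["SSH login timeout not configurable on ASA; document as open finding"]
    return {"login_timeout_s": None, "auth_retries": 3,
            "idle_timeout_min": idle, "issues": issues,
            "open": open_items, "ok": not issues}


if __name__ == "__main__":
    for name, result in (("IOS", audit_ios(IOS_CONFIG)), ("ASA", audit_asa(ASA_CONFIG))):
        print(name, "PASS" if result["ok"] else "FAIL", result)
```

Feed it `show running-config` output saved to a file for each device type; the "open" list on the ASA result is the item to carry into the STIG review as a documented deviation, since it cannot be closed by configuration.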

1 Accepted Solution

Accepted Solutions

Julio Carvajal
VIP Alumni

Hello Lewis,

You already know how to set up the idle timeout for an SSH session, so at this moment I am 85% sure that on the ASAs there is no such command to configure the timeout for an SSH, telnet or console login.

Now regarding the timeouts that you were going to use in the MPF, those timeouts are used to set a limit on a TCP connection in the embryonic state (default 30 sec.), the half-closed state (default 10 minutes) and again in the idle state (default 1 hour), so they are not going to work for your request.

I hope this helps you.

Please rate helpful posts.

Julio!!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

6 Replies

jamesdborden
Level 1

I know this is a very old thread but it came up first when I was searching something so I figure I might as well answer it to help people find the answer.

In global configuration the command is

ciscoasa(config)# ssh timeout (time in minutes)

The 'ssh timeout' command only sets the idle session timeout. The original poster wanted to know how to set the SSH login timeout to 60 seconds. That would disconnect an SSH session if the user failed to enter their password within one minute, and is not the same as an idle session timeout, where the session of a user who successfully logged in is disconnected due to inactivity.

Does anyone know if this is possible in the ASA? The 'set connection embryonic/half-closed/tcp' connection timeout statements would not work, as they only apply to incomplete 3-way handshakes. In the case of an SSH login timeout the TCP 3-way handshake completes successfully, but SSH authentication is not completed.

Yeah, this isn't possible on the ASAs, at least on the version I'm running. I have the same problem, as it is a DoD STIG requirement to restrict the incomplete SSH session timeout to 60 seconds or less. You can do it on routers and switches, but not on the ASAs. I had even asked TAC probably about a year ago or so.

4197886775a
Level 1

Please use this command

Switch(config)# ip ssh time-out 60

4197886775a,

"ip ssh time-out 60"

is the syntax for setting the SSH login timeout on a device running Cisco IOS.

(It should be noted that this question is about Cisco ASA, and the original post also confirms that the command can be found for IOS, but not the ASA.)

I just checked the command reference for Cisco ASA, and still cannot locate this feature (SSH login timeout on Cisco ASA).

Thanks for trying, though.
