03-07-2007 06:58 AM - edited 02-21-2020 10:17 AM
I'm looking to set up passwordless SSH authentication so a Solaris client can run a script to log on to a PIX and retrieve the configuration.
Has anyone succesfully achieved passwordless SSH authentication on a PIX or know whether the device supports it or not?
Many Thanks, Dom
Solved! Go to Solution.
03-07-2007 07:21 AM
that is vaguely correct.
here are the details :
Security506E-6.x(config)# sh aaa
aaa proxy-limit 16
aaa authentication ssh console SecurityACS1111 LOCAL
aaa authentication http console SecurityACS1111 LOCAL
aaa authentication telnet console SecurityACS1111 LOCAL
aaa authentication enable console SecurityACS1111 LOCAL
aaa authorization command LOCAL
now,if you have configured aaa on the pix and specified a aaa server for the authentication purpose when ssh is done ""aaa authentication ssh console SecurityACS1111 LOCAL ".....then the username and passwords from the aaa server database need to be provided when ssh is done.
if you have specified LOCAL as the authentication method,then the username and password database configured in the firewall's configuration will be used for the authentication purpose.
if you have n't spoecified " ssh " under " sh aaa " command output ,then the default settings are used.
dafault settings :
username : pix
telnet password: whatever password you have set using the command :
password
enable password :
whatever password you have set using :
enable password
please rate if this helps!!
Sushil
cisco tac.
03-07-2007 07:07 AM
hi d,
i am not sure but i think it's not possible.
when you do "ssh " to the firewall,you need to provide the telnet password first and then at the enable prompt,the enable password.
now,you can set the enable password to be blank by putting the command :
pix(config)#enable password
but as far as telnet password is concerned,by default it's " cisco " and there's no way that we could remove this.
there should be a telnet password in the firewall.
so,if the script gives you the option to setup a password,you could retrieve the configuration.
please rate if this helps!!
Sushil
Cisco TAC.
03-07-2007 07:14 AM
Thanks for that Sushil.
So the telnet password is the same one that is used for SSH authentication?
03-07-2007 07:21 AM
that is vaguely correct.
here are the details :
Security506E-6.x(config)# sh aaa
aaa proxy-limit 16
aaa authentication ssh console SecurityACS1111 LOCAL
aaa authentication http console SecurityACS1111 LOCAL
aaa authentication telnet console SecurityACS1111 LOCAL
aaa authentication enable console SecurityACS1111 LOCAL
aaa authorization command LOCAL
now,if you have configured aaa on the pix and specified a aaa server for the authentication purpose when ssh is done ""aaa authentication ssh console SecurityACS1111 LOCAL ".....then the username and passwords from the aaa server database need to be provided when ssh is done.
if you have specified LOCAL as the authentication method,then the username and password database configured in the firewall's configuration will be used for the authentication purpose.
if you have n't spoecified " ssh " under " sh aaa " command output ,then the default settings are used.
dafault settings :
username : pix
telnet password: whatever password you have set using the command :
password
enable password :
whatever password you have set using :
enable password
please rate if this helps!!
Sushil
cisco tac.
03-07-2007 07:47 AM
Thanks for that Sushil =]
03-07-2007 08:02 AM
no problem D.
Pleasure is all mine
Have a good day.
05-15-2020 06:13 PM
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: