04-25-2005 05:24 AM - edited 02-21-2020 12:06 AM
Can anyone tell me how to go about removing or disabling the default "pix" account that is hidden and on the PIX device?
04-25-2005 11:22 AM
Not sure on this, but you can turn on AAA and use ACS or another AAA server, or the local user database.
04-25-2005 11:43 PM
To add to what Nadeem said, when you use AAA authentication, whether with local or remote authentication (RADIUS/TACACS+) for SSH, it overwrites the default 'pix'/enable password authentication.
In other words, with
aaa authentication ssh console LOCAL
or
aaa authentication ssh console <aaa_server_tag>
you would still be prompted for a username/password, but you would enter the username and password from the local PIX or RADIUS/TACACS+ database to log in via SSH.
Hope that helps.
Thanks,
Binh
04-26-2005 03:57 AM
Well, I have enabled SSH on the outside interface, but if someone were to know our passwords, they would still be able to log in with the ID of pix, with whatever we were to set our password to. The thing is, I would like to set that ID to a priv. level that enables it to do nothing, basically, but since the ID is hidden, I can't do that either, unless I use AAA, which I don't want to on our security equipment, as too many people have admin access to the ACS and have the ability to alter the NARs if they want. I am going to see about opening a TAC case on this. I appreciate your "fix", as I know it will work for this, but it is just something that I am not wanting to use in this particular case! I'll post if I hear any other information from TAC.
04-26-2005 05:49 AM
No way to get rid of the "pix" default account (unless Cisco has come up with something on 7.x OS version).
04-26-2005 08:42 AM
Kind of what I was thinking, especially since it isn't documented anywhere. I opened a TAC case, so I will post what they state.
Thanks,
Matt
04-26-2005 09:39 AM
They will give you the same answer. But if any different, please let us know.
(I used to work at Cisco TAC - PIX Firewalls & VPN)
04-26-2005 12:23 PM
Well, here is the official word from Cisco TAC:
The only way to "disable" the default SSH username "pix" is to enable AAA authentication using either a RADIUS or TACACS+ server. Then, as long as the server is reachable and working, the "pix" username will not work.
However, if the server is not available, then you will be able to revert to the standby of "username pix" and the enable password (instead of the telnet password).
There is no way to completely disable the pix username account for SSH.
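The two points above, Binh's note that "aaa authentication ssh console" replaces the 'pix' login and TAC's caveat that the 'pix' username plus the enable password comes back whenever the AAA server is unreachable, are easy to check for in a saved running-config. The following audit script is an added example for this thread, not code from Cisco or from any poster. It assumes PIX 6.x-style syntax ("aaa authentication ssh console <tag>" and "ssh <ip> <mask> <interface>"), reads only the first server tag on the AAA line, and uses three constructed config fragments (hostnames, addresses, keys and hashes are made up) as sample input.

```python
import re
from typing import Dict, List, Optional

# Constructed sample running-config fragments (assumptions for this example,
# not taken from the thread or from a real device).
PIX_NO_AAA = """\
hostname pixfw
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
ssh 203.0.113.10 255.255.255.255 outside
ssh timeout 5
"""

PIX_REMOTE_AAA = """\
hostname pixfw
enable password 8Ry2YjIyt7RRXU24 encrypted
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.1.1.5 s3cretkey timeout 5
aaa authentication ssh console TACACS+
ssh 203.0.113.10 255.255.255.255 outside
ssh timeout 5
"""

PIX_LOCAL_AAA = """\
hostname pixfw
username fwadmin password 2KFQnbNIdI.2KYOU encrypted privilege 15
aaa authentication ssh console LOCAL
ssh 10.1.1.0 255.255.255.0 inside
"""

# ssh <ip> <mask> <interface>  (three tokens, so "ssh timeout 5" does not match)
SSH_ACCESS_RE = re.compile(r"^ssh (\S+) (\S+) (\S+)$")
# aaa authentication ssh console <server_tag> [...]  (PIX 6.x syntax; first tag only)
AAA_SSH_RE = re.compile(r"^aaa authentication ssh console (\S+)")


def audit_pix_ssh(config: str) -> Dict[str, object]:
    """Classify how the built-in 'pix' SSH login can be used, given a PIX config."""
    ssh_ifaces: List[str] = []
    aaa_tag: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if (m := SSH_ACCESS_RE.match(line)):
            ssh_ifaces.append(m.group(3))
        elif (m := AAA_SSH_RE.match(line)):
            aaa_tag = m.group(1)

    findings: List[str] = []
    if not ssh_ifaces:
        exposure = "no_ssh"
    elif aaa_tag is None:
        # No AAA: SSH takes user 'pix' with the telnet (passwd) password.
        exposure = "default_pix_account"
        findings.append("SSH accepts user 'pix' with the telnet password on: "
                        + ", ".join(ssh_ifaces))
    elif aaa_tag.upper() == "LOCAL":
        exposure = "local_aaa"
        findings.append("SSH logins use local usernames; 'pix' is no longer the login name")
    else:
        # Remote server: 'pix' is unusable only while the server answers (per TAC).
        exposure = "remote_aaa_with_fallback"
        findings.append(f"SSH logins are authenticated by AAA server group '{aaa_tag}'")
        findings.append("If that server group is unreachable, login falls back to "
                        "'pix' with the enable password")
    if "outside" in ssh_ifaces:
        findings.append("SSH is permitted on the outside interface, so any fallback "
                        "path is reachable from outside")
    return {"ssh_interfaces": ssh_ifaces, "aaa_server_tag": aaa_tag,
            "exposure": exposure, "findings": findings}


if __name__ == "__main__":
    for name, cfg in (("no AAA", PIX_NO_AAA), ("remote AAA", PIX_REMOTE_AAA),
                      ("local AAA", PIX_LOCAL_AAA)):
        result = audit_pix_ssh(cfg)
        print(f"[{name}] exposure={result['exposure']}")
        for f in result["findings"]:
            print("   -", f)
```

Feed it "show running-config" output; the "remote_aaa_with_fallback" result is the case TAC describes, where the only remaining control over the hidden account is the strength of the enable password and where SSH is permitted from.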