12-06-2002 11:18 AM - edited 02-20-2020 10:25 PM
Hello,
Is there a workaround with regards to being unable to SSH to the secondary pix firewall once having failed over?
Thanks,
Paul
--
12-06-2002 11:47 AM
Hi Paul,
Actually, I've wondered about this myself. On the PIX side of things, I don't think there's much that you can do. I'm not aware of a way to copy over the generated RSA keys from the Primary to the Secondary, or vice versa.
It all depends on your SSH client, I suppose. If you SSH to the PIX via a UN*X environment, you could remove the cached server key saved in your known_hosts file. Normally this is located under ~/.ssh/known_hosts.
If you use a Windows SSH client (or some other OS), you'll have to consult your client's documentation.
Normally there's an option you can give when starting up the SSH client to not strictly enforce host key checking, but by doing so it opens up a whole new can of worms.
Regards,
-Joshua
12-06-2002 12:33 PM
"If you use a Windows SSH client ... " never!!! :-)
I can remove the ~/.ssh/known_hosts.
So let me see if I have this correct...
When I do a 'ca generate rsa key 1024' the failover pix will do this as well; generating its own key due to the fact that, when I pushed enter, the command was also sent over the failover cable to the secondary PIX unit?
and
When I do a 'ca save all' the secondary PIX will do the same but save the key that IT generated.
So I should still be able to log into the secondary pix once failed over, having to remove or edit the known_hosts file.
12-06-2002 12:36 PM
Correct. I have to do the same process with mine. It's a bit of a pain, but hopefully your PIXes don't fail often enough that you're always editing the known_hosts file ;-)
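Rather than deleting the whole ~/.ssh/known_hosts file (which throws away every other verified host key) or turning off strict host key checking, a safer cleanup removes only the entries for the firewall's address, including OpenSSH's hashed `|1|...` entries. The following is an added example, not code from the thread; the known_hosts contents, the 192.0.2.1 address and the key strings are constructed placeholders.

```python
import base64
import hashlib
import hmac


def hashed_host_token(host: str, salt: bytes) -> str:
    """Build an OpenSSH hashed-hostname token: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(digest).decode()


def host_field_matches(field: str, host: str) -> bool:
    """True if a known_hosts host field (plain, comma-separated, or hashed) names `host`."""
    if field.startswith("|1|"):
        try:
            _, _, salt_b64, digest_b64 = field.split("|")
        except ValueError:  # malformed hashed token: never treat it as a match
            return False
        salt = base64.b64decode(salt_b64)
        expected = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(digest_b64))
    return host in field.split(",")


def drop_stale_host(known_hosts_text: str, host: str):
    """Return (kept_text, removed_lines): every entry for `host` removed, all others untouched."""
    kept, removed = [], []
    for line in known_hosts_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            kept.append(line)  # comments and blank lines are preserved as-is
            continue
        parts = stripped.split()
        # @cert-authority / @revoked markers put the host in the second field
        host_field = parts[1] if parts[0].startswith("@") and len(parts) > 1 else parts[0]
        (removed if host_field_matches(host_field, host) else kept).append(line)
    return "\n".join(kept) + ("\n" if kept else ""), removed


# Constructed sample data (assumption): a fixed salt instead of OpenSSH's 20 random bytes,
# placeholder key material, and one unrelated bastion entry that must survive the cleanup.
PIX = "192.0.2.1"
SALT = b"\x01" * 20
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample, not a real known_hosts file",
    f"{PIX} ssh-rsa AAAAB3NzaC1yc2E-PLACEHOLDER-PRIMARY-PIX-KEY",
    f"{hashed_host_token(PIX, SALT)} ssh-rsa AAAAB3NzaC1yc2E-PLACEHOLDER-PRIMARY-PIX-KEY",
    "bastion.example.net,198.51.100.7 ssh-rsa AAAAB3NzaC1yc2E-PLACEHOLDER-BASTION-KEY",
]) + "\n"

if __name__ == "__main__":
    new_text, gone = drop_stale_host(SAMPLE_KNOWN_HOSTS, PIX)
    print(f"removed {len(gone)} stale entries for {PIX}; remaining file:\n{new_text}")
```

With OpenSSH, `ssh-keygen -R 192.0.2.1` performs the same targeted removal (hashed entries included), after which the next connection prompts you to verify the secondary unit's fingerprint out of band before accepting it.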