12-03-2011 04:36 PM - edited 03-11-2019 02:59 PM
If I want to configure the following for SSH:
1 - Login timeout of 60 seconds
2 - ssh authentication retries to 3
3 - ssh idle timeout of 10 minutes
On a router, this is simple:
Login timeout:
ip ssh timeout 60
auth retries:
ip ssh authentication-retries 3
idle timeout:
line vty 0 4
session-timeout 10
exec-timeout 10 0
On an ASA, I'm only finding how to set the idle timeout, and finding the auth retries via the command reference; what about the login timeout of 1 minute?
Login timeout:
???
auth retries:
I find this in the command reference documentation:
enable - 3 tries before access is denied
ssh - 3 tries before access is denied
idle timeout: (yay! can find this for telnet and console also)
ssh timeout 10
Note: I need a login timeout of 1 minute.
I was thinking of experimenting with MPF to configure this, but the description I saw of the timeouts in the MPF configuration examples was that 5 minutes was the minimum available, which wouldn't help me to have a 1 minute login timeout.
I'm specifically asking this question because I'm reviewing Firewalls versus STIG, but am not locating the settings or documentation for "login timeout" for SSH on the ASA.
Thanks for your help!
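An added example, not from this thread or from Cisco, of the kind of check a STIG review like the one described above can automate: it parses a saved running-config for the three settings listed in the question (login timeout, authentication retries, idle timeout) and reports which ones miss the thresholds. The sample configurations, the thresholds and the platform labels are assumptions; both the `ip ssh timeout` and `ip ssh time-out` spellings quoted in the thread are accepted for IOS, and for the ASA the login timeout is reported as not configurable, since the thread finds no command for it.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample configurations (not captured from real devices); they
# mirror the commands quoted in the thread.
IOS_CONFIG = """\
hostname edge-router
ip ssh time-out 60
ip ssh authentication-retries 3
line vty 0 4
 session-timeout 10
 exec-timeout 10 0
 transport input ssh
line con 0
 exec-timeout 0 0
"""

ASA_CONFIG = """\
hostname edge-asa
ssh 192.0.2.0 255.255.255.0 inside
ssh timeout 10
"""


@dataclass
class SshSettings:
    platform: str                            # "ios" or "asa" (assumed labels)
    login_timeout_s: Optional[int] = None    # seconds allowed to finish authentication
    auth_retries: Optional[int] = None       # failed attempts before the session is dropped
    idle_timeout_min: Optional[int] = None   # inactivity timeout of a logged-in session


def parse_ios(config: str) -> SshSettings:
    """Pull the SSH-related settings out of an IOS running-config."""
    s = SshSettings(platform="ios")
    in_vty = False
    for line in config.splitlines():
        stripped = line.strip()
        # 'line vty ...' opens the VTY block; any other unindented command closes it.
        if not line.startswith(" "):
            in_vty = stripped.startswith("line vty")
        m = re.fullmatch(r"ip ssh time-?out (\d+)", stripped)
        if m:
            s.login_timeout_s = int(m.group(1))
            continue
        m = re.fullmatch(r"ip ssh authentication-retries (\d+)", stripped)
        if m:
            s.auth_retries = int(m.group(1))
            continue
        if in_vty:
            # exec-timeout <minutes> [<seconds>]; "0 0" means never time out
            m = re.fullmatch(r"exec-timeout (\d+)(?: (\d+))?", stripped)
            if m:
                s.idle_timeout_min = int(m.group(1))
    return s


def parse_asa(config: str) -> SshSettings:
    """Pull the SSH-related settings out of an ASA running-config.

    As the thread observes, the ASA exposes only the idle timeout
    ('ssh timeout <minutes>'); the retry count is fixed at 3 by the platform
    and there is no command for a pre-authentication (login) timeout.
    """
    s = SshSettings(platform="asa", auth_retries=3)
    for line in config.splitlines():
        m = re.fullmatch(r"ssh timeout (\d+)", line.strip())
        if m:
            s.idle_timeout_min = int(m.group(1))
    return s


def check_ssh(s: SshSettings, max_login_s: int = 60, max_retries: int = 3,
              max_idle_min: int = 10) -> List[str]:
    """Return findings against the assumed thresholds; an empty list means all pass."""
    findings = []
    if s.login_timeout_s is None:
        if s.platform == "asa":
            findings.append("login timeout: not configurable on this platform")
        else:
            findings.append("login timeout: not set")
    elif s.login_timeout_s > max_login_s:
        findings.append(f"login timeout: {s.login_timeout_s}s exceeds {max_login_s}s")
    if s.auth_retries is None:
        findings.append("auth retries: not set")
    elif s.auth_retries > max_retries:
        findings.append(f"auth retries: {s.auth_retries} exceeds {max_retries}")
    if not s.idle_timeout_min:  # None or 0 (0 = session never times out)
        findings.append("idle timeout: not set or disabled")
    elif s.idle_timeout_min > max_idle_min:
        findings.append(f"idle timeout: {s.idle_timeout_min} min exceeds {max_idle_min} min")
    return findings


if __name__ == "__main__":
    for name, settings in (("IOS", parse_ios(IOS_CONFIG)), ("ASA", parse_asa(ASA_CONFIG))):
        findings = check_ssh(settings)
        print(name, "PASS" if not findings else "FAIL")
        for f in findings:
            print("  -", f)
```

Run against the two constructed configs, the IOS sample passes all three checks while the ASA sample passes retries and idle timeout and reports the login timeout as not configurable, which is the gap the rest of the thread discusses. Only the VTY `exec-timeout` is taken as the idle timeout; `session-timeout` on the line is left alone because it governs a different timer.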
12-03-2011 08:56 PM
Hello Lewis,
You already know how to set up the idle timeout for a SSH session, so at this moment I am 85% sure that regarding the ASAs there is no such command to configure the time-out for a ssh, telnet or console login.
Now regarding the time-out that you were going to use on the MPF, those time-outs are used to set a limit for a TCP connection on an embryonic (default 30 sec.), half-closed (default 10 minutes) and again after being on an idle (default 1 hour) state, so they are not going to work for your request.
I hope this helps you.
Please rate helpful posts.
Julio!!!
09-25-2012 07:28 AM
I know this is a very old thread but it came up first when I was searching something so I figure I might as well answer it to help people find the answer.
In global configuration the command is
ciscoasa(config)# ssh timeout (time in minutes)
11-01-2012 12:21 PM
The 'ssh timeout' command only sets the idle session timeout. The original poster wanted to know how to set the SSH login timeout to 60 seconds. That would disconnect an SSH session if the user failed to enter their password within one minute, and is not the same as an idle session timeout where a user's session who successfully logged in is disconnected due to inactivity.
Does anyone know if this is possible in the ASA? The 'set connection embryonic/half-closed/tcp' connection timeout statements would not work, as they only apply to incomplete 3-way handshakes. In the case of an SSH login timeout the TCP 3-way handshake completes successfully, but SSH authentication is not completed.
05-31-2013 07:58 AM
Yea, this isn't possible on the ASAs, at least on the version I'm running. I have the same problem as it is a DOD STIG requirement to restrict the incomplete SSH session timeout to 60 seconds or less. You can do it on routers & switches, but not on the ASAs. I had even asked TAC probably about a year ago or so.
01-04-2016 08:53 AM
Please use this command
Switch(config)# ip ssh time-out 60
01-04-2016 10:49 AM
4197886775a,
"ip ssh time-out 60"
is the syntax for setting the SSH login timeout on a device running Cisco IOS.
(It should be noted that this question is about Cisco ASA, and the original post also confirms that the command can be found for IOS, but not the ASA.)
I just checked the command reference for Cisco ASA, and still cannot locate this feature (SSH login timeout on Cisco ASA).
Thanks for trying, though.