31 July 2011
Posted By: Gom Jabbar
Cisco ASA Device Management – SSH Version 1

The Cisco ASA supports both SSH version 1 and SSH version 2. By default, both versions are enabled on the ASA, as seen with a show ssh command:

ciscoasa(config)# sh ssh
Timeout: 5 minutes
Versions allowed: 1 and 2
ciscoasa(config)#

To view the SSH messages sent between the SSH client and the ASA (which is acting as the SSH server), use the debug ssh command:

ciscoasa(config)# debug ssh
debug ssh  enabled at level 1

SSH-1 Session Establishment:

The SSH client and the SSH server (the Cisco ASA) start off their SSH communications by establishing a secure connection. This includes the client and server agreeing on an encryption algorithm, and then generating a secret session key. The steps involved in SSH-1 connection establishment:

  1. The SSH-1 client sends a connection request to the SSH server (on TCP port 22 by default).
  2. The client and server tell each other which versions of SSH they support (in the form of ASCII strings).
  3. The server identifies itself and sends the client some session parameters. The server tells the client:
    • Its host key, which the client needs to accept (and thereby verify the server’s identity) in order for the communications to continue. If the client already has the server in its known hosts database, the client will not be prompted to verify the host key.
    • Its server key, which is a temporary, asymmetric key used to establish the secure connection. It provides Perfect Forward Secrecy for the SSH-1 session. Perfect Forward Secrecy means there are no persistent keys whose disclosure can jeopardize the secrecy of past or future SSH sessions.
    • Check bytes, which are an 8-byte-long random sequence. This protects against IP spoofing attacks because the client must include these check bytes in its next response to the server.
    • A list of the encryption, compression, and authentication methods that the server supports.
  4. The client generates a session key for bulk cipher. This is a randomly generated, symmetric key for encrypting and decrypting the messages sent between the SSH client and server during this session.
  5. The client encrypts the session key twice: once with the server’s host key, and once with the server key. This ensures that only the server can decrypt it.
  6. The client sends the twice-encrypted session key to the server.
  7. The client and the server begin encrypted communications using the session key and the selected bulk cipher.
  8. The server sends the client a confirmation message that is encrypted with the session key, proving that it is the correct server, because it is the only one who could have decrypted the session key sent by the client in Step 6.
  9. The secure connection is established.
  10. Now it’s the client’s turn to authenticate (e.g. with the SSH password or the AAA user credentials that have been configured on the ASA).
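The ten steps above, played out end to end as an added, constructed example (this is not Cisco ASA or PuTTY code, and it is not the real SSH-1 wire format). The Ssh1Server class plays the ASA, ssh1_client plays the client, and the known_hosts mapping and "ciscoasa" name are assumptions for the host-key check in step 3. To keep it self-contained it uses textbook RSA without padding on toy 512-bit host and 384-bit server keys, a SHA-256 session id where SSH-1 used MD5, and an HMAC keystream in place of 3DES; what it preserves is the sequence: host key and temporary server key, check bytes echoed back, session key encrypted with the smaller key and then the larger, and a confirmation that only the holder of both private keys can produce.

```python
# Constructed walk-through of the SSH-1 session-key exchange (not Cisco ASA or PuTTY code):
# textbook RSA without padding, toy 512/384-bit keys, SHA-256 session id (SSH-1 used MD5)
# and an HMAC keystream instead of 3DES. The step order is SSH-1's; the wire format is not.
import hashlib
import hmac
import random

E = 65537  # public exponent for both toy RSA keys

def is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin primality test, enough for toy key generation."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_rsa_key(bits, rng):
    """Toy RSA key of about `bits` bits: returns (n, d). SSH-1 used 1024-bit host and 768-bit server keys."""
    def prime(b):
        while True:
            c = rng.getrandbits(b) | (1 << (b - 1)) | 1
            if is_probable_prime(c, rng):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % E:  # E is prime, so this is gcd(E, phi) == 1
            return p * q, pow(E, -1, phi)

def int_bytes(x):
    return x.to_bytes((x.bit_length() + 7) // 8, "big")

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def session_id(host_n, server_n, check_bytes):
    """Both sides derive the session id from the two public moduli and the check bytes."""
    return hashlib.sha256(int_bytes(host_n) + int_bytes(server_n) + check_bytes).digest()

def bulk_cipher(key, data):
    """Toy symmetric cipher (HMAC-SHA256 counter keystream); XOR both encrypts and decrypts."""
    out = b""
    for i in range(0, len(data), 32):
        out += xor(data[i:i + 32], hmac.new(key, i.to_bytes(4, "big"), "sha256").digest())
    return out

class Ssh1Server:
    """The ASA side: a long-lived host key plus a fresh server key per session."""
    CIPHERS = ("3DES", "Blowfish")

    def __init__(self, rng):
        self.rng = rng
        self.host_n, self.host_d = gen_rsa_key(512, rng)  # host key: the identity clients pin

    def public_key_msg(self):
        """Step 3, SSH_SMSG_PUBLIC_KEY: temporary server key (forward secrecy), check bytes, host key, ciphers."""
        self.server_n, self.server_d = gen_rsa_key(384, self.rng)
        self.check_bytes = self.rng.getrandbits(64).to_bytes(8, "big")
        return {"host_n": self.host_n, "server_n": self.server_n,
                "check_bytes": self.check_bytes, "ciphers": self.CIPHERS}

    def session_key_msg(self, msg):
        """Steps 6-8: check the echoed check bytes, unwrap the session key, answer under it."""
        if not hmac.compare_digest(msg["check_bytes"], self.check_bytes):
            raise ValueError("check bytes mismatch: reply was not built for this exchange")
        if msg["cipher"] not in self.CIPHERS:
            raise ValueError("client picked a cipher we did not offer")
        # The client wrapped with the smaller (server) key first, then the host key: unwrap in reverse.
        inner = pow(msg["enc_session_key"], self.host_d, self.host_n)
        masked = pow(inner, self.server_d, self.server_n).to_bytes(32, "big")
        self.session_key = xor(masked, session_id(self.host_n, self.server_n, self.check_bytes))
        # Only the holder of both private keys reaches this point, so this proves the server's identity.
        return bulk_cipher(self.session_key, b"SSH_SMSG_SUCCESS")

def ssh1_client(server, rng, known_hosts, name="ciscoasa"):
    """Client side of steps 1-9; known_hosts maps a server name to its pinned host-key fingerprint."""
    pk = server.public_key_msg()                                    # steps 1-3
    fingerprint = hashlib.sha256(int_bytes(pk["host_n"])).hexdigest()
    pinned = known_hosts.get(name)
    if pinned is not None and pinned != fingerprint:                # known-hosts check
        raise ValueError("host key changed for %s: refusing to continue" % name)
    sid = session_id(pk["host_n"], pk["server_n"], pk["check_bytes"])
    session_key = rng.getrandbits(256).to_bytes(32, "big")          # step 4: random 256-bit bulk key
    masked = int.from_bytes(xor(session_key, sid), "big")           # SSH-1 XORs the key with the session id
    small, large = sorted((pk["server_n"], pk["host_n"]))           # step 5: smaller key first, then larger
    enc = pow(pow(masked, E, small), E, large)
    confirm = server.session_key_msg({"cipher": "3DES", "check_bytes": pk["check_bytes"],
                                      "enc_session_key": enc})      # steps 6-8
    return {"fingerprint": fingerprint, "first_contact": pinned is None, "cipher": "3DES",
            "server_verified": bulk_cipher(session_key, confirm) == b"SSH_SMSG_SUCCESS",
            "session_key": session_key}                             # step 9: secure channel up

def demo(seed=2011):
    """Two sessions to the same ASA: first contact, then with the host key pinned."""
    rng = random.Random(seed)
    asa = Ssh1Server(rng)
    first = ssh1_client(asa, rng, {})
    second = ssh1_client(asa, rng, {"ciscoasa": first["fingerprint"]})
    return asa, first, second

if __name__ == "__main__":
    asa, first, second = demo()
    print(first["fingerprint"], first["server_verified"], second["server_verified"])
```

Running demo() shows the two properties the list is about: the host-key fingerprint is the same in both sessions (that is what a known-hosts entry pins), while the server key and therefore the session key differ every time, which is the forward secrecy the server key provides. A reply carrying stale check bytes is rejected before any decryption happens.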

Debugging SSH:

On my pet ASA, I enabled SSH connections from 11.11.11.2 on the outside interface. I also told my ASA to use only SSH-1 by using the ssh version 1 command. I set up SSH to use AAA for user authentication by using the aaa authentication console command. The following is the console output when an SSH-1 client connects from the IP address 11.11.11.2.

ciscoasa(config)# Device ssh opened successfully.
SSH0: SSH client: IP = '11.11.11.2'  interface # = 2
SSH: host key initialised
SSH0: starting SSH control process
SSH0: Exchanging versions - SSH-1.5-Cisco-1.25

SSH0: send SSH message: outdata is NULL

server version string:SSH-1.5-Cisco-1.25SSH0: receive SSH message: 83 (83)
SSH0: client version is - SSH-1.5-PuTTY_Release_0.60

client version string:SSH-1.5-PuTTY_Release_0.60SSH0: begin server key generation
SSH0: complete server key generation, elapsed time = 1240 ms
SSH0: declare what cipher(s) we support:
00  0x00  0x00  0x0c  0xSSH0: send SSH message: SSH_SMSG_PUBLIC_KEY (2)
SSH0: SSH_SMSG_PUBLIC_KEY message sent
SSH0: receive SSH message: SSH_CMSG_SESSION_KEY (3)
SSH0: SSH_CMSG_SESSION_KEY message received - msg type 0x03, length 144
SSH0: client requests 3DES cipher: 3
SSH: scb created 0x6a75f79, size 4
SSH0: send SSH message: SSH_SMSG_SUCCESS (14)
SSH0: keys exchanged and encryption on
SSH: Installing crc compensation attack detector.
SSH0: receive SSH message: SSH_CMSG_USER (4)
SSH0: authentication request for userid duncan
SSH(duncan): user authen method is 'use AAA', aaa server group ID = 1
SSH0: send SSH message: SSH_SMSG_FAILURE (15)
SSH0: receive SSH message: SSH_CMSG_AUTH_PASSWORD (9)
SSH0: send SSH message: SSH_SMSG_SUCCESS (14)
SSH0: authentication successful for duncan
SSH0: receive SSH message: SSH_CMSG_REQUEST_PTY (10)
SSH0: send SSH message: SSH_SMSG_SUCCESS (14)
SSH0: receive SSH message: SSH_CMSG_EXEC_SHELL (12)
SSH0: starting exec shell
SSH0: send SSH message: SSH_SMSG_EXITSTATUS (20)
SSH0: receive SSH message: SSH_CMSG_EXIT_CONFIRMATION (33)

SSH0: Session terminated normally

You can see the client and the ASA exchanging their version strings, the ASA generating its temporary server key, the ASA sending its host key and server key (SSH_SMSG_PUBLIC_KEY), the client sending back the encrypted session key and its choice of the 3DES cipher (SSH_CMSG_SESSION_KEY), the SSH client authenticating as user “duncan” via AAA, and finally, the SSH session being terminated.
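As an added example (not from the post or from Cisco), here is a small parser that turns the two kinds of output shown above, show ssh and debug ssh, into a session record a defender can act on: who connected, which protocol version and cipher were negotiated, which user authenticated and how, and whether SSH-1 is still allowed on the box. The sample text is copied (abridged) from the console output in this post; the regular expressions are read off those lines and are assumptions about the message formats, not a documented ASA log schema. The remediation it suggests, ssh version 2, is the SSH-2-only counterpart of the ssh version 1 command used above.

```python
# Constructed example: summarise Cisco ASA `show ssh` and `debug ssh` output (not Cisco code).
import re

# Copied from the post's console output (abridged). The patterns further down are derived
# from these lines and are assumptions, not a documented ASA log format.
SHOW_SSH_SAMPLE = """\
Timeout: 5 minutes
Versions allowed: 1 and 2
"""
DEBUG_SSH_SAMPLE = """\
SSH0: SSH client: IP = '11.11.11.2'  interface # = 2
SSH0: Exchanging versions - SSH-1.5-Cisco-1.25
SSH0: client version is - SSH-1.5-PuTTY_Release_0.60
SSH0: complete server key generation, elapsed time = 1240 ms
SSH0: send SSH message: SSH_SMSG_PUBLIC_KEY (2)
SSH0: receive SSH message: SSH_CMSG_SESSION_KEY (3)
SSH0: client requests 3DES cipher: 3
SSH0: keys exchanged and encryption on
SSH: Installing crc compensation attack detector.
SSH0: receive SSH message: SSH_CMSG_USER (4)
SSH0: authentication request for userid duncan
SSH(duncan): user authen method is 'use AAA', aaa server group ID = 1
SSH0: send SSH message: SSH_SMSG_FAILURE (15)
SSH0: receive SSH message: SSH_CMSG_AUTH_PASSWORD (9)
SSH0: send SSH message: SSH_SMSG_SUCCESS (14)
SSH0: authentication successful for duncan
SSH0: Session terminated normally
"""

def parse_show_ssh(text):
    """Timeout and allowed protocol versions from `show ssh`."""
    info = {"timeout_minutes": None, "versions": set()}
    for line in text.splitlines():
        m = re.match(r"Timeout:\s+(\d+)\s+minutes", line)
        if m:
            info["timeout_minutes"] = int(m.group(1))
        m = re.match(r"Versions allowed:\s+(.+)", line)
        if m:
            info["versions"] = {int(v) for v in re.findall(r"\d+", m.group(1))}
    return info

FIELDS = {  # first match wins for each field
    "client_ip": r"SSH client: IP = '([^']+)'",
    "server_version": r"Exchanging versions - (\S+)",
    "client_version": r"client version is - (\S+)",
    "server_key_ms": r"server key generation, elapsed time = (\d+) ms",
    "cipher": r"client requests (\S+) cipher",
    "user": r"authentication request for userid (\S+)",
    "auth_method": r"user authen method is '([^']+)'",
}

def parse_debug_ssh(text):
    """One session's worth of `debug ssh` lines -> a flat record plus the message sequence."""
    s = dict.fromkeys(FIELDS)
    s.update(messages=[], auth_success=False, terminated_normally=False)
    for line in text.splitlines():
        for field, pat in FIELDS.items():
            m = re.search(pat, line)
            if m and s[field] is None:
                s[field] = m.group(1)
        m = re.search(r"(send|receive) SSH message: (SSH_[A-Z_]+) \((\d+)\)", line)
        if m:
            s["messages"].append((m.group(1), m.group(2), int(m.group(3))))
        # In SSH-1 an SSH_SMSG_FAILURE answering SSH_CMSG_USER only means "authentication
        # required", so success is keyed on the explicit "authentication successful" line.
        s["auth_success"] |= "authentication successful for" in line
        s["terminated_normally"] |= "Session terminated normally" in line
    if s["server_key_ms"] is not None:
        s["server_key_ms"] = int(s["server_key_ms"])
    return s

def protocol_version(version_string):
    """'SSH-1.5-PuTTY_Release_0.60' -> '1.5'; None if this is not an SSH version string."""
    m = re.match(r"SSH-(\d+\.\d+)-", version_string or "")
    return m.group(1) if m else None

def findings(show, session):
    """Defender's checks: is SSH-1 still allowed, and did this session actually use it?"""
    out = []
    if 1 in show["versions"]:
        out.append("SSH-1 is allowed on the ASA; restrict to SSH-2 with `ssh version 2`")
    if protocol_version(session["client_version"]) in ("1.3", "1.5"):
        out.append("session from %s negotiated SSH-1 (%s) with cipher %s"
                   % (session["client_ip"], session["client_version"], session["cipher"]))
    return out

if __name__ == "__main__":
    show, sess = parse_show_ssh(SHOW_SSH_SAMPLE), parse_debug_ssh(DEBUG_SSH_SAMPLE)
    print(sess["client_ip"], sess["user"], sess["auth_method"], sess["auth_success"])
    for f in findings(show, sess):
        print("FINDING:", f)
```

On the post's own output this yields two findings: the default "Versions allowed: 1 and 2", and a session from 11.11.11.2 that negotiated SSH-1.5 with 3DES. The "crc compensation attack detector" line in the debug is the ASA's own hint about why SSH-1 sessions are worth flagging; the ordered messages list is also a convenient way to spot sessions that never reached SSH_CMSG_EXEC_SHELL.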

Additional Information:

debug ssh command in the Cisco ASA 8.4 Command Reference.

ssh command in the Cisco ASA 8.4 Command Reference.

show ssh command in the Cisco ASA 8.4 Command Reference.

show run command in the Cisco ASA 8.4 Command Reference.

aaa authentication console command in the Cisco ASA 8.4 Command Reference.

username command in the Cisco ASA 8.4 Command Reference.