The Cisco ASA supports both SSH version 1 and SSH version 2. By default, both versions are enabled on the ASA, as seen with a show ssh command:
ciscoasa(config)# sh ssh Timeout: 5 minutes Versions allowed: 1 and 2 ciscoasa(config)#
To view the SSH messages sent between the SSH client and the ASA (which is acting as the SSH server), use the debug ssh command:
ciscoasa(config)# debug ssh debug ssh enabled at level 1
SSH-1 Session Establishment:
The SSH client and the SSH server (the Cisco ASA) start off their SSH communications by establishing a secure connection. This includes the client and server agreeing on an encryption algorithm, and then generating a secret session key. The steps involved in SSH-1 connection establishment:
- The SSH-1 client sends a connection request to the SSH server (on TCP port 22 by default).
- The client and server tell each other which versions of SSH they support (in the form of ASCII strings).
- The server identifies itself and sends the client some session parameters. The server tells the client:
- Its host key, which the client needs to accept (and thereby verify the server’s identity) in order for the communications to continue. If the client already has the server in its known hosts database, the client will not be prompted to verify the host key.
- Its server key, which is a temporary, asymmetric key used to establish the secure connection. It provides Perfect Forward Secrecy for the SSH-1 session. Perfect Forward Secrecy means there are no persistent keys whose disclosure can jeopardize the secrecy of past or future SSH sessions.
- Check bytes, which are an 8-byte-long random sequence. This protects against IP spoofing attacks because the client must include these check bytes in its next response to the server.
- A list of the encryption, compression, and authentication methods that the server supports.
- The client generates a session key for bulk cipher. This is a randomly generated, symmetric key for encrypting and decrypting the messages sent between the SSH client and server during this session.
- The client encrypts the session key twice: once with the server’s host key, and once with the server key. This ensures that only the server can decrypt it.
- The client sends the twice-encrypted session key to the server.
- The client and the server begin encrypted communications using the session key and the selected bulk cipher.
- The server sends the client a confirmation message that is encrypted with the session key, proving that it is the correct server, because it is the only one who could have decrypted the session key sent by the client in Step 6.
- The secure connection is established.
- Now it’s the client’s turn to authenticate (e.g. the SSH password or AAA user credentials that has been configured on the ASA).
On my pet ASA, I enabled SSH connections from 126.96.36.199 on the outside interface. I also told my ASA to use only SSH-1 by using the ssh version 1 command. I set up SSH to use AAA for user authentication by using the aaa authentication console command.. The following is the console output when a SSH-1 client connects from the IP address 188.8.131.52.
ciscoasa(config)# Device ssh opened successfully. SSH0: SSH client: IP = '184.108.40.206' interface # = 2 SSH: host key initialised SSH0: starting SSH control process SSH0: Exchanging versions - SSH-1.5-Cisco-1.25 SSH0: send SSH message: outdata is NULL server version string:SSH-1.5-Cisco-1.25SSH0: receive SSH message: 83 (83) SSH0: client version is - SSH-1.5-PuTTY_Release_0.60 client version string:SSH-1.5-PuTTY_Release_0.60SSH0: begin server key generation SSH0: complete server key generation, elapsed time = 1240 ms SSH0: declare what cipher(s) we support: 00 0x00 0x00 0x0c 0xSSH0: send SSH message: SSH_SMSG_PUBLIC_KEY (2) SSH0: SSH_SMSG_PUBLIC_KEY message sent SSH0: receive SSH message: SSH_CMSG_SESSION_KEY (3) SSH0: SSH_CMSG_SESSION_KEY message received - msg type 0x03, length 144 SSH0: client requests 3DES cipher: 3 SSH: scb created 0x6a75f79, size 4 SSH0: send SSH message: SSH_SMSG_SUCCESS (14) SSH0: keys exchanged and encryption on SSH: Installing crc compensation attack detector. SSH0: receive SSH message: SSH_CMSG_USER (4) SSH0: authentication request for userid duncan SSH(duncan): user authen method is 'use AAA', aaa server group ID = 1 SSH0: send SSH message: SSH_SMSG_FAILURE (15) SSH0: receive SSH message: SSH_CMSG_AUTH_PASSWORD (9) SSH0: send SSH message: SSH_SMSG_SUCCESS (14) SSH0: authentication successful for duncan SSH0: receive SSH message: SSH_CMSG_REQUEST_PTY (10) SSH0: send SSH message: SSH_SMSG_SUCCESS (14) SSH0: receive SSH message: SSH_CMSG_EXEC_SHELL (12) SSH0: starting exec shell SSH0: send SSH message: SSH_SMSG_EXITSTATUS (20) SSH0: receive SSH message: SSH_CMSG_EXIT_CONFIRMATION (33) SSH0: Session terminated normally
You can see the ASA sending the host key, and then the client and the ASA figuring out which SSH version to use, the server key being generated, the session key being sent by the client, the SSH client authenticating as user “duncan”, and finally, the SSH session being terminated.