31 July 2011
Posted By: Gom Jabbar
Cisco ASA Device Management – SSH Version 2

By default, the Cisco ASA will allow clients to connect using SSH-1 or SSH-2. You can configure the ASA to accept only clients that use SSH-2. Just use the ssh version 2 command (ssh ver 2 is the abbreviated form shown below), then confirm the setting with show ssh:

ciscoasa(config)# ssh ver 2
ciscoasa(config)# sh ssh
Timeout: 5 minutes
Version allowed: 2
11.11.11.2 255.255.255.255 outside

Below is the console output when an SSH-2 client connects to the ASA. (You need to enable SSH debugging via the debug ssh command.)

You can see the steps involved in establishing an SSH-2 connection. The client connects from 11.11.11.2, the ASA initialises its host key, the client and server exchange version strings (SSH-1.99-Cisco-1.25 from the ASA, SSH-2.0-PuTTY_Release_0.60 from the client) to agree on which SSH version to use, and the KEXINIT exchange negotiates the encryption and MAC algorithms (aes256-cbc with hmac-sha1 in each direction). Once the key exchange completes, you can see the client authenticate with no AAA configured, using the default SSH username “pix”. At the end, you can see the session terminate normally.

ciscoasa(config)# Device ssh opened successfully.
SSH0: SSH client: IP = '11.11.11.2'  interface # = 2
SSH: host key initialised
SSH0: starting SSH control process
SSH0: Exchanging versions - SSH-1.99-Cisco-1.25

SSH0: send SSH message: outdata is NULL

server version string:SSH-1.99-Cisco-1.25SSH0: receive SSH message: 83 (83)
SSH0: client version is - SSH-2.0-PuTTY_Release_0.60

client version string:SSH-2.0-PuTTY_Release_0.60SSH0: begin server key generation
SSH0: complete server key generation, elapsed time = 1000 ms

SSH2 0: SSH2_MSG_KEXINIT sent
SSH2 0: SSH2_MSG_KEXINIT received
SSH2: kex: client->server aes256-cbc hmac-sha1 none
SSH2: kex: server->client aes256-cbc hmac-sha1 none
SSH2 0: expecting SSH2_MSG_KEXDH_INIT
SSH2 0: SSH2_MSG_KEXDH_INIT received
SSH2 0: signature length 143
SSH2: kex_derive_keys complete
SSH2 0: newkeys: mode 1
SSH2 0: SSH2_MSG_NEWKEYS sent
SSH2 0: waiting for SSH2_MSG_NEWKEYS
SSH2 0: newkeys: mode 0
SSH2 0: SSH2_MSG_NEWKEYS receivedSSH(pix): user authen method is 'no AAA', aaa server group ID = 0
SSH(pix): user authen method is 'no AAA', aaa server group ID = 0

SSH2 0: authentication successful for pix
SSH2 0: channel open request
SSH2 0: pty-req request
SSH2 0: requested tty: xterm, height 24, width 80

SSH2 0: shell request
SSH2 0: shell message received
SSH0: Session terminated normally
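The two outputs above (the show ssh listing and the debug ssh transcript) are easy to read by hand once, but on a fleet of ASAs you would rather check them programmatically. The following Python is an added example, not code from the original post or from Cisco: it parses the show ssh output to confirm that only protocol version 2 is allowed and which hosts may connect, and it reduces a debug ssh transcript to a session summary (client IP, version strings, negotiated cipher and MAC per direction, authentication method and user, normal termination). The sample strings are constructed from the post's own output; the "Version allowed: 1 and 2" wording used for the default case in the comments is an assumption about how the ASA prints it.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the "show ssh" output from the post, with the prompt lines removed.
SHOW_SSH_OUTPUT = """Timeout: 5 minutes
Version allowed: 2
11.11.11.2 255.255.255.255 outside
"""

# Constructed sample: an abridged copy of the "debug ssh" transcript from the post,
# including one of the run-together lines the ASA console produces.
DEBUG_SSH_OUTPUT = """SSH0: SSH client: IP = '11.11.11.2'  interface # = 2
SSH: host key initialised
SSH0: Exchanging versions - SSH-1.99-Cisco-1.25
server version string:SSH-1.99-Cisco-1.25SSH0: receive SSH message: 83 (83)
SSH0: client version is - SSH-2.0-PuTTY_Release_0.60
SSH2: kex: client->server aes256-cbc hmac-sha1 none
SSH2: kex: server->client aes256-cbc hmac-sha1 none
SSH(pix): user authen method is 'no AAA', aaa server group ID = 0
SSH2 0: authentication successful for pix
SSH0: Session terminated normally
"""


def parse_show_ssh(text):
    """Return (allowed_versions, allowed_hosts) from 'show ssh' output.

    allowed_versions is a set of ints, so a default "Version allowed: 1 and 2"
    (assumed wording) yields {1, 2} and a hardened box yields {2}.
    allowed_hosts is a list of (address, mask, interface) tuples.
    """
    versions = set()
    hosts = []
    for line in text.splitlines():
        m = re.match(r"Version allowed:\s*(.+)", line)
        if m:
            versions = {int(v) for v in re.findall(r"\d", m.group(1))}
            continue
        m = re.match(r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)", line)
        if m:
            hosts.append((m.group(1), m.group(2), m.group(3)))
    return versions, hosts


def ssh2_only(text):
    """True only if 'show ssh' reports exactly protocol version 2 as allowed."""
    versions, _ = parse_show_ssh(text)
    return versions == {2}


@dataclass
class SshSession:
    client_ip: Optional[str] = None
    server_version: Optional[str] = None   # e.g. SSH-1.99-...: 1.99 is the RFC 4253 "both versions" banner
    client_version: Optional[str] = None
    kex: dict = field(default_factory=dict)  # direction -> (cipher, mac, compression)
    auth_method: Optional[str] = None
    auth_user: Optional[str] = None
    terminated_normally: bool = False


# One regex per single-valued field; the first match wins.
PATTERNS = [
    ("client_ip", re.compile(r"SSH client: IP = '([^']+)'")),
    ("server_version", re.compile(r"Exchanging versions - (SSH-\S+)")),
    ("client_version", re.compile(r"client version is - (SSH-\S+)")),
    ("auth_method", re.compile(r"user authen method is '([^']+)'")),
    ("auth_user", re.compile(r"authentication successful for (\S+)")),
]
KEX_RE = re.compile(r"kex: (client->server|server->client) (\S+) (\S+) (\S+)")


def parse_debug_ssh(text):
    """Reduce a 'debug ssh' transcript to an SshSession summary."""
    s = SshSession()
    for line in text.splitlines():
        for attr, rx in PATTERNS:
            m = rx.search(line)
            if m and getattr(s, attr) is None:
                setattr(s, attr, m.group(1))
        m = KEX_RE.search(line)
        if m:
            s.kex[m.group(1)] = (m.group(2), m.group(3), m.group(4))
        if "Session terminated normally" in line:
            s.terminated_normally = True
    return s


def client_protocol_version(session):
    """Protocol number from the client banner, e.g. '2.0' from SSH-2.0-PuTTY_Release_0.60."""
    if session.client_version is None:
        return None
    return session.client_version.split("-")[1]


if __name__ == "__main__":
    print("SSH-2 only:", ssh2_only(SHOW_SSH_OUTPUT))
    print(parse_debug_ssh(DEBUG_SSH_OUTPUT))
```

Feeding the output of show ssh collected from each device into ssh2_only gives a quick compliance check for the setting this post configures, and the debug parser turns a verbose transcript into the handful of facts worth logging: who connected, with which protocol version, with which algorithms, and as which user.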

Additional Information:

Debug ssh command in the Cisco ASA 8.4 Command Reference.

Ssh command in the Cisco ASA 8.4 Command Reference.

Show ssh command in the Cisco ASA 8.4 Command Reference.