- August
Posted By : Gom Jabbar
How to Use an iPod to SSH into a Cisco ASA

A couple of months ago, I went on vacation to the far side of the world. I brought along no electronic devices except:

  • My Blackberry (work phone; powered off most of the time to avoid roaming charges), and
  • My Second Gen iPod Touch (mostly used to track my runs with Nike+).

This was the first time in 10 years that I had traveled without a laptop. I tell myself I need a laptop in case there is a work emergency and I need to remote into some damned device that is misbehaving. But data addiction is probably closer to the truth. I need a hit of pseudo omniscience every couple of hours, or I start to twitch.

During this trip, my separation anxiety from the Internet was acute, but the ubiquity of wireless networks allowed my iPod to serve up a bit of the old placebo effect. I was able to use Safari on my iPod to check in online for my flights and even pick my seats on the plane. I could check webmail. Use Nike+ when I went running. Check the news. Check the weather report. Wardrive. Portscan. You know, practical stuff.

Anyway, this got me thinking about what else I could do on my iPod. I’m usually surrounded by computers which run the utilities I need for my work. I only use my iPod when I run. So the iPod has a gigantic music library but very few apps. Form follows function.

SSH Client on an iPod

Tonight, I’m testing out a new app on my iPod: iSSH by Zingersoft. It does Telnet, VNC, RDP, and X Server. But my primary interest in it tonight is the SSH client. $9.99 from the App Store. Hours of enjoyment.

I hooked up the outside interface of my pet ASA to my wireless router. My iPod’s also hooked up to the same wireless network.

I configured the ASA to permit SSH connections from the outside interface.

My iPod Touch is running iOS 4.2.1. I purchased iSSH from the App Store and then synced iTunes with the iPod. Here is iSSH on the Home Screen of the iPod (top row, second icon from the left):

iPod Home Screen

After launching iSSH, I set up SSH connection parameters to the outside interface of my Cisco ASA:

iSSH Configuration Screen 1

You can specify connection parameters such as the protocol (SSH, Telnet, etc.):

iSSH Configuration Screen 2

After initiating the SSH connection, the iPod receives the SSH server’s key fingerprint:

iSSH Key Fingerprint from SSH Server

Once the fingerprint has been accepted by the SSH client, you present the username and password for the SSH connection. I am using the default SSH account on the ASA, which is “pix” with the password “cisco”:

iSSH Login to SSH Server

A debug ssh command from a different console session to the Cisco ASA shows the SSH connection negotiation from the iPod:

ciscoasa# debug ssh
debug ssh  enabled at level 1
ciscoasa# Device ssh opened successfully.
SSH1: SSH client: IP = ''  interface # = 2
SSH: host key initialised
SSH1: starting SSH control process
SSH1: Exchanging versions - SSH-1.99-Cisco-1.25

SSH1: send SSH message: outdata is NULL

server version string:SSH-1.99-Cisco-1.25Device ssh opened successfully.
SSH0: SSH client: IP = ''  interface # = 2
SSH: host key initialised
SSH0: starting SSH control process
SSH0: Exchanging versions - SSH-1.99-Cisco-1.25

SSH0: send SSH message: outdata is NULL

server version string:SSH-1.99-Cisco-1.25SSH0: receive SSH message: 83 (83)
SSH0: client version is - SSH-2.0-PuTTY_Local:_Aug__4_2011_01:03:30

client version string:SSH-2.0-PuTTY_Local:_Aug__4_2011_01:03:30SSH0: begin server key generation
SSH0: complete server key generation, elapsed time = 690 ms

SSH2 0: SSH2_MSG_KEXINIT received
SSH2: kex: client->server aes256-cbc hmac-sha1 none
SSH2: kex: server->client aes256-cbc hmac-sha1 none
SSH2 0: expecting SSH2_MSG_KEXDH_INIT
SSH2 0: SSH2_MSG_KEXDH_INIT received
SSH2 0: signature length 271
SSH2: kex_derive_keys complete
SSH2 0: newkeys: mode 1
SSH2 0: waiting for SSH2_MSG_NEWKEYS
SSH2 0: newkeys: mode 0
SSH2 0: SSH2_MSG_NEWKEYS receivedSSH(pix): user authen method is 'no AAA', aaa server group ID = 0
SSH(pix): user authen method is 'no AAA', aaa server group ID = 0

SSH2 0: authentication successful for pix
SSH2 0: channel open request
SSH2 0: x11-req request
SSH2 0: auth-agent-req@openssh.com request
SSH2 0: pty-req request
SSH2 0: requested tty: xterm, height 24, width 53

SSH2 0: shell request
SSH2 0: shell message receivedSSH1: Session disconnected by SSH server - error 0x3c "Time-out activated"
SSH1: receive SSH message: [no message ID: variable *data is NULL]
SSH1: receive unsuccessful - status 0x3c
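
The debug output above says a good deal about how this ASA's SSH service is set up. As an added example (not part of the original post), this Python check reads `debug ssh` text and flags the settings worth tightening before such a session is exposed on an outside interface: the SSH-1.99 banner, the CBC cipher and SHA-1 MAC, the 'no AAA' authentication method, and a login with the default "pix" account. SAMPLE is constructed from lines in the capture; the function name and finding codes are hypothetical.

```python
import re

# Constructed sample: lines copied from the `debug ssh` capture above.
SAMPLE = """\
SSH0: Exchanging versions - SSH-1.99-Cisco-1.25
SSH0: client version is - SSH-2.0-PuTTY_Local:_Aug__4_2011_01:03:30
SSH2: kex: client->server aes256-cbc hmac-sha1 none
SSH2: kex: server->client aes256-cbc hmac-sha1 none
SSH2 0: SSH2_MSG_NEWKEYS receivedSSH(pix): user authen method is 'no AAA', aaa server group ID = 0
SSH2 0: authentication successful for pix
"""

DEFAULT_ACCOUNTS = {"pix"}  # default SSH username named in the post
LEGACY_MACS = {"hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96"}

def audit_debug_ssh(text):
    """Return a sorted list of (code, detail) findings from ASA `debug ssh` text."""
    findings = set()
    # A "1.99" banner means the server also accepts SSHv1 (RFC 4253, section 5.1).
    for m in re.finditer(r"Exchanging versions - SSH-(\d+\.\d+)-", text):
        if m.group(1) != "2.0":
            findings.add(("ssh1-accepted", m.group(1)))
    # Negotiated cipher and MAC, reported once per direction.
    for m in re.finditer(r"kex: \S+->\S+ (\S+) (\S+) \S+", text):
        cipher, mac = m.group(1), m.group(2)
        if cipher.endswith("-cbc"):
            findings.add(("cbc-cipher", cipher))
        if mac in LEGACY_MACS:
            findings.add(("legacy-mac", mac))
    # Debug lines run together in the capture, so search the whole text
    # instead of matching line by line.
    for m in re.finditer(r"SSH\((\w+)\): user authen method is '([^']*)'", text):
        user, method = m.groups()
        if method == "no AAA":  # login is not checked against a AAA method
            findings.add(("no-aaa", user))
    for m in re.finditer(r"authentication successful for (\w+)", text):
        if m.group(1) in DEFAULT_ACCOUNTS:
            findings.add(("default-account-login", m.group(1)))
    return sorted(findings)

if __name__ == "__main__":
    for code, detail in audit_debug_ssh(SAMPLE):
        print(f"{code:24} {detail}")
```
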

And the iPod presents me with the ASA prompt:

And here’s the iPod displaying the output of a show version command:

iSSH with SSH Session to Cisco ASA

Pretty stable connection over wireless. The small iPod screen is not optimal for reading lines of config, but it works in a pinch. I tested another SSH connection to a remote firewall and the added lag time was as expected. So, responsiveness is connection-dependent but quite usable.

The same device that is able to play Nine Inch Nails’ cover of Gary Numan’s Metal while simultaneously facilitating a secure management session to a firewall 3 timezones away. Novelty value!