How to fix being unable to ssh into a Cisco PIX firewall from Linux


Symptom:

skywalker@skywalker-Ubuntu:/usr$ ssh username@Firewall's IP
No valid ciphers for protocol version 2 given, using defaults.
ssh_rsa_verify: RSA modulus too small: 512 < minimum 768 bits
key_verify failed for server_host_key

Temporary workaround

Connect with the ssh options -v -1 -c des (verbose, force protocol version 1, use the DES cipher):

skywalker@skywalker-ubuntu:/usr$ ssh -v -1 -c des username@Firewall's IP
OpenSSH_4.6p1 Debian-5ubuntu0.1, OpenSSL 0.9.8e 23 Feb 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 211.100.62.34 [211.100.62.34] port 22.
debug1: Connection established.
debug1: identity file /home/skywalker/.ssh/identity type -1
debug1: Remote protocol version 1.99, remote software version Cisco-1.25
debug1: no match: Cisco-1.25
debug1: Local version string SSH-1.5-OpenSSH_4.6p1 Debian-5ubuntu0.1
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (512 bits).
debug1: Host '211.100.62.34' is known and matches the RSA1 host key.
debug1: Found key in /home/skywalker/.ssh/known_hosts:6
debug1: Encryption type: des
debug1: Sent encrypted session key.
Warning: use of DES is strongly discouraged due to cryptographic weaknesses
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Doing password authentication.
pix@211.100.62.34's password:

Permanent fix

If you do not want to pass a long string of options to ssh every time, you need to regenerate a suitable key on the PIX. The steps are:

Log in to the PIX (you can use the ssh method above)

>enable
configure terminal
crypto key zeroize rsa                          (remove the existing RSA key)
crypto key generate rsa modulus 1024 noconfirm  (generate a new RSA key)

If you logged in over ssh using the method above, the key stored on your machine will now no longer match the PIX, and ssh will report an error like this:

@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
xx.xx.xx.xx
Please contact your system administrator.
Add correct host key in /home/skywalker/.ssh/known_hosts to get rid of this message.
Offending key in /home/skywalker/.ssh/known_hosts:5
RSA host key for Firewall's IP has changed and you have requested strict checking.
Host key verification failed.

You must first remove the stale key for the PIX from ~/.ssh/known_hosts. If you do not know which key belongs to the PIX, it is fine to clear known_hosts entirely; the only consequence is that the first time you log in to any other machine you will have to confirm its host key once (yes/no).

Once the stale key has been removed, ssh can log in to the PIX normally.
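As an added example (not part of the original post), the following Python script performs the two checks this post turns on against a known_hosts file: it parses each ssh-rsa host key and flags any whose modulus is below the 768-bit minimum from the error message, and it removes the stale entry for a given host, which is the manual clean-up step described above. The sample known_hosts contents, the 192.0.2.x addresses and the key parameters are constructed, not real keys.

```python
import base64
import struct

MIN_RSA_BITS = 768  # the minimum the OpenSSH client in the post enforces


def _mpint(value: int) -> bytes:
    """Encode a positive int as an SSH mpint: 4-byte length, big-endian, leading 0x00 if the high bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw


def make_rsa_blob(e: int, n: int) -> str:
    """Build a base64 ssh-rsa public key blob from (e, n); used here only to construct sample data."""
    return base64.b64encode(struct.pack(">I", 7) + b"ssh-rsa" + _mpint(e) + _mpint(n)).decode()


def rsa_modulus_bits(b64_blob: str) -> int:
    """Parse an ssh-rsa blob (string keytype, mpint e, mpint n) and return the modulus size in bits."""
    data, pos, fields = base64.b64decode(b64_blob), 0, []
    for _ in range(3):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        fields.append(data[pos + 4:pos + 4 + length])
        pos += 4 + length
    if fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    return int.from_bytes(fields[2], "big").bit_length()


def audit_known_hosts(text: str, drop_host=None):
    """Return (kept_lines, findings): entries for drop_host are removed, weak ssh-rsa keys are reported."""
    kept, findings = [], []
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) < 3:
            kept.append(line)  # comments and malformed lines pass through untouched
            continue
        hosts, keytype, blob = parts[0].split(","), parts[1], parts[2]
        if drop_host in hosts:
            findings.append((parts[0], "stale entry removed"))
            continue
        if keytype == "ssh-rsa" and (bits := rsa_modulus_bits(blob)) < MIN_RSA_BITS:
            findings.append((parts[0], f"weak RSA host key: {bits} < {MIN_RSA_BITS} bits"))
        kept.append(line)
    return kept, findings


# Constructed sample: a 512-bit key (like the PIX before regeneration) and a 1024-bit key (after).
SAMPLE_KNOWN_HOSTS = "\n".join([
    "192.0.2.10 ssh-rsa " + make_rsa_blob(65537, (1 << 511) | 1),
    "192.0.2.20 ssh-rsa " + make_rsa_blob(65537, (1 << 1023) | 1),
])
```

Calling audit_known_hosts(SAMPLE_KNOWN_HOSTS) reports the 512-bit entry as weak; passing drop_host="192.0.2.10" drops that line the way the post clears the stale PIX key by hand.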
