Disable SSH pix username and cisco password

lon21 Member Posts: 201
Guys,

When setting up SSH on an ASA you have to enter a username and password, but once you set up your own username and passwords the ASA still accepts the username pix and password cisco, which allows you into the CLI.

I've tried no username pix but it says that the user pix does not exist, but still allows me through SSH?

Any suggestion please?

Comments

  • docrice Member Posts: 1,706 ■■■■■■■■■■
    Can you show us the output of sh run | include username?
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • lon21 Member Posts: 201
    Cryptochecksum: 407633e1 8e6399be c7d2e49d e76f4aaf: Saved
    : Written by enable_15 at 16:37:52.149 UTC Sun Sep 18 2011
    !
    ASA Version 8.2(1)
    !
    hostname New-York-ASA
    domain-name TEST-LAB
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address 70.0.0.2 255.255.255.0
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ftp mode passive
    dns server-group DefaultDNS
    domain-name TEST-LAB
    access-list ICMP_Outside extended permit icmp any any
    access-list acl-l2l-lon extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 192.168.1.0 255.255.255.0
    access-group ICMP_Outside in interface outside
    route outside 0.0.0.0 0.0.0.0 70.0.0.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map l2lsites 10 match address acl-l2l-lon
    crypto map l2lsites 10 set peer 20.0.0.2
    crypto map l2lsites 10 set transform-set esp-3des-md5
    crypto map l2lsites interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.0 inside
    ssh timeout 30
    console timeout 0
    dhcpd dns 8.8.8.8
    dhcpd option 3 ip 192.168.1.1
    !
    dhcpd address 192.168.1.5-192.168.1.132 inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username Test password rfnvCarobquAQkOS encrypted
    tunnel-group 20.0.0.2 type ipsec-l2l
    tunnel-group 20.0.0.2 ipsec-attributes
    pre-shared-key test
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:407633e18e6399bec7d2e49de76f4aaf
    : end


    The username Test works perfectly fine, but the default cisco username and password also work.

    I want to be able to disable the default username and password.

    Thanks
  • docrice Member Posts: 1,706 ■■■■■■■■■■
    What happens if you change the password on the invisible "pix" and "test" accounts? Are you still able to SSH in with the original passwords? I'm running a newer version of the ASA code, but I'm not able to access it using any account other than what I've defined in my config.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • lon21 Member Posts: 201
    docrice wrote: »
    What happens if you change the password on the invisible "pix" and "test" accounts? Are you still able to SSH in with the original passwords? I'm running a newer version of the ASA code, but I'm not able to access it using any account other than what I've defined in my config.

    Still able to access it via the default login; I guess the enable secret would stop unwanted access.
  • WillTech105 Member Posts: 216
    Try logging into the ASDM of the device and see if you can view that user account. If not, see if you can create the username cisco and change its password, and see if it uses the original password or the new one.
    In Progress: CCNP ROUTE
  • johnwest43 Member Posts: 294
    Give this a try

    aaa authentication ssh console LOCAL
    aaa authentication enable console LOCAL
    aaa authorization command LOCAL

    username USERNAME password PASSWORD privilege 15
    CCNP: ROUTE [x], SWITCH [x], TSHOOT [x] Completed on 2/18/2014
  • lon21 Member Posts: 201
    johnwest43 wrote: »
    Give this a try

    aaa authentication ssh console LOCAL
    aaa authentication enable console LOCAL
    aaa authorization command LOCAL

    username USERNAME password PASSWORD privilege 15

    What do these commands do?
  • WillTech105 Member Posts: 216
    lon21 wrote: »
    What do these commands do?

    Telling the device to use AAA and look in LOCAL (its own database) for a user -- in this case: USERNAME
    In Progress: CCNP ROUTE
  • lon21 Member Posts: 201
    Telling the device to use AAA and look in LOCAL (its own database) for a user -- in this case: USERNAME

    Sorry to be a pain, but what does 'aaa' mean?
  • aquilla Member Posts: 148 ■■■□□□□□□□
    lon21 wrote: »
    Sorry to be a pain, but what does 'aaa' mean?

    AAA = Authentication, Authorization and Accounting

    https://learningnetwork.cisco.com/docs/DOC-7905 - Introduction to AAA Implementation
    Regards,

    CCNA R&S; CCNP R&S
  • shednik Member Posts: 2,005
    johnwest43 wrote: »
    Give this a try

    aaa authentication ssh console LOCAL
    aaa authentication enable console LOCAL
    aaa authorization command LOCAL

    username USERNAME password PASSWORD privilege 15

    This will fix your issue. As of right now the PIX/ASA will accept authentication from the built-in account and the local accounts until you specify the AAA group as shown above.
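The condition johnwest43's commands fix and shednik describes (SSH enabled, but no `aaa authentication ssh console` line, so the built-in login still works) can be checked from a saved running-config. The audit script below is an added example, not code from the thread or from Cisco; its sample configs are constructed excerpts modelled on the posted one, and the finding texts are my own wording.

```python
import re

# Constructed excerpt modelled on the posted running-config (not a real device).
SAMPLE_BEFORE = """\
ASA Version 8.2(1)
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 30
telnet timeout 5
username Test password rfnvCarobquAQkOS encrypted
"""

# Same excerpt after applying the AAA commands suggested in the thread.
SAMPLE_AFTER = SAMPLE_BEFORE + """\
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
ssh version 2
"""

# 'ssh <net> <mask> <ifname>' / 'telnet <net> <mask> <ifname>' lines enable that access method.
ACCESS_RE = re.compile(r"^(ssh|telnet)\s+\d+\.\d+\.\d+\.\d+\s+\d+\.\d+\.\d+\.\d+\s+\S+$")
# 'aaa authentication <method> console <server-tag>' binds that method to a AAA source.
AAA_RE = re.compile(r"^aaa authentication (ssh|telnet|enable|http|serial) console (\S+)")


def audit_asa_auth(config: str) -> list:
    """Return a list of findings about management-plane authentication in an ASA config."""
    lines = [ln.strip() for ln in config.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("!")]
    enabled = {m.group(1) for ln in lines if (m := ACCESS_RE.match(ln))}
    aaa = {m.group(1): m.group(2) for ln in lines if (m := AAA_RE.match(ln))}
    findings = []
    for method in sorted(enabled):
        if method not in aaa:
            # Without this line the ASA falls back to its built-in login for that method.
            findings.append(f"{method}: no 'aaa authentication {method} console', built-in login still accepted")
    if "enable" not in aaa:
        findings.append("enable: no 'aaa authentication enable console', enable password is shared by all users")
    if "telnet" in enabled:
        findings.append("telnet: cleartext management access is enabled")
    if not any(ln.startswith("username ") for ln in lines):
        findings.append("no local username defined; LOCAL authentication would lock out management access")
    if "ssh" in enabled and "ssh version 2" not in lines:
        findings.append("ssh: version not pinned to 2")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit_asa_auth(cfg) or ["no findings"])
```

Feed it the output of `show running-config` from a real box; a finding on the ssh line is exactly the state the original poster describes.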