
Blog


    12 August

    Using AAA to authenticate SSH connections

     
    1. Capture the management session:
      access-list SSH_AUTH extended permit tcp 192.168.168.0 255.255.255.0 interface INSIDE eq ssh
    2. Allow inside clients to initiate SSH sessions:
      ssh 192.168.168.0 255.255.255.0 INSIDE
    3. Define the AAA server and apply it to the captured SSH traffic:
      aaa-server TACACS+ protocol tacacs+
      aaa-server TACACS+ host 192.168.168.21
      aaa authentication match SSH_AUTH INSIDE TACACS+
    Debug output of a login attempt with this configuration:
    SSH0: SSH client: IP = '192.168.168.79' interface # = 2
    SSH: host key initialised
    SSH0: starting SSH control process
    SSH0: Exchanging versions - SSH-1.5-Cisco-1.25
    SSH0: send SSH message: outdata is NULL
    server version string:SSH-1.5-Cisco-1.25SSH0: receive SSH message: 83 (83)
    SSH0: client version is - SSH-1.5-SecureCRT_5.0.0 (build 930) SecureCRT
    client version string:SSH-1.5-SecureCRT_5.0.0 (build 930) SecureCRTSSH0: begin server key generation
    SSH0: complete server key generation, elapsed time = 1640 ms
    SSH0: declare what cipher(s) we support:
    00 0x00 0x00 0x04 0xSSH0: send SSH message: SSH_SMSG_PUBLIC_KEY (2)
    SSH0: SSH_SMSG_PUBLIC_KEY message sent
    SSH0: receive SSH message: SSH_CMSG_SESSION_KEY (3)
    SSH0: SSH_CMSG_SESSION_KEY message received - msg type 0x03, length 144
    SSH0: client requests DES cipher: 2
    SSH: scb created 0x25aadb0, size 104
    SSH0: send SSH message: SSH_SMSG_SUCCESS (14)
    SSH0: keys exchanged and encryption on
    SSH0: receive SSH message: SSH_CMSG_USER (4)
    SSH0: authentication request for userid joey_ssh
    SSH(joey_ssh): user authen method is 'no AAA', aaa server group ID = 0
    SSH0: invalid userid joey_ssh
    SSH0: send SSH message: SSH_SMSG_FAILURE (15)
    SSH0: receive SSH message: SSH_CMSG_AUTH_PASSWORD (9)
    SSH0: send SSH message: SSH_SMSG_FAILURE (15)
    SSH0: receive SSH message: SSH_CMSG_AUTH_PASSWORD (9)
    SSH0: send SSH message: SSH_SMSG_FAILURE (15)
    SSH0: receive SSH message: SSH_CMSG_AUTH_PASSWORD (9)
    SSH0: authentication failed for joey_ssh
    SSH0: send SSH message: SSH_MSG_DISCONNECT (1)
    SSH0: Session disconnected by SSH server - error 0x0d "Rejected by server"
     
    The above approach is incorrect. Sessions that terminate on the PIX itself (telnet, SSH or HTTP to the firewall) are management sessions, and the only way to hand them to AAA is
    aaa authentication ssh console TACACS+
    The match rule built on access-list SSH_AUTH extended permit tcp 192.168.168.0 255.255.255.0 interface INSIDE eq ssh never applies to them, because aaa authentication match only covers traffic passing through the firewall; the debug above shows the result ("user authen method is 'no AAA', aaa server group ID = 0").
    Debug output of the same login with the console form applied:
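    As an added example (not part of the original post): a small Python checker for PIX/ASA config fragments in the textual form shown above. It flags an aaa authentication match rule whose ACL captures SSH, Telnet or HTTP to the firewall's own interface address and reports the console form that should be used instead. The regexes, function names and the two sample configs are mine; the first sample is the post's configuration, the second is the same with the match rule replaced by the console line.

```python
"""Added example: lint PIX/ASA 'aaa authentication match' rules that try to
authenticate management traffic to the firewall itself (not the post's code)."""
import re

# Management services that terminate on the firewall. Each needs
# 'aaa authentication <service> console <group>'; a match rule only
# applies to traffic passing through the firewall.
MGMT_PORTS = {
    "ssh": "ssh", "22": "ssh",
    "telnet": "telnet", "23": "telnet",
    "http": "http", "https": "http", "80": "http", "443": "http",
}

# Assumption: only the line shapes that appear in the post are understood.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) extended permit tcp "
    r"(?P<src>any|\S+ \S+) "
    r"(?P<dst>any|interface \S+|\S+ \S+) eq (?P<port>\S+)$"
)
MATCH_RE = re.compile(
    r"^aaa authentication match (?P<acl>\S+) (?P<iface>\S+) (?P<group>\S+)$"
)
CONSOLE_RE = re.compile(
    r"^aaa authentication (?P<svc>ssh|telnet|http|serial|enable) console (?P<group>\S+)$"
)


def lint_aaa(config_text):
    """Return (findings, fixes): problems found, and CLI lines to add instead."""
    aces = {}        # ACL name -> [(destination, port), ...]
    matches = []     # (acl, iface, group) from 'aaa authentication match'
    console = set()  # services already covered by '... console <group>'
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # normalise whitespace
        m = ACE_RE.match(line)
        if m:
            aces.setdefault(m["acl"], []).append((m["dst"], m["port"]))
            continue
        m = MATCH_RE.match(line)
        if m:
            matches.append((m["acl"], m["iface"], m["group"]))
            continue
        m = CONSOLE_RE.match(line)
        if m:
            console.add(m["svc"])

    findings, fixes = [], []
    for acl, iface, group in matches:
        for dst, port in aces.get(acl, []):
            svc = MGMT_PORTS.get(port.lower())
            # 'interface <name>' as destination means the firewall's own address
            if svc and dst.startswith("interface "):
                findings.append(
                    "aaa authentication match %s on %s captures %s to the "
                    "firewall's own %s address; match rules authenticate "
                    "through-traffic only, so this login runs as 'no AAA'"
                    % (acl, iface, svc, dst.split()[1]))
                if svc not in console:
                    fixes.append("aaa authentication %s console %s" % (svc, group))
    return findings, sorted(set(fixes))


# Constructed samples: the post's configuration, then the corrected form.
BROKEN_CONFIG = """
access-list SSH_AUTH extended permit tcp 192.168.168.0 255.255.255.0 interface INSIDE eq ssh
ssh 192.168.168.0 255.255.255.0 INSIDE
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ host 192.168.168.21
aaa authentication match SSH_AUTH INSIDE TACACS+
"""
FIXED_CONFIG = """
ssh 192.168.168.0 255.255.255.0 INSIDE
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ host 192.168.168.21
aaa authentication ssh console TACACS+
"""

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        findings, fixes = lint_aaa(cfg)
        print(name, "->", findings or "no findings", "| add:", fixes or "nothing")
```

    Run it as a script to see the post's configuration flagged and the single console line it recommends; the corrected configuration produces no findings.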
     
    SSH0: SSH client: IP = '192.168.168.79' interface # = 2
    SSH: host key initialised
    SSH0: starting SSH control process
    SSH0: Exchanging versions - SSH-1.5-Cisco-1.25
    SSH0: send SSH message: outdata is NULL
    server version string:SSH-1.5-Cisco-1.25SSH0: receive SSH message: 83 (83)
    SSH0: client version is - SSH-1.5-SecureCRT_5.0.0 (build 930) SecureCRT
    client version string:SSH-1.5-SecureCRT_5.0.0 (build 930) SecureCRTSSH0: begin server key generation
    SSH0: complete server key generation, elapsed time = 1870 ms
    SSH0: declare what cipher(s) we support:
    00 0x00 0x00 0x04 0xSSH0: send SSH message: SSH_SMSG_PUBLIC_KEY (2)
    SSH0: SSH_SMSG_PUBLIC_KEY message sent
    SSH0: receive SSH message: SSH_CMSG_SESSION_KEY (3)
    SSH0: SSH_CMSG_SESSION_KEY message received - msg type 0x03, length 144
    SSH0: client requests DES cipher: 2
    SSH: scb created 0x25aab00, size 104
    SSH0: send SSH message: SSH_SMSG_SUCCESS (14)
    SSH0: keys exchanged and encryption on
    SSH0: receive SSH message: SSH_CMSG_USER (4)
    SSH0: authentication request for userid joey_ssh
    SSH(joey_ssh): user authen method is 'use AAA', aaa server group ID = 3
    SSH0: send SSH message: SSH_SMSG_FAILURE (15)
    SSH0: receive SSH message: SSH_CMSG_AUTH_PASSWORD (9)
    Resetting 192.168.168.21's numtries
    SSH0: send SSH message: SSH_SMSG_SUCCESS (14)
    SSH0: authentication successful for joey_ssh
    SSH0: receive SSH message: SSH_CMSG_MAX_PACKET_SIZE (38)
    SSH0: setting max outbound packet size 4096
    SSH0: send SSH message: SSH_SMSG_SUCCESS (14)
    SSH0: receive SSH message: SSH_CMSG_REQUEST_PTY (10)
    SSH0: send SSH message: SSH_SMSG_SUCCESS (14)
    SSH0: receive SSH message: SSH_CMSG_EXEC_SHELL (12)
    SSH0: starting exec shell
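    As an added example (not part of the original post): a Python parser that pulls the facts worth checking out of SSH debug transcripts like the two above, namely the client, the user, whether the login was handed to AAA and to which server group, how many password messages were received, and the outcome. The constructed input is a trimmed copy of the two sessions shown in the post; the function and field names are mine.

```python
"""Added example: summarise PIX SSH debug transcripts (not the post's code)."""
import re

# Patterns for the debug lines that carry the facts we care about.
CLIENT_RE = re.compile(r"SSH\d+: SSH client: IP = '(?P<ip>[\d.]+)'")
VERSION_RE = re.compile(r"client version is - (\S+)")
CIPHER_RE = re.compile(r"client requests (\S+) cipher")
USER_RE = re.compile(r"authentication request for userid (\S+)")
METHOD_RE = re.compile(
    r"user authen method is '(?P<method>[^']+)', aaa server group ID = (?P<gid>\d+)")
RESULT_RE = re.compile(r"authentication (?P<result>successful|failed) for \S+")
PASSWORD_MSG = "SSH_CMSG_AUTH_PASSWORD"


def parse_ssh_debug(text):
    """Return one summary dict per session found in the transcript."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = CLIENT_RE.search(line)
        if m:  # a new session banner starts a new summary
            cur = {"client": m["ip"], "client_version": None, "cipher": None,
                   "user": None, "method": None, "group_id": None,
                   "password_attempts": 0, "result": "incomplete"}
            sessions.append(cur)
            continue
        if cur is None:
            continue  # lines before the first session banner
        for key, rx in (("client_version", VERSION_RE),
                        ("cipher", CIPHER_RE), ("user", USER_RE)):
            m = rx.search(line)
            if m:
                cur[key] = m.group(1)
        m = METHOD_RE.search(line)
        if m:
            cur["method"], cur["group_id"] = m["method"], int(m["gid"])
        if "receive" in line and PASSWORD_MSG in line:
            cur["password_attempts"] += 1
        m = RESULT_RE.search(line)
        if m:
            cur["result"] = m["result"]
    return sessions


def review(session):
    """Observations a defender would want from one session summary."""
    notes = []
    if session["method"] == "no AAA":
        notes.append("management login was not handed to AAA; "
                     "check for 'aaa authentication ssh console <group>'")
    if session["result"] == "failed" and session["password_attempts"] > 1:
        notes.append("%d password attempts before rejection"
                     % session["password_attempts"])
    if session["client_version"] and session["client_version"].startswith("SSH-1."):
        notes.append("SSH protocol 1 negotiated (%s)" % session["client_version"])
    if session["cipher"] == "DES":
        notes.append("single-DES session cipher negotiated")
    return notes


# Constructed input: trimmed copies of the two sessions from the post.
SAMPLE_DEBUG = """\
SSH0: SSH client: IP = '192.168.168.79' interface # = 2
SSH0: client version is - SSH-1.5-SecureCRT_5.0.0 (build 930) SecureCRT
SSH0: client requests DES cipher: 2
SSH0: authentication request for userid joey_ssh
SSH(joey_ssh): user authen method is 'no AAA', aaa server group ID = 0
SSH0: invalid userid joey_ssh
SSH0: receive SSH message: SSH_CMSG_AUTH_PASSWORD (9)
SSH0: send SSH message: SSH_SMSG_FAILURE (15)
SSH0: receive SSH message: SSH_CMSG_AUTH_PASSWORD (9)
SSH0: send SSH message: SSH_SMSG_FAILURE (15)
SSH0: receive SSH message: SSH_CMSG_AUTH_PASSWORD (9)
SSH0: authentication failed for joey_ssh
SSH0: SSH client: IP = '192.168.168.79' interface # = 2
SSH0: client version is - SSH-1.5-SecureCRT_5.0.0 (build 930) SecureCRT
SSH0: client requests DES cipher: 2
SSH0: authentication request for userid joey_ssh
SSH(joey_ssh): user authen method is 'use AAA', aaa server group ID = 3
SSH0: receive SSH message: SSH_CMSG_AUTH_PASSWORD (9)
Resetting 192.168.168.21's numtries
SSH0: authentication successful for joey_ssh
"""

if __name__ == "__main__":
    for s in parse_ssh_debug(SAMPLE_DEBUG):
        print(s)
        for note in review(s):
            print("  -", note)
```

    The first session summarises to method 'no AAA' with three password messages and a failed result, the second to 'use AAA' on server group 3 with a single password message and success; review() points straight at the missing console line for the first one.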

    Grandpa

    It is now (2007-8-12) past one in the morning. I am still in the air; the flight was delayed by more than three hours. By the time I get back to Dalian it will be three o'clock, and nobody is coming to meet me. Depressing! Outside the window it is pitch black; I had thought I would be able to see the stars. I went home this time because my grandfather passed away. He was 78 this year, which counts as a long life. Where we come from, a funeral for an elder stands for a great many things. Our whole big family pulled together and gave him a very grand send-off.

    Grandpa was from Guangdong. At 17 he joined the Guangdong guerrillas (I think it was called the Dongjiang Column (东江纵队); Grandpa served under Zeng Sheng (曾生), and Grandpa's surname was also Zeng). Later he fought in the War of Liberation, and in one battle he had the misfortune of being captured by the Nationalists, who tormented him in prison for a year and a half. He was finally rescued through the Communist Party's strenuous efforts. After Liberation, Grandpa went on serving in the army. During the self-defensive counterattack against Vietnam he was the commander of a chemical platoon. In fact I only learned about these parts of Grandpa's life from his eulogy while we were arranging the funeral. When we were very small, my brother and I only knew that Grandpa had been a soldier. We were always convinced that he must have killed enemies on the battlefield, and quite certain that in his wardrobe there was a Japanese soldier's sword captured in battle. These were the things my brother and I bragged about in front of other people when we were little. Sadly, we never once talked with Grandpa about any of it. I knew nothing at all about Grandpa's life, and now that he is gone that regret can never be made up. In my memories from childhood, Grandpa was a very upright man. A few days ago, when the whole family gathered and talked about him, I came to know a Grandpa who was also endearing. After leaving the army he answered the country's call and came to impoverished Guizhou to build up a land that was foreign to him, and he left everything of the second half of his life there. Grandpa served as director of a shoe factory and of a cloth factory. In the end he was transferred to the transport management station, where the only vehicles he and his colleagues had to manage were horse carts. I still remember, when I was small, always hearing people call him Director Zeng (曾所长).

    In official matters, though, Grandpa showed no favouritism to anyone. My dad told me that once, before he had even met my mum, he was driving a horse cart into town and for some reason Grandpa stopped him and gave him a severe dressing-down. Who could have known then that he would become my grandfather? Anyone who came to Grandpa asking for favours was turned away, without exception; he would not even do it for my great-aunt.

    Grandpa never enjoyed much comfort; his whole life was just that plain and simple. He was not much of a cook, but there were a few dishes he was good at: white-cut chicken, enormous chunks of braised pork, and Hakka tofu. When we were small, Grandpa would always save the biggest drumstick for my brother and me. Later, when he could no longer cook, my younger brother and sister missed out on that treat.