
4-31
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0
78-16527-01
Chapter 4 Initial Configuration Tasks
Configuring SSH
• Manipulation of data by those in control of intermediate hosts.
• Attacks based on listening to X authentication data and spoofed connection to the X11 server.
SSH never sends passwords in clear text.
Adding Hosts to the Known Hosts List
You must add hosts to the SSH known hosts list so that the sensor can recognize the hosts that it can
communicate with through SSH. These hosts are SSH servers that the sensor needs to connect to for
upgrades and file copying, and other hosts, such as Cisco routers, PIX Firewalls, and Catalyst switches
that the sensor will connect to for blocking.
Use the ssh host-key ip-address [key-modulus-length public-exponent public-modulus] command to add an entry to the known hosts list. If you do not know the values for the modulus, exponent, and length, the system displays the MD5 fingerprint and bubble babble for the requested IP address. You can then choose whether to add the key to the list.
Caution When you use the ssh host-key ip-address command, the SSH server at the specified IP address is contacted to obtain the required key over the network. The specified host must be accessible at the moment the command is issued. If the host is unreachable, you must use the full form of the command, ssh host-key ip-address [key-modulus-length public-exponent public-modulus], to confirm the fingerprint of the key displayed to protect yourself from accepting an attacker's key.
Note To modify a key for an IP address, the entry must be removed and recreated. Use the no form of the command to remove the entry.
To add a host to the SSH known hosts list, follow these steps:
Step 1 Log in to the CLI using an account with administrator or operator privileges.
Step 2 Enter configuration mode:
sensor# configure terminal
Step 3 Add an entry to the known hosts list:
sensor(config)# ssh host-key 10.16.0.0
The MD5 fingerprint appears. You are prompted to add it to the known hosts list:
MD5 fingerprint is F3:10:3E:BA:1E:AB:88:F8:F5:56:D3:A6:63:42:1C:11
Bubble Babble is xucis-hehon-kizog-nedeg-zunom-kolyn-syzec-zasyk-symuf-rykum-sexyx
Would you like to add this to the known hosts table for this host?[yes]
If the host is not accessible when the command is issued, the following message appears:
Error: getHostSshKey : socket connect failed [4,111]
Step 4 Type yes to have the fingerprint added to the known hosts list.
Step 5 Verify that the host was added:
sensor(config)# exit
sensor# show ssh host-keys
10.89.146.110
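The check the Caution and Note above describe, worked through as an added example (this is not the sensor's code and does not appear in the guide): compute an RSA host key's MD5 fingerprint from the modulus and exponent the full form of the command takes, refuse to store the key unless that fingerprint matches the value the operator confirmed out of band, and refuse to overwrite an existing entry until it has been removed. It assumes the fingerprint is MD5 over modulus || exponent (the SSH protocol version 1 convention OpenSSH uses for RSA1 keys; the guide does not say how the sensor derives it), and the KnownHosts class, the demo function and the two key values are constructed for illustration.

```python
"""Added example: checking an SSH host key fingerprint before adding the host
to a known-hosts table. Not the sensor's own code; the key values are constructed."""
import hashlib
from dataclasses import dataclass


def _int_to_bytes(value: int) -> bytes:
    """Minimal big-endian encoding of a positive integer (no leading zero bytes)."""
    if value <= 0:
        raise ValueError("RSA parameters must be positive integers")
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


def md5_fingerprint(public_modulus: int, public_exponent: int) -> str:
    """Colon-separated MD5 fingerprint of an RSA host key.

    Assumption: the digest covers modulus || exponent, the SSH protocol version 1
    convention OpenSSH uses for RSA1 keys. The guide does not state how the
    sensor derives its fingerprint, so treat this as illustrative.
    """
    blob = _int_to_bytes(public_modulus) + _int_to_bytes(public_exponent)
    digest = hashlib.md5(blob).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


@dataclass(frozen=True)
class HostKey:
    """The three values the full form of `ssh host-key` takes."""
    key_modulus_length: int   # modulus size in bits
    public_exponent: int
    public_modulus: int


class KnownHosts:
    """Hypothetical known-hosts table with the two rules the guide describes:
    a key is stored only when its fingerprint matches the value the operator
    confirmed, and an existing entry must be removed before the address can
    be given a different key."""

    def __init__(self) -> None:
        self._hosts = {}  # ip address -> HostKey

    def add(self, ip_address: str, key: HostKey, expected_fingerprint: str) -> str:
        if ip_address in self._hosts:
            raise KeyError(f"{ip_address} already has a key; remove it first")
        if key.public_modulus.bit_length() != key.key_modulus_length:
            raise ValueError("modulus length does not match the supplied modulus")
        actual = md5_fingerprint(key.public_modulus, key.public_exponent)
        if actual != expected_fingerprint.upper():
            # An unexpected fingerprint means this is not the key we were told
            # to expect; never accept it just because the host answered.
            raise ValueError(f"fingerprint mismatch for {ip_address}: got {actual}")
        self._hosts[ip_address] = key
        return actual

    def remove(self, ip_address: str) -> None:
        del self._hosts[ip_address]

    def show(self) -> list:
        return sorted(self._hosts)


# Constructed sample keys: 64-bit odd values standing in for real RSA moduli
# (the fingerprint does not care whether the number is a product of two primes).
SAMPLE_KEY = HostKey(64, 65537, 0xC6A5F3D9E1B7A3F5)
OTHER_KEY = HostKey(64, 65537, 0xC6A5F3D9E1B7A3F7)


def demo() -> dict:
    """Walk through add, refused overwrite, removal, and refused mismatch."""
    table = KnownHosts()
    expected = md5_fingerprint(SAMPLE_KEY.public_modulus, SAMPLE_KEY.public_exponent)
    results = {"added": table.add("10.16.0.0", SAMPLE_KEY, expected) == expected}
    try:  # a second key for the same address is refused until the entry is removed
        table.add("10.16.0.0", OTHER_KEY, expected)
        results["overwrite_refused"] = False
    except KeyError:
        results["overwrite_refused"] = True
    table.remove("10.16.0.0")
    try:  # a key whose fingerprint differs from the confirmed one is refused
        table.add("10.16.0.0", OTHER_KEY, expected)
        results["mismatch_refused"] = False
    except ValueError:
        results["mismatch_refused"] = True
    results["hosts"] = table.show()
    return results


if __name__ == "__main__":
    print(demo())
```

The value passed as expected_fingerprint is the one obtained through a channel other than the SSH connection itself (for example, read from the device console); comparing against a fingerprint fetched over the same network path that an interposed host could control would give no assurance.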