Restrict SSH access on Cisco ASA
Did you know that if you add a user to the local database on an ASA and have the “aaa authentication ssh console LOCAL” command configured, your users will have full access to the ASA? Not only do they have VPN access, they also have full config t access to the box. You may be saying they don’t, because they don’t have the enable password. That’s not true: if they issue the “login” command and authenticate again, they have full access. To fix this security issue you will need to make sure you are on version 8 of the ASA code.
Issue this command:
aaa authorization exec authentication-server
Then go into the attributes of the user (for the test I will use a user named test):
username test attributes
Now the user only has VPN access and no management access to the ASA. This means he can no longer SSH into the box.
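The complete configuration the post walks through, as an added example rather than the author’s own config. The hostnames, usernames, passwords and the 192.0.2.0/24 management subnet are placeholders. The “service-type remote-access” line is the attribute that actually restricts the user to VPN; it is a standard ASA username attribute and is assumed to be what the post sets under “username test attributes”:

```cisco
! Added example configuration (not from the original post).
! Placeholders: usernames, passwords, 192.0.2.0/24 management subnet.

! SSH logins are checked against the local user database
aaa authentication ssh console LOCAL

! Enforce each user's service-type on management sessions (ASA 8.0(2) and later)
aaa authorization exec authentication-server

! VPN-only user: may authenticate for remote access but cannot open
! an SSH, ASDM or console management session
username test password ChangeMe-PLACEHOLDER
username test attributes
 service-type remote-access

! Administrator who keeps full management access
username admin password ChangeMe-PLACEHOLDER privilege 15
username admin attributes
 service-type admin

! Limit where SSH connections may come from in the first place
ssh 192.0.2.0 255.255.255.0 inside
ssh timeout 10

! Verify the attribute took effect
show running-config username test
```

The caveat to keep in mind is that service-type defaults to admin, so turning on exec authorization by itself does not lock anyone out; every VPN-only account needs the remote-access attribute set explicitly, and the check with “show running-config username” confirms which accounts still lack it.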