Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 38 Configuring AAA Servers and the Local Database
Configuring AAA
Step 7 (Optional) Check the Authentication Enable check box to prevent users from modifying their own user
account. If authentication is enabled, users cannot change their own password or delete their own
account with the username command or with the clear configure username command.
Step 8 To reset the password policy to the default ASA policy value, click Reset to Default.
Step 9 Click Apply to save the configuration settings.
Changing User Passwords
The ASA enables administrators with the necessary privileges to modify passwords for users in the
current context. Users must authenticate with their current passwords before they are allowed to change
passwords. However, authentication is not required when an administrator is changing a user password.
To enable users to change their own account passwords, perform the following steps:
Step 1 In the ASDM main application window, choose Configuration > Device Management > Users/AAA >
Change Password.
Step 2 Enter your old password.
Step 3 Enter your new password.
Step 4 Confirm your new password.
Step 5 Click Make Change.
Step 6 Click the Save icon to save your changes to the running configuration.
Authenticating Users with a Public Key for SSH
Users can authenticate with a public key for SSH. The public key can be hashed or not hashed.
To authenticate with a public key for SSH, perform the following steps:
Step 1 In the ASDM main application window, choose Configuration > Device Management > Users/AAA >
User Accounts.
Step 2 Select a user from the list, then click Edit.
The Edit User Account dialog box appears.
Step 3 Click Public Key Authentication in the navigation pane.
Step 4 If you want to hash the public key, check the Key is hashed check box. To leave the public key
unhashed, leave this check box unchecked.
If the public key is hashed, the value of the public key must have been previously hashed with SHA-256
and be 32 bytes long, with each byte separated by a colon (for parsing purposes).
If the public key is not hashed, the value of the key must be a Base 64 encoded public key that is
generated by SSH key generation software that can generate SSH-RSA raw keys (that is, with no
certificates). After you submit the Base 64 encoded public key, that key is then hashed via SHA-256 and
the corresponding 32-byte hash is used for all further comparisons.
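The two accepted value formats can be checked before anything is pasted into ASDM. The following Python sketch is an added example, not part of the Cisco guide: it validates that a Base 64 value decodes to a raw SSH-RSA key blob, derives the colon-separated SHA-256 form, and checks the shape of an already hashed value. It assumes the hash is computed over the decoded key blob, as in standard SSH fingerprints; the function names and the sample blob are constructed for illustration.

```python
import base64
import binascii
import hashlib
import re
import struct

# 32 bytes as two-digit hex values separated by colons.
HASHED_RE = re.compile(r"[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){31}")

def key_type(blob: bytes) -> str:
    """Read the algorithm name from the first length-prefixed field of the blob."""
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if n == 0 or 4 + n > len(blob):
        raise ValueError("bad length prefix in key blob")
    return blob[4:4 + n].decode("ascii", "replace")

def hash_public_key(b64_key: str) -> str:
    """Return the colon-separated SHA-256 of a Base64 raw SSH-RSA public key."""
    try:
        blob = base64.b64decode(b64_key, validate=True)
    except binascii.Error as exc:
        raise ValueError("value is not valid Base64") from exc
    if key_type(blob) != "ssh-rsa":
        raise ValueError("not a raw SSH-RSA key")
    # Assumption: the digest covers the decoded key blob.
    return ":".join(f"{b:02x}" for b in hashlib.sha256(blob).digest())

def is_valid_hashed_value(value: str) -> bool:
    """Check the shape required when 'Key is hashed' is selected."""
    return HASHED_RE.fullmatch(value.strip()) is not None

def sample_key_b64(algo: bytes = b"ssh-rsa") -> str:
    """Constructed sample blob (not a usable key): name, exponent, modulus."""
    fields = [algo, b"\x01\x00\x01", b"\x00" + b"\xc5" * 256]
    blob = b"".join(struct.pack(">I", len(f)) + f for f in fields)
    return base64.b64encode(blob).decode("ascii")

if __name__ == "__main__":
    hashed = hash_public_key(sample_key_b64())
    print(hashed, is_valid_hashed_value(hashed))
```

Comparing the derived value with the hash stored for the user is a quick way to confirm which key an account actually trusts.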