How-To: Handle "Accept and Acknowledge" Logins to PaloAlto Firewalls (or similar)

[jdev]

Is this you?

• "My PaloAlto firewall has the 'Accept and Acknowledge' statement enabled..."
• "My firewall requires admin to acknowledge a warning..."

Question:
How do you configure SecureCRT to handle such an "accept and acknowledge" interaction?

Answer:
Use the Keyboard-Interactive authentication method.

When a device requires that a user connecting via SSH "accept and acknowledge" something with a y/n or yes/no reply, such interaction typically requires the "Keyboard-Interactive" authentication method.

Here's how you configure SecureCRT to utilize the Keyboard-Interactive authentication method even if a remote host still offers support for other authentication methods (like password, publickey, etc.):

1. Make sure you're disconnected
2. Open Session Options (Options > Session Options)
3. Browse to the SSH2 category
4. Make sure the Keyboard-Interactive authentication method is enabled
5. Move the Keyboard-Interactive method to the top of the list
6. Press the [OK] button to save your changes

If you need to make this change of auth-order preference to more than one session:

• Consider using the Default session to make the change and apply that change to all of your existing sessions when prompted.
  Or...
  
• If you only want to make changes to a list of sessions contained within a folder in SecureCRT's Session Manager, right-click that folder and choose Properties and you'll be able to edit the properties of all saved sessions in that specific folder at once (the options for the first session in that sub-folder will be displayed).
  Or...
  
• If you only want to make the changes to two or three sessions, use Ctrl+click to select those sessions in SecureCRT's Session Manager, right-click them and choose Properties.

Additional Tip:
If you desire to automate the response, consider this approach:

• In Session Options' Logon Actions category, enable the Display logon prompts in terminal window option
• Enable the Automate logon option
• Disable the Send initial carriage return option
• Delete the default "Login:" and "Password:" Expect/Send entries listed initially, and replace them with your own "Expect" text (what are the last few words/chars of the prompt you see from the remote system?) and "Send" text (what would you normally type in as a reply in order to move forward?)

--Jake