SSH Access Control

Test suite for validating SSH access control options

SSH User Deny

Description

Check that denying a user works as expected. A user is denied SSH access, then an SSH connection as that user is attempted and is expected to fail. A user that has not been denied is also tested to confirm that its behavior is unchanged.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.20/24
set service ssh access-control deny user test_user
set system login user test_user authentication plaintext-password 1234

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 10.215.168.21/24
set service ssh

Step 3: Init an SSH connection from DUT1 to IP address 10.215.168.20:

admin@DUT1$ ssh test_user@10.215.168.20 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '10.215.168.20' (ED25519) to the list of known hosts.
test_user@10.215.168.20's password:

Step 4: Init an SSH connection from DUT1 to IP address 10.215.168.20:

admin@DUT1$ ssh admin@10.215.168.20 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '10.215.168.20' (ED25519) to the list of known hosts.
admin@10.215.168.20's password:
Welcome to Teldat OSDx v3.8.1.7-beta3

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Thu Nov 23 23:11:32 2023 from 10.215.168.21
admin@osdx$

SSH User Allow

Description

Check that allowing a user lets only that user connect to the device. A user is allowed SSH access, then an SSH connection as that user is attempted and is expected to succeed. A user that has not been allowed is also tested to confirm that it is denied.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.20/24
set service ssh access-control allow user admin
set system login user test_user authentication plaintext-password 1234

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 10.215.168.21/24
set service ssh

Step 3: Init an SSH connection from DUT1 to IP address 10.215.168.20:

admin@DUT1$ ssh test_user@10.215.168.20 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '10.215.168.20' (ED25519) to the list of known hosts.
test_user@10.215.168.20's password:

Step 4: Init an SSH connection from DUT1 to IP address 10.215.168.20:

admin@DUT1$ ssh admin@10.215.168.20 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '10.215.168.20' (ED25519) to the list of known hosts.
admin@10.215.168.20's password:
Welcome to Teldat OSDx v3.8.1.7-beta3

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Thu Nov 23 23:12:22 2023 from 10.215.168.21
admin@osdx$

SSH Role Deny

Description

Check that denying a role works as expected. A user and a role are created, and the role is assigned to the user. The role is then denied and an SSH connection as that user is attempted, expecting a failure. The admin user is also tried to ensure that users whose role has not been denied can still access the router.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.20/24
set service ssh access-control deny role test_role
set system login role test_role level 14
set system login user test_user role test_role
set system login user test_user authentication plaintext-password 1234

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 10.215.168.21/24
set service ssh

Step 3: Init an SSH connection from DUT1 to IP address 10.215.168.20:

admin@DUT1$ ssh test_user@10.215.168.20 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '10.215.168.20' (ED25519) to the list of known hosts.
test_user@10.215.168.20's password:

Step 4: Init an SSH connection from DUT1 to IP address 10.215.168.20:

admin@DUT1$ ssh admin@10.215.168.20 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '10.215.168.20' (ED25519) to the list of known hosts.
admin@10.215.168.20's password:
Welcome to Teldat OSDx v3.8.1.7-beta3

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Thu Nov 23 23:12:49 2023 from 10.215.168.21
admin@osdx$

SSH Role Allow

Description

Check that allowing a role works as expected. Two users and two roles are created, and each role is assigned to one of the users. One role is then allowed and an SSH connection as the user holding that role is attempted, expecting success. The other user, whose role is not allowed, is also tried and is expected to fail, confirming the deny-by-default behavior once an allow rule is set.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.20/24
set service ssh access-control allow role test_role
set system login role test_role level 14
set system login user test_user role test_role
set system login user test_user authentication plaintext-password 1234
set system login role test_role2 level 13
set system login user test_user2 role test_role2
set system login user test_user2 authentication plaintext-password 1234

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 10.215.168.21/24
set service ssh

Step 3: Init an SSH connection from DUT1 to IP address 10.215.168.20:

admin@DUT1$ ssh test_user@10.215.168.20 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '10.215.168.20' (ED25519) to the list of known hosts.
test_user@10.215.168.20's password:
Welcome to Teldat OSDx v3.8.1.7-beta3

This system includes free software.
Contact Teldat for licenses information and source code.

test_user@osdx$

Step 4: Init an SSH connection from DUT1 to IP address 10.215.168.20:

admin@DUT1$ ssh test_user2@10.215.168.20 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '10.215.168.20' (ED25519) to the list of known hosts.
test_user2@10.215.168.20's password:

SSH Validate Role Configuration

Description

Check that the same role can not be allowed and denied at the same time.

Scenario

Step 1: Expect a failure in the following command: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.20/24
set system login role testrole1 level 13
set system login user test_user authentication plaintext-password test_pass
set system login user test_user role testrole1
set service ssh access-control allow role testrole1
set service ssh access-control deny role testrole1

SSH Validate User Configuration

Description

Check that the same user can not be allowed and denied at the same time.

Scenario

Step 1: Expect a failure in the following command: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.20/24
set system login user test_user authentication plaintext-password test_pass
set service ssh access-control allow user test_user
set service ssh access-control deny user test_user
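The five scenarios above, modelled as one small policy evaluator. This is an added example, not code from OSDx or its test suite: it parses the `set` lines the scenarios use, rejects a configuration that both allows and denies the same user or role, and applies the documented semantics (deny lists always win; once any allow rule exists, everyone not allowed is denied). The assumption that allow-user and allow-role rules combine as "any match permits" is mine; the page does not cover that mix.

```python
import re
from dataclasses import dataclass, field

# OSDx-style configuration lines used by the scenarios on this page.
SET_ACL = re.compile(r"^set service ssh access-control (allow|deny) (user|role) (\S+)$")
SET_USER_ROLE = re.compile(r"^set system login user (\S+) role (\S+)$")


@dataclass
class SshAcl:
    allow: dict = field(default_factory=lambda: {"user": set(), "role": set()})
    deny: dict = field(default_factory=lambda: {"user": set(), "role": set()})
    user_role: dict = field(default_factory=dict)  # user -> assigned role


def parse_config(lines):
    """Build an SshAcl from 'set ...' lines; unrelated lines are ignored."""
    acl = SshAcl()
    for line in lines:
        line = line.strip()
        m = SET_ACL.match(line)
        if m:
            action, kind, name = m.groups()
            getattr(acl, action)[kind].add(name)
            continue
        m = SET_USER_ROLE.match(line)
        if m:
            user, role = m.groups()
            acl.user_role[user] = role
    return acl


def validate(acl):
    """Names that are both allowed and denied; an empty list means the commit is valid."""
    conflicts = []
    for kind in ("user", "role"):
        for name in sorted(acl.allow[kind] & acl.deny[kind]):
            conflicts.append(f"{kind} {name}")
    return conflicts


def ssh_permitted(acl, user):
    """Decide whether `user` may log in over SSH under the rules the scenarios document."""
    role = acl.user_role.get(user)
    # A deny rule on the user or on the user's role always wins.
    if user in acl.deny["user"] or role in acl.deny["role"]:
        return False
    # Once any allow rule exists, access is deny-by-default (assumed: any allow match permits).
    if acl.allow["user"] or acl.allow["role"]:
        return user in acl.allow["user"] or role in acl.allow["role"]
    return True
```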