===
SSH
===

.. sidebar:: Contents

   .. contents::
      :depth: 3
      :local:

This chapter covers the :osdx:cfg:`service ssh` tool, which configures the **Secure SHell (SSH)** service in OSDx.

SSH is a remote administration protocol: once a user has authenticated, it gives them an encrypted session on the remote device from which the device can be controlled and its configuration modified. Devices can therefore be managed from a shell over the network, without a direct connection to their console.

The SSH protocol is used by several OSDx services and tools; the main options are described below.

Configuration
=============

SSH has several options that you can customize. The main components are:

* ``AAA``: lets OSDx control who has access to the network resources and what they are allowed to use.
* ``Access-control``: lets OSDx control which users or roles may connect to the device.
* ``Cryptographic options``: three cryptographic mechanisms (cipher, key exchange and MAC) whose accepted algorithms you can restrict.
* ``Match``: applies a specific configuration to a user, group, host or address.

AAA
---

AAA is a security framework for controlling who has access to network resources. It has three main components:

* ``Authentication``: the process of identifying a user.
* ``Authorization``: the process of determining what the user is allowed to do with the resources.
* ``Accounting``: the logging of all actions performed while authenticated.

This is the syntax to configure the behaviour of :osdx:cfg:`service ssh aaa` in OSDx:

.. code-block:: none

   set service ssh aaa

.. note::

   The SSH service supports only two of the three components: authentication and accounting.

The AAA chapter of this documentation describes this security framework in more detail.

Access-control
--------------

This tool allows you to control who has access to the device.
OSDx identifies users by name or by role, so you can configure the device to allow or deny connections from a specific user or role.

This is the syntax to configure the behaviour of :osdx:cfg:`service ssh access-control` in OSDx:

.. code-block:: none

   set service ssh access-control

Cryptographic options
---------------------

OSDx lets you choose which algorithms are accepted for each of the mechanisms below. This is useful where security is critical and you only want to allow connections negotiated with specific algorithms: an algorithm that is not in the configured list cannot be negotiated, whatever the connecting client prefers.

The SSH service uses these options for three mechanisms:

* ``Cipher``: only allows SSH connections that use one of the listed symmetric cipher algorithms.
* ``Key-Exchange``: only allows SSH connections that use one of the listed key exchange algorithms.
* ``MAC``: only allows SSH connections that use one of the listed message authentication code (HMAC) algorithms.

This is the syntax to configure the behaviour of :osdx:cfg:`service ssh cipher *` in OSDx:

.. code-block:: none

   set service ssh cipher

This is the syntax to configure the behaviour of :osdx:cfg:`service ssh key-exchange *` in OSDx:

.. code-block:: none

   set service ssh key-exchange

This is the syntax to configure the behaviour of :osdx:cfg:`service ssh mac *` in OSDx:

.. code-block:: none

   set service ssh mac

.. tip::

   To allow several algorithms at once, give them as a comma-separated list::

      set service ssh cipher ,,,...
      set service ssh key-exchange ,,,...
      set service ssh mac ,,,...

Match
-----

This option lets OSDx apply different SSH settings to different users, roles, hosts or addresses. It is useful, for example, to let certain users authenticate with a public key instead of a password. You can also use it to give certain users a different log level, so that they see more or fewer log messages.
This is the syntax to configure the behaviour of :osdx:cfg:`service ssh match` in OSDx:

.. code-block:: none

   set service ssh match
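The cipher, key-exchange and MAC lists in the cryptographic options section restrict what a peer can negotiate, and the Python script below, added here as an example (it is not OSDx code and not part of the original page), shows that negotiation at the protocol level. Each SSH peer advertises its algorithm name-lists in an ``SSH_MSG_KEXINIT`` message (RFC 4253 section 7.1) and the first algorithm in the client's list that the server also lists wins, so anything left in the server's lists stays negotiable. The script builds and parses ``KEXINIT``, audits a server's offer against an assumed hardened profile (``POLICY`` is an example policy, not the OSDx default algorithm set), and includes a ``probe()`` helper that fetches a live server's ``KEXINIT``; the sample server offer is constructed inline.

```python
"""Build, parse and audit SSH_MSG_KEXINIT (RFC 4253 section 7.1).

Added example, not OSDx code. POLICY is an assumed hardened profile used by
audit(); it is not the OSDx default algorithm set.
"""
import os
import socket
import struct

SSH_MSG_KEXINIT = 20

# Assumed policy: the only algorithms the hardened server should advertise.
POLICY = {
    "kex": ["curve25519-sha256", "curve25519-sha256@libssh.org"],
    "cipher": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
    "mac": ["hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com"],
}

# Order of the name-lists inside KEXINIT, after the 16-byte cookie.
FIELDS = ("kex", "hostkey", "cipher_c2s", "cipher_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def encode_name_list(names):
    """RFC 4251 name-list: uint32 length followed by comma-separated ASCII names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def decode_name_list(buf, off):
    (length,) = struct.unpack_from(">I", buf, off)
    off += 4
    raw = buf[off:off + length].decode("ascii")
    return [n for n in raw.split(",") if n], off + length


def build_kexinit(kex, hostkey, ciphers, macs, cookie=None):
    """KEXINIT payload advertising the same cipher/MAC lists in both directions."""
    payload = bytes([SSH_MSG_KEXINIT]) + (cookie if cookie is not None else os.urandom(16))
    for lst in (kex, hostkey, ciphers, ciphers, macs, macs, ["none"], ["none"], [], []):
        payload += encode_name_list(lst)
    return payload + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved


def parse_kexinit(payload):
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    out, off = {}, 17  # skip message type byte and 16-byte cookie
    for name in FIELDS:
        out[name], off = decode_name_list(payload, off)
    out["first_kex_packet_follows"] = bool(payload[off])
    return out


def wrap_packet(payload, block=8):
    """Binary packet (RFC 4253 section 6): padding >= 4 bytes, total a multiple of block."""
    pad = block - (5 + len(payload)) % block
    if pad < 4:
        pad += block
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + os.urandom(pad)


def unwrap_packet(data):
    length, pad = struct.unpack_from(">IB", data, 0)
    return data[5:4 + length - pad]


def negotiate(client_list, server_list):
    """RFC 4253 section 7.1: the first client algorithm that the server also lists."""
    return next((n for n in client_list if n in server_list), None)


def audit(kexinit, policy=POLICY):
    """Algorithms the server advertises that the policy does not allow (still negotiable)."""
    offered = {"kex": kexinit["kex"], "cipher": kexinit["cipher_c2s"], "mac": kexinit["mac_c2s"]}
    return {k: sorted(set(offered[k]) - set(policy[k])) for k in policy}


def probe(host, port=22, timeout=5.0):
    """Fetch a live server's KEXINIT (needs network access; not exercised offline)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        while True:  # servers may send free-form lines before the version banner
            line = f.readline()
            if not line or line.startswith(b"SSH-"):
                break
        sock.sendall(b"SSH-2.0-kexaudit_example\r\n")
        head = f.read(5)
        length, _ = struct.unpack(">IB", head)
        return parse_kexinit(unwrap_packet(head + f.read(length - 1)))


# Constructed sample: a server that still advertises legacy algorithms.
SAMPLE_SERVER_KEXINIT = build_kexinit(
    kex=["curve25519-sha256", "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    hostkey=["ssh-ed25519", "rsa-sha2-512"],
    ciphers=["aes256-gcm@openssh.com", "aes128-ctr", "3des-cbc"],
    macs=["hmac-sha2-256-etm@openssh.com", "hmac-sha1", "hmac-md5"],
    cookie=bytes(16),
)

if __name__ == "__main__":
    offer = parse_kexinit(unwrap_packet(wrap_packet(SAMPLE_SERVER_KEXINIT)))
    for kind, extra in audit(offer).items():
        print(f"{kind}: negotiable outside policy -> {extra or 'none'}")
    # A client preferring 3des-cbc gets it from the sample server ...
    print(negotiate(["3des-cbc", "aes256-gcm@openssh.com"], offer["cipher_c2s"]))
    # ... but not from a server restricted to the policy list.
    print(negotiate(["3des-cbc", "aes256-gcm@openssh.com"], POLICY["cipher"]))
```

Run ``probe()`` against the device after restricting the lists: anything ``audit()`` reports is still negotiable, so the configuration is not yet doing what you intended. One caveat when building the lists: when an AEAD cipher such as ``aes256-gcm@openssh.com`` or ``chacha20-poly1305@openssh.com`` is negotiated, integrity comes from the cipher itself and the negotiated MAC algorithm is not used, so the MAC list only matters for the non-AEAD ciphers you keep.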