Ssh Mac

Test suite for validating SSH access control options

SSH Connection Specific MAC

Description

Sets the SSH service to only accept a single HMAC (HMAC-SHA2-512) and checks that a client can connect to the remote server using that MAC. Later, checks that using a different MAC does indeed fail.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.20/24
set service ssh mac hmac-sha2-512
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 10.215.168.21/24
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Ping IP address 10.215.168.20 from DUT1:

admin@DUT1$ ping 10.215.168.20 count 1 size 56 timeout 1
Show output
PING 10.215.168.20 (10.215.168.20) 56(84) bytes of data.
64 bytes from 10.215.168.20: icmp_seq=1 ttl=64 time=0.280 ms

--- 10.215.168.20 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.280/0.280/0.280/0.000 ms

Step 4: Init an SSH connection from DUT1 to IP address 10.215.168.20 with the user admin:

admin@DUT1$ ssh admin@10.215.168.20 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null cipher aes256-ctr mac hmac-sha2-512
Show output
Warning: Permanently added '10.215.168.20' (ECDSA) to the list of known hosts.
admin@10.215.168.20's password:
Welcome to Teldat OSDx v4.2.1.0

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Mon Oct  7 12:04:44 2024 from 10.215.168.21
admin@osdx$

Step 5: Init an SSH connection from DUT1 to IP address 10.215.168.20 with the user admin:

admin@DUT1$ ssh admin@10.215.168.20 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null cipher aes256-ctr mac hmac-md5

SSH Connection Multiple MACs

Description

Sets the SSH service to accept multiple HMACs (HMAC-SHA2-512 and HMAC-SHA1) and checks that a client can connect to the remote server using those MACs. Later on, checks that using a different MAC does indeed fail.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.20/24
set service ssh mac hmac-sha1,hmac-sha2-512
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 10.215.168.21/24
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Ping IP address 10.215.168.20 from DUT1:

admin@DUT1$ ping 10.215.168.20 count 1 size 56 timeout 1
Show output
PING 10.215.168.20 (10.215.168.20) 56(84) bytes of data.
64 bytes from 10.215.168.20: icmp_seq=1 ttl=64 time=0.366 ms

--- 10.215.168.20 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.366/0.366/0.366/0.000 ms

Step 4: Init an SSH connection from DUT1 to IP address 10.215.168.20 with the user admin:

admin@DUT1$ ssh admin@10.215.168.20 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null cipher aes256-ctr mac hmac-sha2-512
Show output
Warning: Permanently added '10.215.168.20' (ECDSA) to the list of known hosts.
admin@10.215.168.20's password:
Welcome to Teldat OSDx v4.2.1.0

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Mon Oct  7 12:05:10 2024 from 10.215.168.21
admin@osdx$

Step 5: Init an SSH connection from DUT1 to IP address 10.215.168.20 with the user admin:

admin@DUT1$ ssh admin@10.215.168.20 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null cipher aes256-ctr mac hmac-sha1
Show output
Warning: Permanently added '10.215.168.20' (ECDSA) to the list of known hosts.
admin@10.215.168.20's password:
Welcome to Teldat OSDx v4.2.1.0

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Mon Oct  7 12:05:37 2024 from 10.215.168.21
admin@osdx$

Step 6: Init an SSH connection from DUT1 to IP address 10.215.168.20 with the user admin:

admin@DUT1$ ssh admin@10.215.168.20 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null cipher aes256-ctr mac hmac-md5