Match Role Disable-Password-Authentication
SSH connection test with match role disable-password-authentication configuration. Tests that SSH server correctly blocks password authentication only for users with admin role while allowing it for monitor and operator roles.
SSH Match Role Admin Disable Password Auth
Description
Test SSH match role with disable-password-authentication for admin role only.
Admin user should fail to connect, while monitor and operator users should succeed.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.20/24
set service ssh match role admin disable-password-authentication
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system login user testadmin authentication encrypted-password '$6$oCDu7byFTk0CTB7c$39JvcfHS2mEWduX.YiOn1xNWidh..cfytnr1fRLlyFGgATDNthUsW7K.8dtnItA1CDrbc.O7a8c05YUkuFm.o.'
set system login user testadmin role admin
set system login user testmonitor authentication encrypted-password '$6$zYaZXeU4vlnesLmS$d3vPWPVkAKe0KyXiB47Cv3WeGDmGRBDhsKOzizeaPlfrY.VZrtfCxckBooGQTCYOUdxq0bADZjZUFdeJtmSNx1'
set system login user testmonitor role monitor
set system login user testoperator authentication encrypted-password '$6$EJOfUy8p2JIKblZO$UKOTgQJu0fuNR.iMmQqxIc5nhB5dtEr5TMn7xP8/k0n7uCrH3qw/uQle6gWD9.a5DIWZ6qQEE5VC3mIWJ3cgH.'
set system login user testoperator role operator
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 10.215.168.21/24
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping the IP address 10.215.168.20 from DUT1:
admin@DUT1$ ping 10.215.168.20 count 1 size 56 timeout 1
PING 10.215.168.20 (10.215.168.20) 56(84) bytes of data.
64 bytes from 10.215.168.20: icmp_seq=1 ttl=64 time=0.621 ms
--- 10.215.168.20 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.621/0.621/0.621/0.000 ms
Step 4: Initiate an SSH connection from DUT1 to IP address 10.215.168.20 using user testmonitor:
admin@DUT1$ ssh testmonitor@10.215.168.20 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '10.215.168.20' (ECDSA) to the list of known hosts.
testmonitor@10.215.168.20's password:
Welcome to Teldat OSDx v4.2.10.0
This system includes free software.
Contact Teldat for licenses information and source code.
testmonitor@osdx$
Step 5: Initiate an SSH connection from DUT1 to IP address 10.215.168.20 using user testoperator:
admin@DUT1$ ssh testoperator@10.215.168.20 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '10.215.168.20' (ECDSA) to the list of known hosts.
testoperator@10.215.168.20's password:
Welcome to Teldat OSDx v4.2.10.0
This system includes free software.
Contact Teldat for licenses information and source code.
testoperator@osdx$
Step 6: Initiate an SSH connection from DUT1 to IP address 10.215.168.20 using user testadmin which is expected to fail:
admin@DUT1$ ssh testadmin@10.215.168.20 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '10.215.168.20' (ECDSA) to the list of known hosts.
testadmin@10.215.168.20: Permission denied (publickey).
CLI Error: Invalid token [option]
CLI Error: Command error
admin@osdx$
SSH Match Role Monitor Disable Password Auth
Description
Test SSH match role with disable-password-authentication for monitor role only.
Monitor user should fail to connect, while admin and operator users should succeed.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.20/24
set service ssh match role monitor disable-password-authentication
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system login user testadmin authentication encrypted-password '$6$YZcY712f7XeKGGnO$oP4lwP71DWfm1cl3w8muvIAbzhImIoE/hQozhBFtUxoadnLQOlUg6sB57r78u10kv4NEGx0EcyNI8lg5dtj950'
set system login user testadmin role admin
set system login user testmonitor authentication encrypted-password '$6$pdxcYVJn9SLbymUb$g/82vEBP9Zo9cpu1DVCYNE9GCfj8YYG4Un1WD34hpd0f15wA8LoutX9Tz9vV6oZBIjhNKvy9o7GHgQlO4XWaz1'
set system login user testmonitor role monitor
set system login user testoperator authentication encrypted-password '$6$Bs5PSmxT7duE4uIu$RO/By9d/P2CCDuDiKga6V7GY8h3k3Nt6oQJ5Yb6AgYCGLHcjs/2Yw.0UfTxIPXiV0Ln38WKjGDtrjB8sqbGRl1'
set system login user testoperator role operator
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 10.215.168.21/24
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping the IP address 10.215.168.20 from DUT1:
admin@DUT1$ ping 10.215.168.20 count 1 size 56 timeout 1
PING 10.215.168.20 (10.215.168.20) 56(84) bytes of data.
64 bytes from 10.215.168.20: icmp_seq=1 ttl=64 time=0.587 ms
--- 10.215.168.20 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.587/0.587/0.587/0.000 ms
Step 4: Initiate an SSH connection from DUT1 to IP address 10.215.168.20 using user testadmin:
admin@DUT1$ ssh testadmin@10.215.168.20 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '10.215.168.20' (ECDSA) to the list of known hosts.
testadmin@10.215.168.20's password:
Welcome to Teldat OSDx v4.2.10.0
This system includes free software.
Contact Teldat for licenses information and source code.
testadmin@osdx$
Step 5: Initiate an SSH connection from DUT1 to IP address 10.215.168.20 using user testoperator:
admin@DUT1$ ssh testoperator@10.215.168.20 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '10.215.168.20' (ECDSA) to the list of known hosts.
testoperator@10.215.168.20's password:
Welcome to Teldat OSDx v4.2.10.0
This system includes free software.
Contact Teldat for licenses information and source code.
testoperator@osdx$
Step 6: Initiate an SSH connection from DUT1 to IP address 10.215.168.20 using user testmonitor which is expected to fail:
admin@DUT1$ ssh testmonitor@10.215.168.20 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '10.215.168.20' (ECDSA) to the list of known hosts.
testmonitor@10.215.168.20: Permission denied (publickey).
CLI Error: Invalid token [option]
CLI Error: Command error
admin@osdx$
SSH Match Role Operator Disable Password Auth
Description
Test SSH match role with disable-password-authentication for operator role only.
Operator user should fail to connect, while admin and monitor users should succeed.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.20/24
set service ssh match role operator disable-password-authentication
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system login user testadmin authentication encrypted-password '$6$WFMvUBHIx0L6.vn0$BuxbuTMtgA02K6ukFRTxfF9Cp.fHGLhgHfiTa1vEBugV8LJnRP5ZPhHKF6VV5EZzl.EU57sX7CZJiAaVhN.Xy/'
set system login user testadmin role admin
set system login user testmonitor authentication encrypted-password '$6$fZ90rKehkkZfrJXb$uV5NiIa//2fQ3LSPaeJ7xKiRkR.CeB4LGpW2TOIbuUTILvZnfw.ypI5jCgyWTKID30Dz8F7T1.SD0c8VjocG50'
set system login user testmonitor role monitor
set system login user testoperator authentication encrypted-password '$6$CO8BhWKD4jLGuL8b$0P6mFTXunRBotVInVUowDgr3ZqYkWVh31FxyaFvDNiLB2APvKA74e2batjxJOavCZ4KNAuFu2oYENTRBiBcX40'
set system login user testoperator role operator
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 10.215.168.21/24
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping the IP address 10.215.168.20 from DUT1:
admin@DUT1$ ping 10.215.168.20 count 1 size 56 timeout 1
PING 10.215.168.20 (10.215.168.20) 56(84) bytes of data.
64 bytes from 10.215.168.20: icmp_seq=1 ttl=64 time=0.560 ms
--- 10.215.168.20 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.560/0.560/0.560/0.000 ms
Step 4: Initiate an SSH connection from DUT1 to IP address 10.215.168.20 using user testadmin:
admin@DUT1$ ssh testadmin@10.215.168.20 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '10.215.168.20' (ECDSA) to the list of known hosts.
testadmin@10.215.168.20's password:
Welcome to Teldat OSDx v4.2.10.0
This system includes free software.
Contact Teldat for licenses information and source code.
testadmin@osdx$
Step 5: Initiate an SSH connection from DUT1 to IP address 10.215.168.20 using user testmonitor:
admin@DUT1$ ssh testmonitor@10.215.168.20 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '10.215.168.20' (ECDSA) to the list of known hosts.
testmonitor@10.215.168.20's password:
Welcome to Teldat OSDx v4.2.10.0
This system includes free software.
Contact Teldat for licenses information and source code.
testmonitor@osdx$
Step 6: Initiate an SSH connection from DUT1 to IP address 10.215.168.20 using user testoperator which is expected to fail:
admin@DUT1$ ssh testoperator@10.215.168.20 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '10.215.168.20' (ECDSA) to the list of known hosts.
testoperator@10.215.168.20: Permission denied (publickey).
CLI Error: Invalid token [option]
CLI Error: Command error
admin@osdx$
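The pass/fail rule used by the three scenarios above can be checked mechanically. The following is an added example, not Teldat test code: it derives from the DUT0 configuration which users must be refused password authentication and compares that with the SSH client output. The function names, the sample data and the treatment of keyboard-interactive as a password method are assumptions of this example.

```python
import re

# Constructed sample: role lines of the first scenario's DUT0 configuration
# (the encrypted-password lines are left out; the parser ignores them anyway).
CONFIG = """\
set service ssh match role admin disable-password-authentication
set system login user testadmin role admin
set system login user testmonitor role monitor
set system login user testoperator role operator
"""
# Constructed sample: the decisive line of each client transcript above.
TRANSCRIPTS = {
    "testadmin": "testadmin@10.215.168.20: Permission denied (publickey).",
    "testmonitor": "testmonitor@10.215.168.20's password:",
    "testoperator": "testoperator@10.215.168.20's password:",
}
ROLE_RE = re.compile(r"^set system login user (\S+) role (\S+)$")
MATCH_RE = re.compile(
    r"^set service ssh match role (\S+) disable-password-authentication$")
DENIED_RE = re.compile(r"Permission denied \(([^)]*)\)")
# Assumption: keyboard-interactive is counted as a password path as well.
PASSWORD_METHODS = {"password", "keyboard-interactive"}

def expected_policy(config):
    """Map each user with an explicit role to True if passwords must be refused."""
    roles, blocked = {}, set()
    for line in map(str.strip, config.splitlines()):
        if m := ROLE_RE.match(line):
            roles[m.group(1)] = m.group(2)
        elif m := MATCH_RE.match(line):
            blocked.add(m.group(1))
    return {user: role in blocked for user, role in roles.items()}

def password_refused(transcript):
    """True: no password method offered. False: password offered. None: unclear."""
    if m := DENIED_RE.search(transcript):
        offered = {name.strip() for name in m.group(1).split(",")}
        return not (offered & PASSWORD_METHODS)
    return False if "'s password:" in transcript else None

def audit(config, transcripts):
    """Return the users whose observed behaviour contradicts the configuration."""
    policy = expected_policy(config)
    return [user for user in sorted(policy)
            if password_refused(transcripts.get(user, "")) is not policy[user]]

if __name__ == "__main__":
    print("policy violations:", audit(CONFIG, TRANSCRIPTS))
```

Users without an explicit role line, such as admin in these configurations, are not evaluated, and a missing or unrecognised transcript is reported as a violation rather than assumed to pass.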