SSH

This chapter covers some aspects related to the service ssh tool, which allows you to configure the Secure SHell (SSH) protocol in OSDx.

SSH, or Secure Shell, is a remote administration protocol that lets users control and modify remote devices over an authenticated, encrypted channel. It provides a remote console, so a device can be managed without being physically connected to it.

The SSH protocol is used by different services and tools offered by OSDx; the main options are described below.

Configuration

SSH has several options that you can customize. The main components are:

  • AAA: this option allows OSDx to control who has access to the network resources and also what they are allowed to use.

  • Access-control: this option allows OSDx to control who has access to the device.

  • Cryptographic options: this option contains 3 different cryptographic mechanisms that you can customize.

  • Match: this option allows OSDx to apply a specific configuration to a user or a group.

AAA

AAA is a security framework to control who has access to network resources.

This framework has 3 main components:

  • Authentication: the process of identifying a user.

  • Authorization: the process of determining what the users are allowed to do with the resources.

  • Accounting: the logging of all actions performed while authenticated.

This is the syntax to configure the service ssh aaa option in OSDx:

set service ssh aaa <component> <aaa-id>

Note

The SSH service supports only 2 of the 3 AAA components: authentication and accounting.

Here, you can find more information about this security framework.

Access-control

This tool allows you to control who has access to the device.

OSDx devices identify users by their name or role, so you can configure a device to allow or deny connections from a specific role or user.

This is the syntax to configure the service ssh access-control option in OSDx:

set service ssh access-control <action> <user/role> <id>

Cryptographic options

OSDx allows users to control which algorithms are used by the different SSH mechanisms. This is useful when security is critical and you only want to accept connections from clients that use specific algorithms.

The SSH service uses these options for 3 different mechanisms:

  • Cipher: only allows SSH connections that use a specific cipher algorithm.

  • Key-Exchange: only allows SSH connections that use a specific key exchange algorithm.

  • MAC: only allows SSH connections that use a specific HMAC algorithm.

This is the syntax to configure the service ssh cipher option in OSDx:

set service ssh cipher <algorithm>

This is the syntax to configure the service ssh key-exchange option in OSDx:

set service ssh key-exchange <algorithm>

This is the syntax to configure the service ssh mac option in OSDx:

set service ssh mac <algorithm>

Tip

If you want to allow multiple algorithms at the same time, you can specify them as a comma-separated list using this syntax:

set service ssh cipher <algorithm1>,<algorithm2>,<algorithm3>,...
set service ssh key-exchange <algorithm1>,<algorithm2>,<algorithm3>,...
set service ssh mac <algorithm1>,<algorithm2>,<algorithm3>,...

Match

This option allows OSDx devices to apply different SSH options to different users, roles, hosts or addresses. For example, it can be used to allow certain users to authenticate with a public key instead of a password, or to give certain users a different log level so that they see more or fewer log messages, depending on your preferences.

This is the syntax to configure the service ssh match option in OSDx:

set service ssh match <user/group> <id> <option>

Important

OSDx uses a default configuration for this protocol if you do not set any options. The default configuration allows any implemented cipher, key-exchange and HMAC algorithm, and allows access to any user that has been created.
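The following is an added example, not an OSDx tool: a small audit script that reads the set service ssh cipher / key-exchange / mac lines in the comma-separated syntax shown above and reports two things a reviewer cares about, a mechanism that was left at the permissive default described in the Important note, and an explicitly allowed algorithm that appears on a weak list. The weak lists are constructed for this example and assume OSDx accepts OpenSSH algorithm names; adjust them to the names your OSDx release actually offers.

```python
# Constructed weak-algorithm lists (assumption: OSDx uses OpenSSH algorithm names).
WEAK = {
    "cipher": {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
               "arcfour", "arcfour128", "arcfour256", "blowfish-cbc", "cast128-cbc"},
    "key-exchange": {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
                     "diffie-hellman-group-exchange-sha1"},
    "mac": {"hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96",
            "hmac-md5-etm@openssh.com", "hmac-md5-96-etm@openssh.com",
            "hmac-sha1-96-etm@openssh.com"},
}
MECHANISMS = ("cipher", "key-exchange", "mac")


def parse_ssh_config(text):
    """Collect the algorithm lists from 'set service ssh <mechanism> a,b,c' lines.

    Any 'set service ssh ...' line marks the service as enabled; other
    service ssh options (aaa, access-control, match) are ignored here.
    """
    cfg = {"enabled": False, "cipher": [], "key-exchange": [], "mac": []}
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()          # drop comments
        if words[:3] != ["set", "service", "ssh"]:
            continue
        cfg["enabled"] = True
        rest = words[3:]
        if len(rest) == 2 and rest[0] in MECHANISMS:
            cfg[rest[0]].extend(alg for alg in rest[1].split(",") if alg)
    return cfg


def audit(cfg):
    """Return a list of findings; an empty list means the configuration passes."""
    if not cfg["enabled"]:
        return ["service ssh is not enabled; nothing to audit"]
    findings = []
    for mech in MECHANISMS:
        if not cfg[mech]:   # no restriction: every implemented algorithm is allowed
            findings.append(f"{mech}: not restricted, OSDx default admits every implemented algorithm")
            continue
        findings.extend(f"{mech}: weak algorithm {alg} is allowed"
                        for alg in cfg[mech] if alg in WEAK[mech])
    return findings


# Constructed sample configuration in OSDx syntax, with one deliberate weak cipher.
SAMPLE = """\
set service ssh
set service ssh cipher aes256-gcm@openssh.com,aes128-ctr,aes256-cbc
set service ssh key-exchange curve25519-sha256,diffie-hellman-group14-sha256
# mac intentionally left at the default
"""

if __name__ == "__main__":
    for finding in audit(parse_ssh_config(SAMPLE)):
        print(finding)
```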

Examples

Remote connection to an OSDx device

Imagine you want to connect from your PC to an OSDx device. The default configuration has a user called admin, so you should use this user for your first login.

First of all, you must configure the OSDx device. Before you can connect from your PC, you must connect to the device through the serial console and give it an IP address.

In OSDx, this can be achieved by setting the following commands:

# If you use the DHCP protocol to get an IP address
set interfaces ethernet eth0 address dhcp
# If you want to give a static IP address to your device
set interfaces ethernet eth0 address 10.0.0.0/24

Then enable the SSH service on the OSDx device with this command:

set service ssh

Finally, you are able to connect to the OSDx device via SSH.

Tip

If you are using Linux on your PC, you can run the following command to connect to the device:

ssh admin@10.0.0.0

Enter the password for the user admin and you will be connected.

Here, you can find different examples of these options.

Command Summary

Configuration commands

Operational commands