Ssh Access Control
Test suite for validating SSH access control options
SSH User Deny
Description
Check that enforcing a user denial will work as expected. Test_user is set to be
denied through SSH connection, then a connection through this user is tried expecting
failure to connect. Admin user that hasn’t been denied is also tested to confirm unchanged
behavior in this case.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.20/24 set service ssh access-control deny user test_user set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set system login user test_user authentication encrypted-password '$6$VCgs3BdlqrpCxUVr$HPz7dX0LfHtgDpTmjRk.F8eCG7XKpbkCZdd4V1u1mDSpNw8BcpxL5pxGzK.DXuDwVuMcUSbBY97lbXZjrt8Uq1'
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 10.215.168.21/24 set service ssh set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.215.168.20 from DUT1:
admin@DUT1$ ping 10.215.168.20 count 1 size 56 timeout 1Show output
PING 10.215.168.20 (10.215.168.20) 56(84) bytes of data. 64 bytes from 10.215.168.20: icmp_seq=1 ttl=64 time=0.365 ms --- 10.215.168.20 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.365/0.365/0.365/0.000 ms
Step 4: Init an SSH connection from DUT1 to IP address 10.215.168.20 with the user test_user:
admin@DUT1$ ssh test_user@10.215.168.20 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/nullShow output
Warning: Permanently added '10.215.168.20' (ECDSA) to the list of known hosts. test_user@10.215.168.20's password:
Step 5: Init an SSH connection from DUT1 to IP address 10.215.168.20 with the user admin:
admin@DUT1$ ssh admin@10.215.168.20 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/nullShow output
Warning: Permanently added '10.215.168.20' (ECDSA) to the list of known hosts. admin@10.215.168.20's password: Welcome to Teldat OSDx v4.2.5.0 This system includes free software. Contact Teldat for licenses information and source code. Last login: Tue May 13 16:57:00 2025 from 10.215.168.21 admin@osdx$
SSH User Allow
Description
Check that allowing a user will only let that user connect to the device.
Test_user is set to be unallowed through SSH connection, then a connection through
this user is tried expecting to connect unsuccessfully. The next step will try a SSH connection
through Admin which is the allowed user, then the connection is succesfull.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.20/24 set service ssh access-control allow user admin set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set system login user test_user authentication encrypted-password '$6$nFIkkq4ZC96roYy2$D5CRW7KZOQkNQW5IDSjxXAMGjOBVToyL7zSDRx9.g2kfapJ7m25b/4Yqi/a4Mh3AC2/z1pXq6PHEIzelWLLRo.'
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 10.215.168.21/24 set service ssh set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.215.168.20 from DUT1:
admin@DUT1$ ping 10.215.168.20 count 1 size 56 timeout 1Show output
PING 10.215.168.20 (10.215.168.20) 56(84) bytes of data. 64 bytes from 10.215.168.20: icmp_seq=1 ttl=64 time=0.363 ms --- 10.215.168.20 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.363/0.363/0.363/0.000 ms
Step 4: Init an SSH connection from DUT1 to IP address 10.215.168.20 with the user test_user:
admin@DUT1$ ssh test_user@10.215.168.20 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/nullShow output
Warning: Permanently added '10.215.168.20' (ECDSA) to the list of known hosts. test_user@10.215.168.20's password:
Step 5: Init an SSH connection from DUT1 to IP address 10.215.168.20 with the user admin:
admin@DUT1$ ssh admin@10.215.168.20 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/nullShow output
Warning: Permanently added '10.215.168.20' (ECDSA) to the list of known hosts. admin@10.215.168.20's password: Welcome to Teldat OSDx v4.2.5.0 This system includes free software. Contact Teldat for licenses information and source code. Last login: Tue May 13 16:57:38 2025 from 10.215.168.21 admin@osdx$
SSH Role Deny
Description
Check that enforcing a role denial will work as expected. Test_user and test_role are created
and then the role is assigned to the user. The role is set to be unallowed through SSH connection, then a connection
through this user is tried expecting a failure. The admin user is also tried to ensure that users that haven’t been
denied can still access the router.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.20/24 set service ssh access-control deny role test_role set system login role test_role level 14 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set system login user test_user authentication encrypted-password '$6$zI5tLscqzyzoi7Sn$HQJtFXNY3MqpIi19iWpBsvoqeFo3p/bKobQXLarEUHpyLez1xwUfy30cGBgJKiJChDSel8ZI5DNfh56IPnOPD/' set system login user test_user role test_role
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 10.215.168.21/24 set service ssh set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.215.168.20 from DUT1:
admin@DUT1$ ping 10.215.168.20 count 1 size 56 timeout 1Show output
PING 10.215.168.20 (10.215.168.20) 56(84) bytes of data. 64 bytes from 10.215.168.20: icmp_seq=1 ttl=64 time=0.235 ms --- 10.215.168.20 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.235/0.235/0.235/0.000 ms
Step 4: Init an SSH connection from DUT1 to IP address 10.215.168.20 with the user test_user:
admin@DUT1$ ssh test_user@10.215.168.20 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/nullShow output
Warning: Permanently added '10.215.168.20' (ECDSA) to the list of known hosts. test_user@10.215.168.20's password:
Step 5: Init an SSH connection from DUT1 to IP address 10.215.168.20 with the user admin:
admin@DUT1$ ssh admin@10.215.168.20 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/nullShow output
Warning: Permanently added '10.215.168.20' (ECDSA) to the list of known hosts. admin@10.215.168.20's password: Welcome to Teldat OSDx v4.2.5.0 This system includes free software. Contact Teldat for licenses information and source code. Last login: Tue May 13 16:58:16 2025 from 10.215.168.21 admin@osdx$
SSH Role Allow
Description
Check that enforcing a role permission will work as expected. Two users and two roles are created.
The roles are assigned to each of the users. Test_role is then allowed and an SSH connection is tried
with the test_user assigned that role, expecting to succeed.
Test_user2 is tried to ensure the deny by default behavior once an allow is set.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.20/24 set service ssh access-control allow role test_role set system login role test_role level 14 set system login role test_role2 level 13 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set system login user test_user authentication encrypted-password '$6$W596j.F4T7qCuRRo$cezNKnBZGMm3xESUUNJkqIJ2Cu2JEa2PKwSf8eFdlHV6XhWTMhcUJYUM9zaP1kQqQIvTKrxKPs4KmAeC8JLKC1' set system login user test_user role test_role set system login user test_user2 authentication encrypted-password '$6$YNJ1HHBiS2GWQMJL$v/koHZ9vSxecw2ca7GyPoQ0cBRhnBem40cwhtq.RuWPsGtwXCtIbvm1JVSnB.HuH4jhklmw3fdC.Eb/CNwDLK.' set system login user test_user2 role test_role2
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 10.215.168.21/24 set service ssh set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.215.168.20 from DUT1:
admin@DUT1$ ping 10.215.168.20 count 1 size 56 timeout 1Show output
PING 10.215.168.20 (10.215.168.20) 56(84) bytes of data. 64 bytes from 10.215.168.20: icmp_seq=1 ttl=64 time=0.352 ms --- 10.215.168.20 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.352/0.352/0.352/0.000 ms
Step 4: Init an SSH connection from DUT1 to IP address 10.215.168.20 with the user test_user:
admin@DUT1$ ssh test_user@10.215.168.20 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/nullShow output
Warning: Permanently added '10.215.168.20' (ECDSA) to the list of known hosts. test_user@10.215.168.20's password: Welcome to Teldat OSDx v4.2.5.0 This system includes free software. Contact Teldat for licenses information and source code. test_user@osdx$
Step 5: Init an SSH connection from DUT1 to IP address 10.215.168.20 with the user test_user2:
admin@DUT1$ ssh test_user2@10.215.168.20 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/nullShow output
Warning: Permanently added '10.215.168.20' (ECDSA) to the list of known hosts. test_user2@10.215.168.20's password: