===
SSH
===

.. sidebar:: Contents

   .. contents::
      :depth: 3
      :local:

This chapter covers some aspects related to the :osdx:cfg:`service ssh` tool, which allows you to configure the **Secure SHell (SSH)** protocol in OSDx.

SSH, or Secure Shell, is a remote administration protocol that allows users to control and modify their remote devices through an authentication mechanism. This protocol allows users to remotely connect to devices via console. In this way, devices can be accessed without the need for a direct connection.

The SSH protocol is used by different services and tools offered by OSDx. The main options are described below.

Configuration
=============

SSH has several options that you can customize. The main components are:

* ``AAA``: this option allows OSDx to control who has access to network resources and what can be used.
* ``Access-control``: this option allows OSDx to control who has access to the device.
* ``Cryptographic options``: this option contains 3 different cryptographic mechanisms that you can customize.
* ``Match``: this option allows OSDx to give a specific configuration to a user or group.

AAA
---

AAA is a security framework to control who has access to network resources. This framework has 3 main components:

* ``Authentication``: the process of identifying a user.
* ``Authorization``: the process of determining what use can be made of resources.
* ``Accounting``: the logging of all actions performed while authenticated.

This is the syntax to configure the behaviour of the :osdx:cfg:`service ssh aaa` configuration in OSDx:

.. code-block:: none

   set service ssh aaa

.. note:: SSH protocol allows only 2 of the 3 options, authentication and accounting.

:doc:`Here ` you can find more information about this security framework.

Access-control
--------------

This tool allows us to control who has access to the device. OSDx devices identify users by their name or role, meaning you can configure devices to allow or deny connections for specific roles or users.

The syntax to configure the behaviour of the :osdx:cfg:`service ssh access-control` configuration in OSDx is as follows:

.. code-block:: none

   set service ssh access-control

Cryptographic options
---------------------

OSDx allows users to control which algorithms are used for the different mechanisms. This can be useful in cases where security is critical and you only want to accept connections from clients that use specific algorithms.

The SSH service uses these options for 3 different mechanisms:

* ``Cipher``: only allows SSH connections with a specific cipher algorithm.
* ``Key-Exchange``: only allows SSH connections with a specific key exchange algorithm.
* ``MAC``: only allows SSH connections with a specific HMAC algorithm.

The syntax to configure the behaviour of the :osdx:cfg:`service ssh cipher *` configuration in OSDx is as follows:

.. code-block:: none

   set service ssh cipher

The syntax to configure the behaviour of the :osdx:cfg:`service ssh key-exchange *` configuration in OSDx is as follows:

.. code-block:: none

   set service ssh key-exchange

The syntax to configure the behaviour of the :osdx:cfg:`service ssh mac *` configuration in OSDx is as follows:

.. code-block:: none

   set service ssh mac

.. tip:: If you want to add multiple algorithms at the same time, you can do so using this syntax::

      set service ssh cipher ,,,...
      set service ssh key-exchange ,,,...
      set service ssh mac ,,,...

Match
-----

This option allows OSDx devices to change different SSH options for different users, roles, hosts or addresses. This function can be useful if you want to grant certain users access using a public key instead of a password. You can also use this option to give certain users a different log-level and, depending on your preferences, allow them to see more or fewer logs.

The syntax to configure the behaviour of the :osdx:cfg:`service ssh match` configuration in OSDx is as follows:

.. code-block:: none

   set service ssh match
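As an added example (not OSDx code or documentation), the following Python script simulates the RFC 4253 algorithm selection rule for the three mechanisms described in the Cryptographic options section above, so you can see what a restricted cipher, key-exchange or MAC list does to an incoming client. The algorithm names and the server lists are constructed for illustration and are not OSDx defaults; cipher and MAC are really negotiated per direction, which is collapsed into one list here.

```python
# Added example, not OSDx code: simulates SSH algorithm negotiation
# (RFC 4253, section 7.1) for key-exchange, cipher and MAC.

# Constructed: what a server might offer after being restricted with
# `set service ssh cipher`, `... key-exchange` and `... mac`
# (illustrative names, not OSDx defaults).
SERVER_ALLOWED = {
    "key-exchange": ["curve25519-sha256", "diffie-hellman-group16-sha512"],
    "cipher": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
    "mac": ["hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com"],
}


def choose(client_pref, server_pref):
    """RFC 4253 rule: the first algorithm in the client's preference order
    that the server also supports wins; None means nothing in common."""
    return next((alg for alg in client_pref if alg in server_pref), None)


def negotiate(client_offer, server_allowed=SERVER_ALLOWED):
    """Negotiate all three mechanisms in the order the server checks them.
    Returns (chosen, failed): `chosen` maps mechanism -> agreed algorithm,
    `failed` is the first mechanism with no common algorithm (the server
    would drop the connection during key exchange) or None on success."""
    chosen = {}
    for mech in ("key-exchange", "cipher", "mac"):
        pick = choose(client_offer.get(mech, []), server_allowed[mech])
        if pick is None:
            return chosen, mech
        chosen[mech] = pick
    return chosen, None


if __name__ == "__main__":
    # Constructed client offers: a current client and a legacy one.
    modern = {
        "key-exchange": ["curve25519-sha256", "ecdh-sha2-nistp256"],
        "cipher": ["aes256-gcm@openssh.com", "aes128-ctr"],
        "mac": ["hmac-sha2-256-etm@openssh.com", "hmac-sha1"],
    }
    legacy = {
        "key-exchange": ["diffie-hellman-group1-sha1"],
        "cipher": ["aes128-cbc", "3des-cbc"],
        "mac": ["hmac-md5", "hmac-sha1"],
    }
    print(negotiate(modern))  # all three agreed, failed is None
    print(negotiate(legacy))  # fails at key-exchange: connection refused
```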