SSH
This chapter covers some aspects related to the service ssh tool, which allows
you to configure the Secure SHell (SSH) protocol in OSDx.
SSH, or Secure Shell, is a remote administration protocol that lets users control and modify remote devices after an authentication step. It gives users a command-line session on the device over the network, so the device can be managed without a direct (serial) connection.
SSH protocol is used by different services and tools offered by OSDx. The main options are described below.
Configuration
SSH has several options that you can customize. The main components are:
AAA: this option allows OSDx to control who has access to network resources and what use can be made of them.
Access-control: this option allows OSDx to control who has access to the device.
Cryptographic options: this option contains 3 different cryptographic mechanisms that you can customize.
Match: this option allows OSDx to give a specific configuration to a user or group.
AAA
AAA is a security framework to control who has access to network resources.
This framework has 3 main components:
Authentication: the process of identifying a user.
Authorization: the process of determining what use can be made of resources.
Accounting: the logging of all actions performed while authenticated.
This is the syntax to configure the behaviour of the service ssh aaa configuration in OSDx:
set service ssh aaa <component> <aaa-id>
Note
The SSH service supports only 2 of the 3 components: authentication and accounting.
Here you can find more information about this security framework.
Access-control
This tool allows us to control who has access to the device.
OSDx devices identify users by their name or role, meaning you can configure devices to allow or deny connection for specific roles or users.
The syntax to configure the behaviour of the service ssh access-control configuration in OSDx is as follows:
set service ssh access-control <action> <user/role> <id>
Cryptographic options
OSDx allows you to control which algorithms are accepted for each cryptographic mechanism. This is useful where security is critical and you only want to accept connections from clients that use specific algorithms.
SSH service uses these options for 3 different mechanisms:
Cipher: only allows SSH connections with a specific cipher algorithm.
Key-Exchange: only allows SSH connections with a specific key exchange algorithm.
MAC: only allows SSH connections with a specific HMAC algorithm.
The syntax to configure the behaviour of the service ssh cipher configuration in OSDx is as follows:
set service ssh cipher <algorithm>
The syntax to configure the behaviour of the service ssh key-exchange configuration in OSDx is as follows:
set service ssh key-exchange <algorithm>
The syntax to configure the behaviour of the service ssh mac configuration in OSDx is as follows:
set service ssh mac <algorithm>
Tip
If you want to add multiple algorithms at the same time, you can do so using this syntax:
set service ssh cipher <algorithm1>,<algorithm2>,<algorithm3>,...
set service ssh key-exchange <algorithm1>,<algorithm2>,<algorithm3>,...
set service ssh mac <algorithm1>,<algorithm2>,<algorithm3>,...
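Because the accepted algorithm lists are typed by hand, it is easy to leave a legacy cipher, key-exchange or MAC in the list. The following POSIX shell script is an added example, not part of the OSDx documentation or product: it reads OSDx-style "set service ssh cipher/key-exchange/mac" lines and reports any algorithm that a hardening baseline would reject. It assumes OSDx accepts OpenSSH algorithm names; the configuration lines and the weak-algorithm pattern are constructed for the example.

```shell
#!/bin/sh
# Added example (not OSDx's own code): audit OSDx-style "set service ssh ..."
# lines for algorithms a hardening baseline would reject. Assumes OSDx accepts
# OpenSSH algorithm names; the configuration below is constructed sample input.

# Constructed sample configuration: one comma-separated list per mechanism.
SAMPLE_CONFIG='set service ssh cipher aes256-gcm@openssh.com,aes128-cbc,chacha20-poly1305@openssh.com
set service ssh key-exchange curve25519-sha256,diffie-hellman-group1-sha1
set service ssh mac hmac-sha2-256,hmac-md5'

# Extended regex marking an algorithm as weak for this baseline:
# CBC modes, RC4, MD5 or SHA-1 based MACs/KEX, 3DES and the 1024-bit DH group.
WEAK_PATTERN='cbc|arcfour|md5|-sha1$|3des|group1-'

# weak_algos MECHANISM CONFIG: print each weak algorithm configured for
# MECHANISM (cipher, key-exchange or mac), one per line.
# Returns 0 when nothing weak is configured, 1 otherwise.
weak_algos() {
    mech=$1
    config=$2
    found=0
    # Take the list argument from every "set service ssh <mech> <list>" line.
    lists=$(printf '%s\n' "$config" | awk -v m="$mech" \
        '$1=="set" && $2=="service" && $3=="ssh" && $4==m {print $5}')
    for list in $lists; do
        # Split the comma-separated list into single algorithm names.
        for algo in $(printf '%s\n' "$list" | tr ',' ' '); do
            if printf '%s\n' "$algo" | grep -E -q "$WEAK_PATTERN"; then
                printf '%s: %s\n' "$mech" "$algo"
                found=1
            fi
        done
    done
    return $found
}

# audit_config CONFIG: check all three mechanisms; returns 1 if any weak
# algorithm was reported, 0 if the configuration passes the baseline.
audit_config() {
    rc=0
    for mech in cipher key-exchange mac; do
        weak_algos "$mech" "$1" || rc=1
    done
    return $rc
}

# Usage: the sample configuration above fails on one entry per mechanism.
audit_config "$SAMPLE_CONFIG" || echo "weak algorithms found, tighten the lists"
```

Pipe the output of the device's running configuration into audit_config, or adjust WEAK_PATTERN to match your own baseline; the script only reads the lists, it never changes the device.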
Match
This option allows OSDx devices to apply different SSH options to different users, roles, hosts or addresses. It is useful, for example, to require certain users to authenticate with a public key instead of a password. You can also use it to give certain users a different log-level so that, depending on your preferences, they see more or fewer log messages.
The syntax to configure the behaviour of the service ssh match configuration in OSDx is as follows:
set service ssh match <user/group> <id> <option>
Important
If you do not insert any options, OSDx uses a default configuration for this protocol. The default configuration allows any previously implemented cipher, key-exchange, or HMAC algorithm and gives access to users that were already created.
Examples
Remote connection to an OSDx device
Imagine you want to connect to an OSDx device from your PC. The default configuration has a user called admin (the one you should use for your first login).
First, you must configure your OSDx device. Before you can connect from your PC, you must use a serial connection to give your device an IP address.
In OSDx, this can be achieved by entering the following commands:
# If you use DHCP protocol to get an IP address
set interfaces ethernet eth0 address dhcp
# If you want to give a static IP to your device
set interfaces ethernet eth0 address 10.0.0.0/24
Then, you must enable the SSH service on the OSDx device using this command:
set service ssh
You will then be able to connect to an OSDx device via SSH.
Tip
If you are using Linux on your PC, you can execute the following command to connect to the device:
ssh admin@10.0.0.0
Enter the password for the admin user and you will be connected.
Here you will find different examples of these options.
Limit the number of concurrent connections to an OSDx device
Imagine you want to limit the number of concurrent SSH connections to an OSDx device. To do this, you have to configure the traffic policies in your OSDx device using the following commands:
set traffic selector SEL rule 1 connlimit 2
set traffic selector SEL rule 1 protocol tcp
set traffic selector SEL rule 1 state new
set traffic selector SEL rule 1 destination port 22
set traffic policy POL rule 1 action drop
set traffic policy POL rule 1 selector SEL
set interfaces ethernet eth0 traffic policy local-in POL
set service ssh
In this case, concurrent SSH connections are limited to 2: the selector matches new TCP connections to port 22 once two are already open, and the policy drops them. If you attempt several SSH connections to your OSDx device, only two will be established at the same time.
Here you can find different examples for these options.
Command Summary
Configuration commands
service ssh match address <ipv4cidr|ipv6cidr> disable-password-authentication
service ssh match address <ipv4cidr|ipv6cidr> keepalive-count-max <u32>
service ssh match address <ipv4cidr|ipv6cidr> keepalive-interval <u32>
service ssh match address <ipv4cidr|ipv6cidr> log-level <txt>
service ssh match host <ipv4|ipv6> disable-password-authentication
service ssh match host <ipv4|ipv6> keepalive-count-max <u32>
service ssh match user <txt> disable-password-authentication