Match Role Disable-Password-Authentication
SSH connection test with the match role disable-password-authentication configuration. Tests that the SSH server correctly blocks password authentication only for users with the admin role while allowing it for the monitor and operator roles.
SSH Match Role Admin Disable Password Auth
Description
Test SSH match role with disable-password-authentication for admin role only.
Admin user should fail to connect, while monitor and operator users should succeed.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.20/24
set service ssh match role admin disable-password-authentication
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system login user testadmin authentication encrypted-password '$6$ZY.wgFqA4WCoQalq$EBA3g5Dffo/mV/V76JwagMNXsae/yXnGTM5WjsstbmhodQ/GVPl6JqRVCgH2IsOAqHTJBoj5ccZcogANOdUua1'
set system login user testadmin role admin
set system login user testmonitor authentication encrypted-password '$6$d/ytpKW2twkNh.xr$zA8lZHtl81hHd9EwM7k8MACJTWb3FQ3j6PYjvUtvLPbI.FZCzwPdhIqHKmGcIEH0ZXcOP00cQtjjQd7WKQKTR1'
set system login user testmonitor role monitor
set system login user testoperator authentication encrypted-password '$6$FRiyewBv0oyXclBI$ePSDHI7btTasiDK2.SlpQ58gdRRRO7cGj0HfAgsofTWeXWmy9inC8IJqHnuqPERTEHb9bmw9olVE7mHDFvQd90'
set system login user testoperator role operator
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 10.215.168.21/24
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.215.168.20 from DUT1:
admin@DUT1$ ping 10.215.168.20 count 1 size 56 timeout 1
PING 10.215.168.20 (10.215.168.20) 56(84) bytes of data.
64 bytes from 10.215.168.20: icmp_seq=1 ttl=64 time=0.488 ms
--- 10.215.168.20 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.488/0.488/0.488/0.000 ms
Step 4: Init an SSH connection from DUT1 to IP address 10.215.168.20 with the user testmonitor:
admin@DUT1$ ssh testmonitor@10.215.168.20 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '10.215.168.20' (ECDSA) to the list of known hosts.
testmonitor@10.215.168.20's password:
Welcome to Teldat OSDx v4.2.8.1
This system includes free software.
Contact Teldat for licenses information and source code.
testmonitor@osdx$
Step 5: Init an SSH connection from DUT1 to IP address 10.215.168.20 with the user testoperator:
admin@DUT1$ ssh testoperator@10.215.168.20 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '10.215.168.20' (ECDSA) to the list of known hosts.
testoperator@10.215.168.20's password:
Welcome to Teldat OSDx v4.2.8.1
This system includes free software.
Contact Teldat for licenses information and source code.
testoperator@osdx$
Step 6: Init an SSH connection from DUT1 to IP address 10.215.168.20 with the user testadmin, which is expected to fail:
admin@DUT1$ ssh testadmin@10.215.168.20 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '10.215.168.20' (ECDSA) to the list of known hosts.
testadmin@10.215.168.20: Permission denied (publickey).
CLI Error: Invalid token [option]
CLI Error: Command error
admin@osdx$
SSH Match Role Monitor Disable Password Auth
Description
Test SSH match role with disable-password-authentication for monitor role only.
Monitor user should fail to connect, while admin and operator users should succeed.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.20/24
set service ssh match role monitor disable-password-authentication
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system login user testadmin authentication encrypted-password '$6$VwmHZ2PyjxeHqsTC$HNqtN6zgvlDaLkJzB7Rjw0793FrzJvwWXMrQQrEOP3oXb2CyAetW3TMUj1j1vcfEQ2JCX2AbiqmWguBvfefOv.'
set system login user testadmin role admin
set system login user testmonitor authentication encrypted-password '$6$YH9tspD.1T18KtoP$PLr1SLxCwrjyl6lX3ufKaalIJZ/by.6rJz0PuwKutroG3FmQ5Me55OD6irEKxQsrOStlpijd/JfTTUpDeB/Xg0'
set system login user testmonitor role monitor
set system login user testoperator authentication encrypted-password '$6$Ub7m8ZIee5igzPQp$QlIS7k1juD0GTVVnXFe/1b2rYLWG64PekBC5P14ex0hoWYGIkKj0xFN8iZdn0GxaaETxEegrqgQB/lwLvLDu70'
set system login user testoperator role operator
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 10.215.168.21/24
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.215.168.20 from DUT1:
admin@DUT1$ ping 10.215.168.20 count 1 size 56 timeout 1
PING 10.215.168.20 (10.215.168.20) 56(84) bytes of data.
64 bytes from 10.215.168.20: icmp_seq=1 ttl=64 time=0.386 ms
--- 10.215.168.20 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.386/0.386/0.386/0.000 ms
Step 4: Init an SSH connection from DUT1 to IP address 10.215.168.20 with the user testadmin:
admin@DUT1$ ssh testadmin@10.215.168.20 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '10.215.168.20' (ECDSA) to the list of known hosts.
testadmin@10.215.168.20's password:
Welcome to Teldat OSDx v4.2.8.1
This system includes free software.
Contact Teldat for licenses information and source code.
testadmin@osdx$
Step 5: Init an SSH connection from DUT1 to IP address 10.215.168.20 with the user testoperator:
admin@DUT1$ ssh testoperator@10.215.168.20 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '10.215.168.20' (ECDSA) to the list of known hosts.
testoperator@10.215.168.20's password:
Welcome to Teldat OSDx v4.2.8.1
This system includes free software.
Contact Teldat for licenses information and source code.
testoperator@osdx$
Step 6: Init an SSH connection from DUT1 to IP address 10.215.168.20 with the user testmonitor, which is expected to fail:
admin@DUT1$ ssh testmonitor@10.215.168.20 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '10.215.168.20' (ECDSA) to the list of known hosts.
testmonitor@10.215.168.20: Permission denied (publickey).
CLI Error: Invalid token [option]
CLI Error: Command error
admin@osdx$
SSH Match Role Operator Disable Password Auth
Description
Test SSH match role with disable-password-authentication for operator role only.
Operator user should fail to connect, while admin and monitor users should succeed.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.20/24
set service ssh match role operator disable-password-authentication
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system login user testadmin authentication encrypted-password '$6$4tFdiI6V9TXEQGKK$iw6e0QvlYPA1F5WaK8CJSMQwHYyvLs36c/SSCWr9IJsNR6.oWLwYaLX5StUudPWhmjsfVHVIBvIBQESgqLC5I0'
set system login user testadmin role admin
set system login user testmonitor authentication encrypted-password '$6$ELKF.U7HWm47A.1s$YGs7zjPazL7UFaZlAul2WH.HoTRcX.N6y4CIF/6kUo1IkovlXSKzx6KsM2SeKpelPAiwfe4jRGyPhmnPsg/K9/'
set system login user testmonitor role monitor
set system login user testoperator authentication encrypted-password '$6$GOTzq183CKP1.xnW$1PBp8ZsaNRTZtW3yAf/gjLyp1.DhQcuCSCRcs9fcdfVD56JB68AGfdPnEDRvdEN82BCe9.aiwqUwmniwRcng71'
set system login user testoperator role operator
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 10.215.168.21/24
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.215.168.20 from DUT1:
admin@DUT1$ ping 10.215.168.20 count 1 size 56 timeout 1
PING 10.215.168.20 (10.215.168.20) 56(84) bytes of data.
64 bytes from 10.215.168.20: icmp_seq=1 ttl=64 time=0.350 ms
--- 10.215.168.20 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.350/0.350/0.350/0.000 ms
Step 4: Init an SSH connection from DUT1 to IP address 10.215.168.20 with the user testadmin:
admin@DUT1$ ssh testadmin@10.215.168.20 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '10.215.168.20' (ECDSA) to the list of known hosts.
testadmin@10.215.168.20's password:
Welcome to Teldat OSDx v4.2.8.1
This system includes free software.
Contact Teldat for licenses information and source code.
testadmin@osdx$
Step 5: Init an SSH connection from DUT1 to IP address 10.215.168.20 with the user testmonitor:
admin@DUT1$ ssh testmonitor@10.215.168.20 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '10.215.168.20' (ECDSA) to the list of known hosts.
testmonitor@10.215.168.20's password:
Welcome to Teldat OSDx v4.2.8.1
This system includes free software.
Contact Teldat for licenses information and source code.
testmonitor@osdx$
Step 6: Init an SSH connection from DUT1 to IP address 10.215.168.20 with the user testoperator, which is expected to fail:
admin@DUT1$ ssh testoperator@10.215.168.20 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '10.215.168.20' (ECDSA) to the list of known hosts.
testoperator@10.215.168.20: Permission denied (publickey).
CLI Error: Invalid token [option]
CLI Error: Command error
admin@osdx$
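In all three scenarios the restricted user's denial line reads "Permission denied (publickey)", which means the server no longer offers the password method to that user. The shell script below is an added example, not part of the Teldat test suite: it checks that result per role from a Linux host with the OpenSSH client. The function names and the second sample line are assumptions.

```shell
#!/bin/sh
# Added example: verify per-role password-auth policy from the method list
# an OpenSSH client prints on denial. Function names are hypothetical.

# Constructed samples. The first mirrors the page's output for the restricted
# user; the second is an assumed line for a role that may still use passwords.
SAMPLE_RESTRICTED='testadmin@10.215.168.20: Permission denied (publickey).'
SAMPLE_ALLOWED='testmonitor@10.215.168.20: Permission denied (publickey,password).'

# Live probe (defined, not called here): request only the "none" method so the
# server answers with the methods it offers this user; no password is sent.
# The host key must already be in known_hosts, since BatchMode cannot prompt.
probe() {  # usage: probe USER HOST
    ssh -o PreferredAuthentications=none -o BatchMode=yes "$1@$2" true 2>&1 |
        grep 'Permission denied'
}

# Print the comma-separated method list from a denial line, or nothing.
offered_methods() {
    printf '%s\n' "$1" |
        sed -n 's/.*Permission denied (\([^)]*\)).*/\1/p' | head -n 1
}

# Succeed if "password" is one of the offered methods.
password_offered() {
    case ",$(offered_methods "$1")," in
        *,password,*) return 0 ;;
        *) return 1 ;;
    esac
}

# usage: check_role_policy RESTRICTED_ROLE USER_ROLE DENIAL_LINE
# PASS: password withheld from the restricted role and offered to the others.
check_role_policy() {
    restricted=$1; role=$2; line=$3
    if [ -z "$(offered_methods "$line")" ]; then
        echo UNKNOWN; return 2      # not a denial line: do not guess
    fi
    if password_offered "$line"; then offered=yes; else offered=no; fi
    if [ "$role" = "$restricted" ] && [ "$offered" = no ]; then
        echo PASS
    elif [ "$role" != "$restricted" ] && [ "$offered" = yes ]; then
        echo PASS
    else
        echo FAIL; return 1
    fi
}
```

Feeding each probe result to check_role_policy also catches the opposite failure, where a match rule withholds password authentication from a role it was not meant to cover.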