Match User Disable-Password-Authentication

SSH connection test for the match user admin disable-password-authentication configuration. It verifies that the SSH server blocks password authentication only for the admin user while still allowing it for other users.

SSH Connection Admin User Password Authentication Disabled

Description

The SSH connection with the admin user should fail because password authentication is disabled for the admin user only.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.20/24
set service ssh match user admin disable-password-authentication
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system login user testuser authentication encrypted-password '$6$QLN0vESYowOa6daq$Zuk5Z5Lj.yVCHN5XSW7Z41G5BvlYwzUgro/TbUQHTw9NXtnUn6fKlgMwZg2oi2RqQ3jk6MlmMmpsB2v2O8JZ3/'

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 10.215.168.21/24
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Ping IP address 10.215.168.20 from DUT1:

admin@DUT1$ ping 10.215.168.20 count 1 size 56 timeout 1
PING 10.215.168.20 (10.215.168.20) 56(84) bytes of data.
64 bytes from 10.215.168.20: icmp_seq=1 ttl=64 time=0.432 ms

--- 10.215.168.20 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.432/0.432/0.432/0.000 ms

Step 4: Initiate an SSH connection from DUT1 to IP address 10.215.168.20 with the user admin, which is expected to fail:

admin@DUT1$ ssh admin@10.215.168.20 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '10.215.168.20' (ECDSA) to the list of known hosts.
admin@10.215.168.20: Permission denied (publickey).
  CLI Error: Invalid token [option]
  CLI Error: Command error
admin@osdx$

SSH Connection Test User Password Authentication Enabled

Description

The SSH connection with testuser should succeed because password authentication is disabled only for admin, not for other users.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.20/24
set service ssh match user admin disable-password-authentication
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system login user testuser authentication encrypted-password '$6$o/4stqvy7A/ttf5D$nK5TI5aDm9xnml7foJqVSeN1BKBhiDCtkLMY.DU7yD4swFsyMMv/NQWD63b8Aw2xIYqEcnWtpANqkBGfAz5P01'

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 10.215.168.21/24
set service ssh
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Ping IP address 10.215.168.20 from DUT1:

admin@DUT1$ ping 10.215.168.20 count 1 size 56 timeout 1
PING 10.215.168.20 (10.215.168.20) 56(84) bytes of data.
64 bytes from 10.215.168.20: icmp_seq=1 ttl=64 time=0.593 ms

--- 10.215.168.20 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.593/0.593/0.593/0.000 ms

Step 4: Initiate an SSH connection from DUT1 to IP address 10.215.168.20 with the user testuser:

admin@DUT1$ ssh testuser@10.215.168.20 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '10.215.168.20' (ECDSA) to the list of known hosts.
testuser@10.215.168.20's password:
Welcome to Teldat OSDx v4.2.8.1

This system includes free software.
Contact Teldat for licenses information and source code.

testuser@osdx$
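As an added example covering both scenarios above (it is not OSDx code), the following Python computes which PasswordAuthentication value a given user receives from an sshd_config that contains Match User blocks. It assumes that the page's match user admin disable-password-authentication setting renders to an OpenSSH "Match User admin" block with "PasswordAuthentication no"; the SSHD_CONFIG fragment and the DEFAULTS table are constructed, and wildcard user patterns are handled as OpenSSH does.

```python
# Per-user effective PasswordAuthentication from sshd_config Match User blocks.
# Added example, not OSDx code; the config and DEFAULTS below are constructed.
import fnmatch
import re

# Constructed fragment: assumed OpenSSH rendering of the page's
# 'set service ssh match user admin disable-password-authentication'.
SSHD_CONFIG = """\
PasswordAuthentication yes
PubkeyAuthentication yes
Match User admin
    PasswordAuthentication no
"""

# sshd defaults used when a keyword is never set (assumed subset)
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes"}

def parse_sshd_config(text):
    """Return (global_settings, blocks) with blocks = [(user_patterns, settings)].
    Keys are lowercased (keywords are case-insensitive); only Match User is modelled."""
    global_settings, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":
            crit, patterns = value.split(), []
            for i in range(0, len(crit) - 1, 2):
                if crit[i].lower() == "user":
                    patterns += crit[i + 1].split(",")
            current = (patterns, {})
            blocks.append(current)
        elif current is None:
            global_settings.setdefault(key, value)  # first obtained value wins
        else:
            current[1].setdefault(key, value)
    return global_settings, blocks

def effective(text, user, keyword="PasswordAuthentication"):
    """First matching Match block that sets the keyword overrides the global
    section; otherwise the global value, then the sshd default."""
    key = keyword.lower()
    global_settings, blocks = parse_sshd_config(text)
    for patterns, settings in blocks:
        if key in settings and any(fnmatch.fnmatchcase(user, p) for p in patterns):
            return settings[key]
    return global_settings.get(key, DEFAULTS.get(key))
```

For admin the function returns no, consistent with the "Permission denied (publickey)" result in the first scenario; for testuser it returns yes, consistent with the password prompt in the second.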