SSH Client Server Configuration
Overview
SSH is a network protocol that allows data to be exchanged using a secure channel between two networked devices. SSH was designed as a replacement for Telnet and other insecure remote shells, which send information, notably passwords, in plain text, rendering them susceptible to packet analysis.[2] The encryption used by SSH is intended to provide confidentiality and integrity of data over an unsecured network, such as the Internet. SSH uses public-key cryptography to authenticate the remote computer and allow the remote computer to authenticate the user.
SSH is typically used to log into a remote machine and execute commands, but it also supports tunneling, forwarding TCP ports and X11 connections; it can transfer files using the associated SFTP or SCP protocols. SSH uses the client- server model
TCP port 22 is assigned for contacting SSH servers. This document covers the SSH server configuration to enable SSH service and key generation and SSH client configuration for remote login to server.
In-band Management over Default VRF
OcNOS supports SSH over the default and management VRFs via the in-band management interface and out-of-band management interfaces, respectively.
SSH can run on the default and management VRFs simultaneously. By default, it runs on the management VRF.
SSH Configuration
SSH is performed with IPv4 and IPv6 addresses.
IPv4 Address Configuration
Topology
SSH sample topology
Basic Configuration
#configure terminal | Enter configure mode |
(config)#ssh login-attempts 2 vrf management | Set the number of login attempts to 2 |
(config)#commit | Commit the candidate configuration to the running configuration |
(config)#exit | Exit configure mode |
Validation
#show ssh server
ssh server enabled port: 22
authentication-retries 2
#show running-config ssh server
feature ssh vrf management
ssh login-attempts 2 vrf management
SSH Client Session
When the device acts as an SSH client, it supports both SSH IPv4 sessions to log into the remote machine.
#ssh root@10.10.10.1 vrf management | Log into remote machine using an IPv4 address |
SSH Keys
Use the ssh key command to generate new RSA/DSA keys for the SSH server. By default, the system has RSA/DSA public/private key pair placed in /etc/ssh/. If you want to regenerate RSA keys, you must specify the force option.
Configuration
#ssh keygen host rsa vrf management | Specify the force option to regenerate SSH RSA keys. This option overwrites the existing key. |
Validation
#sh ssh key
****************RSA KEY********************
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMuVc0jpNgMyNzaqzIELX6LlsaK/1q7pBixmwHAGDsZm/dClTLb18AIB27W68YD8k0+Yw0LR0rHuPtNeSFMEsMaQxsaLkSi7yg86xSJaqgLQTyOUTS/OC9hreXkJ73ay
n0yXa8+bre0oyJq1NWxAI9B1jEhfSSAipoDSp/dmc93VJyV+3hgy1FMTAheyebQaUVeLBEMH7siRlSfyo7OHsBYSF6GzAmSuCm6PAelpHm/3L4gChcnPL+0outQOifCSLdUOXEZhTFXrzC61l+14LGt8pR6YN+2uEnU6kq1i
aDLEffIWK4dWCp67JUIef1BTOvxRurpssuRdslhJQXDFaj
bitcount: 2048 fingerprint: a4:23:5d:8a:5a:54:8b:3e:0b:38:06:79:82:e9:83:48
**************************************
****************DSA KEY********************
ssh-dsa AAAAB3NzaC1kc3MAAACBALpY6MFhFPYI+VcAHzHppnwVnNXv9oR/EGHUM50BBqdQE1Qi1mlt1rft4oa4tYR46P4gazKnnNfVE/97FwEbCZaXaz9Wzfcfa3ALtsvGdyNQQk2BebYiRnmeWnS3wGV0M/D64bAiV0
2p/LyF6D0ygMnZ3up3ttTN5QfHeyYQtwyzAAAAFQD+k6wQyr51IhXIQSsQD8by8qxjUwAAAIB0LxP3ljnfzxEXyEkNNzlxCcJ7ZZkFYUmtDJxRZlDceuSf4QipMrQVrdrgdqZNhrUiDWM/HaCMO9LdEQxfPh5TaIwPyccngn
VUS83Tx577ofBW6hellTey3B3/3I+FfiGKUXS/mZSyf5FW3swwyZwMkF0mV0SRCYTprnFt5qx8awAAAIEAjDNqMkyxUvB6JBqfo7zbGqXjBQmJ+dE8fGjI2znlgq4lhYcMZJVNwTiydDIgMVNFfKc1dAT3zr6qMZfGv56EbK
1qUu103K5CF44XfVkYNcHJV+/fcfAJasGU8W6oSbU5Q08abyMsIGRYTurOMkRhvif6sxvieEpVnVK2/nPVVXA=
bitcount: 1024 fingerprint: d9:7a:80:e0:76:48:20:72:a6:5b:1c:67:da:91:9f:52
**************************************
Note: The newly created rsa/dsa key can be verified by logging into the device from a remote machine and checking whether the newly created key's fingerprint matches with the logging session fingerprint.
IPv6 Address Configuration
SSH is performed with IPv6 IP and verified by logging in on remote PC.
Topology
Figure 4-5 shows the sample configuration of SSH.
SSH Configuration topology
DUT
#configure terminal | Enter configure mode |
(config)#ssh login-attempts 2 vrf management | Set the number of login attempts to 2 |
(config)#commit | Commit the candidate configuration to the running configuration |
(config)#exit | Exit configure mode |
Validation
#show ssh server ssh server
ssh server enabled port: 22
authentication-retries 2
#show running-config ssh server
feature ssh vrf management
ssh login-attempts 2 vrf management
SSH Client Session
When the device acts as an SSH client, it supports both SSH IPv6 sessions to log into the remote machine.
#ssh root@2001::1 vrf management | Log into remote machine using an IPv6 address |
SSH Keys
Use the SSH key command to generate new RSA/DSA keys for the SSH server. By default, the system has RSA/DSA public/private key pair placed in /etc/ssh/. If you want to regenerate RSA keys, you must specify the force option.
#ssh keygen host rsa vrf management | Specify the force option to regenerate SSH RSA keys. This option overwrites the existing key. |
Validation
#sh ssh key ****************RSA KEY********************
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMuVc0jpNgMyNzaqzIELX6LlsaK/ 1q7pBixmwHAGDsZm/ dClTLb18AIB27W68YD8k0+Yw0LR0rHuPtNeSFMEsMaQxsaLkSi7yg86xSJaqgLQTyOUTS/ OC9hreXkJ73ay n0yXa8+bre0oyJq1NWxAI9B1jEhfSSAipoDSp/ dmc93VJyV+3hgy1FMTAheyebQaUVeLBEMH7siRlSfyo7OHsBYSF6GzAmSuCm6PAelpHm/ 3L4gChcnPL+0outQOifCSLdUOXEZhTFXrzC61l+14LGt8pR6YN+2uEnU6kq1i aDLEffIWK4dWCp67JUIef1BTOvxRurpssuRdslhJQXDFaj bitcount: 2048 fingerprint: a4:23:5d:8a:5a:54:8b:3e:0b:38:06:79:82:e9:83:48 **************************************
****************DSA KEY********************
ssh-dsa AAAAB3NzaC1kc3MAAACBALpY6MFhFPYI+VcAHzHppnwVnNXv9oR/ EGHUM50BBqdQE1Qi1mlt1rft4oa4tYR46P4gazKnnNfVE/ 97FwEbCZaXaz9Wzfcfa3ALtsvGdyNQQk2BebYiRnmeWnS3wGV0M/D64bAiV0 2p/ LyF6D0ygMnZ3up3ttTN5QfHeyYQtwyzAAAAFQD+k6wQyr51IhXIQSsQD8by8qxjUwAAAIB0LxP3ljn fzxEXyEkNNzlxCcJ7ZZkFYUmtDJxRZlDceuSf4QipMrQVrdrgdqZNhrUiDWM/ HaCMO9LdEQxfPh5TaIwPyccngn VUS83Tx577ofBW6hellTey3B3/3I+FfiGKUXS/ mZSyf5FW3swwyZwMkF0mV0SRCYTprnFt5qx8awAAAIEAjDNqMkyxUvB6JBqfo7zbGqXjBQmJ+dE8fG jI2znlgq4lhYcMZJVNwTiydDIgMVNFfKc1dAT3zr6qMZfGv56EbK1qUu103K5CF44XfVkYNcHJV+/ fcfAJasGU8W6oSbU5Q08abyMsIGRYTurOMkRhvif6sxvieEpVnVK2/nPVVXA= bitcount: 1024 fingerprint: d9:7a:80:e0:76:48:20:72:a6:5b:1c:67:da:91:9f:52 **************************************
SSH Encryption Cipher
Specify an SSH cipher to encrypt an SSH session. By default, all the ciphers are supported for a new SSH client to connect to the SSH server.
SSH supports these encryption algorithms:
• Advanced Encryption Standard Counter:
• aes128-ctr
• aes192-ctr
• aes256-ctr
• aes128-cbc
• Advanced Encryption Standard Cipher Block Chaining:
• aes192-cbc
• aes256-cbc
• Triple Data Encryption Standard Cipher Block Chaining:
• 3des-cbc
Configuration
#configure terminal | Enter configure mode |
(config)#ssh server algorithm encryption aes128-ctr vrf management | Set the SSH server encryption algorithm to AES 128 bit counter |
(config)#ssh server algorithm encryption aes128-cbc vrf management | Set the SSH server encryption algorithm to AES 128 cipher block chaining |
(config)#commit | Commit the candidate configuration to the running configuration |
(config)#exit | Exit configure mode |
Validation
The new cipher encryption algorithm takes effect for a new incoming ssh client connection.
#show running-config ssh server
feature ssh vrf management
ssh server algorithm encryption aes128-ctr aes128-cbc vrf management
SSH Client Session
#ssh cipher aes128-ctr root@1.1.1.1 vrf management | Specify AES 128-bit counter encryption to establish an SSH connection to a remote machine using an IPv4 address |
SSH Key-Based Authentication
Enable OcNOS device SSH server to perform public key based SSH authentication, to enable machine to machine communication possible without requiring password. Public key based authentication increases the trust between two Linux servers for easy file synchronization or transfer. Public-key authentication with SSH is more secure than password authentication, as it provides much stronger identity checking through keys.
Topology
SSH Key-based authentication
Public Key Authentication Method
The server has the public key of the user stored; using this the server creates a random value, encrypts it with the public key and sends it to the user. If the user is who is supposed to be, he can decrypt the challenge using the private key and send it back to the server, server uses the public key again to decrypt received message to confirm the identity of the user. SSH is supported in-band (default VRF) and out of band (management VRF). Installed keys are stored in the ~/.ssh/authorized_keys file.
SSH key based authentication steps:
1. Login to remote machine Linux desktop (ssh client) and generate the key pair using the ssh-keygen command.
2. Create the username in OcNOS device (ssh server).
3. Install the public key of remote Linux ssh client in the OcNOS device.
4. Display the installed key in the OcNOS device using the show running-config command.
5. Log in from the remote Linux ssh client to the OcNOS device without providing a password.
Useful Commands on Remote Desktop Client
# ssh-keygen | To generate key pair on remote Linux machine (ssh client) |
# cd /bob/.ssh/ | To go to the location of saved key pair |
# cat id_rsa.pub | Command to display the generated public key in remote Linux client |
Configuration commands in OcNOS
(config)#configure terminal | Enter configure mode. |
(config)#feature ssh vrf management | Enable the SSH feature on vrf management. To enable in default vrf give the command "feature ssh" |
(config)#username fred | To create username with default role as network-user. To create user with different role specify role using command "username <username> role <role_name> |
(config)#username fred sshkey ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8XhFiGlZP6yY6qIWUkew884NvqXqMPSOw3fQe5kgpXvX0SbcU15axI/VHVgU2Y0/ogAtRUlAk5soRrf5lZ2+rT0zNP37m+Tm5HIEFKZZut0FffGSuXtPKbE+GGlQYHEzC8RSnqQuHlxrlve3lGbB1UUxuWhMzJfgc2vZ78V2znd2zk4ygiN1jx1sE8UI98WyIcwuq44tzuIaUYAICIfrQJXriQml+QcJ9NER5O8rMS5D5NnTVh1nroqoozY8i/qMKfhCFMbysjiDMHU9GclNsNbIF/DQbvWEskFFEvf6fOrzXyvq26NpgaJnZ4pQVzgkOaVw16Cy3csoTncw0vyXV bob@localhost.localdomain | Install the public key of remote Linux client in OcNOS device. |
(config)#commit | Commit the candidate configuration to the running configuration |
(config)#exit | Exit configure mode. |
Validation
The new cipher encryption algorithm takes effect for a new incoming ssh client connection.
#show running-config
<skipped other content>
feature ssh vrf management
username fred role network-user
username fred sshkey
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8XhFiGlZP6yY6qIWUkew884NvqXqMPSOw3fQe5kgpXvX0SbcU15axI/VHVgU2Y0/ogAtRUlAk5soRrf5lZ2+rT0zNP37m+Tm5HIEFKZZut0FffGSuXtPKbE+GGlQYHEzC8RSnqQuHlxrlve3lGbB1UUxuWhMzJfgc2vZ78V2znd2zk4ygiN1jx1sE8UI98WyIcwuq44tzuIaUYAICIfrQJXriQml+QcJ9NER5O8rMS5D5NnTVh1nroqoozY8i/qMKfhCFMbysjiDMHU9GclNsNbIF/DQbvWEskFFEvf6fOrzXyvq26NpgaJnZ4pQVzgkOaVw16Cy3csoTncw0vyXV bob@localhost.localdomain
<skipped other content>
#show running-config ssh server
feature ssh vrf management
SSH Key-based Client Session
#ssh fred@10.10.26.186 | Specify user name and ip address to access the device. Supports IPv4 and IPv6.User should be able to access without password and through key based authentication |
Restrictions
• Key generation or installation are not supported for "root" user account in OcNOS device.
• Third party SSH utilities cannot be used for key installation, rather OcNOS CLI is the only way to install public keys.
Sample Use Case
1. Login to remote machine linux desktop (ssh client) and generate the key pair using the ssh-keygen command.
[bob@localhost ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/bob/.ssh/id_rsa):
/bob/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /bob/.ssh/id_rsa.
Your public key has been saved in /bob/.ssh/id_rsa.pub.
The key fingerprint is:
b2:d0:cc:d2:dd:db:3d:05:c1:33:fc:4a:df:8e:85:af bob@localhost.localdomain
The key's randomart image is:
+--[ RSA 2048]----+
| o. |
| =. |
| .+ |
| = . . ...|
| o * S . . +o|
| o o o .o.+|
| . . . o= |
| ..o|
| E. |
+-----------------+
[bob@localhost ~]# cd /bob/.ssh/
[bob@localhost .ssh]# cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8XhFiGlZP6yY6qIWUkew884NvqXqMPSOw3fQe5kgpXvX0SbcU15axI/VHVgU2Y0/ogAtRUlAk5soRrf5lZ2+rT0zNP37m+Tm5HIEFKZZut0FffGSuXtPKbE+GGlQYHEzC8RSnqQuHlxrlve3lGbB1UUxuWhMzJfgc2vZ78V2znd2zk4ygiN1jx1sE8UI98WyIcwuq44tzuIaUYAICIfrQJXriQml+QcJ9NER5O8rMS5D5NnTVh1nroqoozY8i/qMKfhCFMbysjiDMHU9GclNsNbIF/DQbvWEskFFEvf6fOrzXyvq26NpgaJnZ4pQVzgkOaVw16Cy3csoTncw0vyXV bob@localhost.localdomain
[bob@localhost .ssh]#
2. Create username in OcNOS switch device (ssh server)
(config)#username fred
Note: By default, the user role is network-user.
3. Install the public key of remote Linux ssh client in OcNOS device.
(config)#username fred sshkey
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8XhFiGlZP6yY6qIWUkew884NvqXqMPSOw3fQe5kgpXvX0SbcU15axI/VHVgU2Y0/ogAtRUlAk5soRrf5lZ2+rT0zNP37m+Tm5HIEFKZZut0FffGSuXtPKbE+GGlQYHEzC8RSnqQuHlxrlve3lGbB1UUxuWhMzJfgc2vZ78V2znd2zk4ygiN1jx1sE8UI98WyIcwuq44tzuIaUYAICIfrQJXriQml+QcJ9NER5O8rMS5D5NnTVh1nroqoozY8i/qMKfhCFMbysjiDMHU9GclNsNbIF/DQbvWEskFFEvf6fOrzXyvq26NpgaJnZ4pQVzgkOaVw16Cy3csoTncw0vyXV bob@localhost.localdomain
4. Display the installed key in OcNOS device using the show running-config command.
#show running-config
<skipped other content>
username fred role network-user
username fred sshkey
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8XhFiGlZP6yY6qIWUkew884NvqXqMPSOw3fQe5kgpXvX0SbcU15axI/VHVgU2Y0/ogAtRUlAk5soRrf5lZ2+rT0zNP37m+Tm5HIEFKZZut0FffGSuXtPKbE+GGlQYHEzC8RSnqQuHlxrlve3lGbB1UUxuWhMzJfgc2vZ78V2znd2zk4ygiN1jx1sE8UI98WyIcwuq44tzuIaUYAICIfrQJXriQml+QcJ9NER5O8rMS5D5NnTVh1nroqoozY8i/qMKfhCFMbysjiDMHU9GclNsNbIF/DQbvWEskFFEvf6fOrzXyvq26NpgaJnZ4pQVzgkOaVw16Cy3csoTncw0vyXV bob@localhost.localdomain
<skipped other content>
5. Login from remote Linux ssh client to OcNOS device without providing password
[bob@localhost .ssh]# ssh fred@10.10.26.186