
12.6 SSH Configuration
12.6.1 Introduction to SSH
When remote users administer a router across an insecure network, Secure Shell (SSH) provides authentication and protects the session against IP spoofing, plain-text password interception and similar attacks. The router can work as an SSH server, as an SSH client, or as both. As a server it accepts connections from multiple SSH clients; as a client it can open SSH connections to routers and UNIX hosts acting as SSH servers. Currently SSH 2.0 is supported. Figure 12-9 and Figure 12-10 illustrate the two ways of establishing an SSH channel between a client and a server:

Figure 12-9 Establish an SSH channel in a LAN

Figure 12-10 Establish an SSH channel through a WAN

To establish an SSH connection, the server and the client go through the following five phases:

1) Version number negotiation
The client opens a TCP connection to the server. Once the TCP connection is established, the server and the client negotiate a protocol version. If the negotiation succeeds, the key algorithm negotiation phase starts; otherwise the server tears down the TCP connection.

2) Key algorithm negotiation
The server generates an RSA key pair and an 8-byte random number, and sends its public key and the random number to the client. Both sides feed the server's public key and the 8-byte number into the same algorithm to compute a 16-byte session ID. The client then generates a random number of its own, computes the session key from it and the server's public key, encrypts that random number with the server's public key and sends the result to the server. The server decrypts it with its private key, recovers the client's random number and computes the session key with the same algorithm. Both ends now hold the same session key and use it to encrypt and decrypt all further traffic.

Note that this description matches the RSA-based key exchange of SSH 1.x. An SSH 2.0 session instead derives the session key with Diffie-Hellman (the dh_group1 and dh_exchange_group methods that the ssh2 client command in section 12.6.4 lets you prefer), and the server's RSA host key signs the exchange rather than encrypting a client secret.

3) Authentication mode negotiation
The client sends its user name to the server, and the server starts the authentication process for that user. If the user needs no authentication, the server proceeds directly to the session request phase. Otherwise the client authenticates itself to the server with the negotiated mode until authentication succeeds or the server tears down the connection on timeout.

Note: SSH provides two authentication modes, password and RSA.
1) Password authentication: the client sends the user name and password to the server, which compares them with the local configuration. If they match exactly, authentication succeeds.
2) RSA authentication: the client's RSA public key is configured on the server. The client sends the modulus of its RSA public key to the server, which checks it against the configured key. If the modulus is valid, the server generates a random number, encrypts it with the client's public key and sends the ciphertext to the client. Both sides then compute authentication data from the random number and the session ID. The client sends its authentication data to the server, which compares it with the value computed locally; if the two match, authentication succeeds.

4) Session request
If authentication succeeds, the client sends a session request to the server. Once the server has processed the request, SSH enters the interactive session phase.

5) Interactive session
The client and the server exchange data until the session ends.

Caution: If the router works as an SSH server, a SecureCRT client with Enable OpenSSH agent forwarding turned on cannot log in to it.
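The RSA challenge-response from the note above, as an added illustration written for this page; it is not code from the router or from its vendor. The manual names neither the RSA padding nor the algorithm that turns the random number and session ID into "authentication data", so the example assumes textbook RSA with no padding and MD5 over the random number concatenated with the session ID. The function names, the Miller-Rabin key generator and the 16-byte session ID are all constructed here so the exchange runs offline:

```python
"""RSA user authentication as a challenge-response exchange.

Added example for this page, not vendor code.  Assumptions: textbook RSA
(no padding) and authentication data = MD5(random number || session ID);
the manual states neither.
"""
import hashlib
import secrets

# Small primes for a quick sieve before the Miller-Rabin rounds.
SMALL_PRIMES = [p for p in range(3, 200)
                if all(p % q for q in range(2, int(p ** 0.5) + 1))]


def is_probable_prime(n, rounds=40):
    """Miller-Rabin primality test; adequate for building demo keys."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in 2..n-2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    """Random odd prime with exactly `bits` bits."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def gen_rsa_keypair(bits=1024, e=65537):
    """Return ((n, e), (n, d)).  The client runs this and configures (n, e)
    on the router with rsa peer-public-key; the manual wants bits >= 768."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                    # e is prime, so gcd is 1
            n = p * q
            if n.bit_length() == bits:
                return (n, e), (n, pow(e, -1, phi))


def auth_data(challenge, session_id):
    """Both sides derive this from the random number and the 16-byte session
    ID.  256 bytes holds any value below the 2048-bit modulus maximum."""
    return hashlib.md5(challenge.to_bytes(256, "big") + session_id).digest()


def server_make_challenge(client_pub):
    """Server step: pick a random number and encrypt it to the configured
    client public key.  Returns (plain r kept by the server, ciphertext)."""
    n, e = client_pub
    r = secrets.randbits(255)                     # always below the modulus
    return r, pow(r, e, n)


def client_answer(client_priv, encrypted, session_id):
    """Client step: recover r with the private key and bind it to the session."""
    n, d = client_priv
    return auth_data(pow(encrypted, d, n), session_id)


def server_verify(r, session_id, answer):
    """Server step: compare the client's answer with the local computation."""
    return secrets.compare_digest(auth_data(r, session_id), answer)


def run_rsa_authentication(client_pub, client_priv, session_id):
    """Whole exchange; True when the client proves it holds the private key."""
    r, encrypted = server_make_challenge(client_pub)
    return server_verify(r, session_id,
                         client_answer(client_priv, encrypted, session_id))


if __name__ == "__main__":
    pub, priv = gen_rsa_keypair(1024)
    session_id = secrets.token_bytes(16)          # constructed, see phase 2
    print("RSA authentication succeeded:", run_rsa_authentication(pub, priv, session_id))
```

A real SSH implementation pads the RSA ciphertext (raw RSA as shown is malleable) and, like this example, binds the answer to the session ID so a captured response cannot be replayed against another session; that binding is why server_verify fails when the session ID differs.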

12.6.2 SSH Configuration


SSH configuration includes:

I. Configuring the SSH server

  Set the protocols supported on the current user interface
  Create a local RSA key pair
  Configure the authentication mode for SSH users
  Create SSH users
  Set an interval for updating the server key (optional)
  Set the timeout time of SSH authentication (optional)
  Set the maximum number of SSH authentication retries
  Enter public key view
  Enter public key edit view
  Exit public key edit view
  Assign a public key to an SSH user
  Configure a service type for an SSH user
  Set SSH version compatibility (optional)
  Specify a source interface/IP address for the SSH server (optional)

II. Configuring the SSH client

  Enable the SSH client
  Configure public key to server associations
  Configure SSH server first-time authentication
  Specify a source interface/IP address for the SSH client (optional)

12.6.3 Configuring the SSH Server


I. Setting the protocols supported on a user interface
This configuration specifies the protocols the system accepts on a user interface. By default both Telnet and SSH are supported. If SSH is enabled but no local RSA key pair has been created, users cannot log in through SSH. The setting takes effect at the next login. Perform the following operation in the user interface view of a VTY.

Table 12-16 Set the protocols supported by the system on a user interface
  Operation: Set the protocols supported by the system on the user interface
  Command:   protocol inbound { all | ssh | pad | }

Caution: If the user interface is restricted to SSH, you must configure authentication-mode scheme for the login to succeed; with authentication-mode password or authentication-mode none, the protocol inbound ssh command is rejected. Likewise, a user interface that already accepts SSH does not allow authentication-mode password or authentication-mode none to be configured.

II. Creating/destroying a local RSA key pair

This configuration generates the local server key pair and host key pair. If RSA key pairs already exist, the system asks whether to replace them. The generated key pairs are named router name + server and router name + host respectively. The server key differs from the host key in at least 128 bits. The server key and host key are at least 512 bits and at most 2048 bits long; the default length is 1024 bits. Perform the following operation in system view.

Table 12-17 Create and destroy a local RSA key pair
  Operation: Create a local RSA key pair
  Command:   rsa local-key-pair create
  Operation: Destroy a local RSA key pair
  Command:   rsa local-key-pair destroy

Caution: Generating the local RSA key pair is the first step in enabling SSH login. Run rsa local-key-pair create before any other SSH configuration. The key pair survives a restart, so the command need not be run again after the router restarts. If the router works as an SSH 2.0 server, the key pair generated with rsa local-key-pair create must be at least 768 bits long; otherwise SSH 2.0 clients cannot log in. For RSA authentication of an SSH 2.0 client, the key pair generated by that client must also be at least 768 bits. Note that 768-bit and 1024-bit RSA keys are well below current recommendations; use the 2048-bit maximum wherever the clients support it.

III. Configuring an authentication mode for SSH users

This configuration specifies an authentication mode for SSH users. A newly configured authentication mode takes effect at the next login. Perform the following configuration in system view.

Table 12-18 Configure the authentication mode for SSH users
  Operation: Specify an authentication mode for an SSH user
  Command:   ssh user username authentication-type { password | rsa | all }
  Operation: Restore the default, where login is always denied
  Command:   undo ssh user username authentication-type
  Operation: Specify a default authentication mode for SSH users
  Command:   ssh authentication-type default { password | rsa | all | password-publickey }
  Operation: Delete the default authentication mode for SSH users
  Command:   undo ssh authentication-type default

The mode set with ssh user username authentication-type applies to a single SSH user, while the mode set with ssh authentication-type default applies to all SSH users. For a given user the per-user setting always takes precedence over the default.

Note: With password authentication, the user name given in the ssh user username authentication-type command must match a user name defined in AAA. With RSA authentication, the argument is a local SSH user name and need not be defined in AAA.

IV. Creating SSH users

All SSH users must be authenticated. Before creating an SSH user with the ssh user command, specify a default authentication mode with the ssh authentication-type default command. Perform the following configuration in system view.

Table 12-19 Create an SSH user
  Operation: Create an SSH user
  Command:   ssh user username
  Operation: Delete an SSH user
  Command:   undo ssh user username

Note: With password authentication, the user name given in the ssh user command must match a user name defined in AAA. With RSA authentication, the argument is a local SSH user name and need not be defined in AAA. If the default authentication mode for SSH users is password and local AAA authentication is used, the ssh user command is not required: create the user name and password with the local-user command and set the user's service type to SSH.

V. Setting an interval for updating the server key

To keep connections to the SSH server secure, update its server key regularly. Perform the following configuration in system view.

Table 12-20 Set an interval for updating the SSH server key
  Operation: Set an interval for updating the SSH server key
  Command:   ssh server rekey-interval hours
  Operation: Restore the default update interval
  Command:   undo ssh server rekey-interval

By default, the server key is not updated.

VI. Setting the timeout time of SSH authentication

This configuration sets the time within which SSH authentication must complete. Perform the following configuration in system view.

Table 12-21 Set the timeout time of SSH authentication
  Operation: Set the timeout time of SSH authentication
  Command:   ssh server timeout seconds
  Operation: Restore the default timeout time of SSH authentication
  Command:   undo ssh server timeout

By default, the timeout time is 60 seconds.

VII. Setting the maximum number of SSH authentication retries

To limit password guessing and similar abuse, cap the number of SSH authentication retries. Perform the following configuration in system view.

Table 12-22 Set the maximum number of SSH authentication retries
  Operation: Set the maximum number of SSH authentication retries
  Command:   ssh server authentication-retries times
  Operation: Restore the default maximum number of SSH authentication retries
  Command:   undo ssh server authentication-retries

The maximum number of SSH authentication retries defaults to 3. For password-publickey authentication the maximum must be greater than 2, because one attempt is consumed by sending the public key; otherwise the SSH client cannot log in to the SSH server.

VIII. Configuring a client public key

There are two ways to configure a client public key.

1) Manual configuration
Enter public key view with the rsa peer-public-key command, then enter and leave public key edit view with the public-key-code begin and public-key-code end commands to type or paste the client public key.

Table 12-23 Configure a client public key manually
  Operation: At the SSH 1.5/2.0 client, generate a random RSA key pair
  Operation: Convert the public key to PKCS code with the SSHKEY.EXE tool
  Operation: Enter public key view (in system view)
  Command:   rsa peer-public-key key-name
  Operation: Enter public key edit view and paste the public key converted by SSHKEY.EXE (in public key view)
  Command:   public-key-code begin
  Operation: Return to public key view; the public key is saved automatically (in public key edit view)
  Command:   public-key-code end
  Operation: Return to system view (in public key view)
  Command:   peer-public-key end

The client public key is a hexadecimal string produced by the PKCS encoding of SSHKEY.EXE. The following shows the configuration:

[Router] rsa peer-public-key quidway002
[Router-rsa-public-key] public-key-code begin
[Router-rsa-key-code] 308186028180739A291ABDA704F5D93DC8FDF84C427463
[Router-rsa-key-code] 1991C164B0DF178C55FA833591C7D47D5381D09CE82913
[Router-rsa-key-code] D7EDF9C08511D83CA4ED2B30B809808EB0D1F52D045DE4
[Router-rsa-key-code] 0861B74A0E135523CCD74CAC61F8E58C452B2F3F2DA0DC
[Router-rsa-key-code] C48E3306367FE187BDD944018B3B69F3CBB0A573202C16
[Router-rsa-key-code] BB2FC1ACF3EC8F828D55A36F1CDDC4BB45504F020125
[Router-rsa-key-code] public-key-code end
[Router-rsa-public-key] peer-public-key end

2) Importing the key with the rsa peer-public-key key-name import sshkey filename command

Table 12-24 Configure a client public key with the rsa peer-public-key key-name import sshkey filename command
  Operation: At the SSH 1.5/2.0 client, generate a random RSA key pair and save the public key file
  Operation: Transfer the public key file to the Flash of the router through FTP or TFTP (refer to section 5.2 System Management Overview and section 5.3 System Management Overview)
  Operation: Convert the key format and configure the client public key on the router
  Command:   rsa peer-public-key key-name import sshkey filename

This method is more convenient and is recommended.

Note: The filename argument must be the name of the public key file saved on the Flash.
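The hexadecimal string pasted into public-key-code view is a DER-encoded PKCS#1 RSAPublicKey, a SEQUENCE holding the modulus and the public exponent as INTEGERs. The following added example, written for this page and not part of the manual or of SSHKEY.EXE, decodes that blob, checks the modulus length against the 768-bit minimum and 2048-bit maximum stated in section II, and re-encodes it so an entry can be verified before it is pasted into the router. The sample string is the manual's own quidway002 key; the function names and the 768/2048 constants are this example's own:

```python
"""Parse and validate the PKCS#1 RSAPublicKey hex blob that the manual pastes
into public-key-code view.  Added example, not part of the router manual or
of SSHKEY.EXE; standard library only."""
import re

# Constructed from the manual's own Table 12-23 example (the six
# [Router-rsa-key-code] lines), with the line breaks a user would paste.
QUIDWAY002_HEX = """
308186028180739A291ABDA704F5D93DC8FDF84C427463
1991C164B0DF178C55FA833591C7D47D5381D09CE82913
D7EDF9C08511D83CA4ED2B30B809808EB0D1F52D045DE4
0861B74A0E135523CCD74CAC61F8E58C452B2F3F2DA0DC
C48E3306367FE187BDD944018B3B69F3CBB0A573202C16
BB2FC1ACF3EC8F828D55A36F1CDDC4BB45504F020125
"""

# Limits stated in section 12.6.3: rsa local-key-pair create accepts 512..2048
# bits, and an SSH 2.0 peer needs at least 768 bits.
MIN_BITS_SSH2 = 768
MAX_BITS = 2048


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at buf[pos]; return (tag, value, next_pos).
    Handles short-form lengths and long-form lengths of up to 4 bytes."""
    if pos + 2 > len(buf):
        raise ValueError("DER element truncated")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("DER element truncated")
    return tag, value, pos + length


def parse_pkcs1_public_key(hex_text):
    """Decode 'SEQUENCE { INTEGER n, INTEGER e }' from the hex string and
    return (n, e).  Raises ValueError for anything that is not such a key."""
    raw = bytes.fromhex(re.sub(r"\s+", "", hex_text))
    tag, seq, end = _read_tlv(raw, 0)
    if tag != 0x30 or end != len(raw):
        raise ValueError("not a single DER SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(seq, 0)
    tag_e, e_bytes, pos = _read_tlv(seq, pos)
    if tag_n != 0x02 or tag_e != 0x02 or pos != len(seq):
        raise ValueError("SEQUENCE does not hold exactly two INTEGERs")
    if not n_bytes or not e_bytes or n_bytes[0] & 0x80 or e_bytes[0] & 0x80:
        raise ValueError("empty or negative INTEGER; not an RSA public key")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def check_router_key(hex_text):
    """Return a dict describing whether the key meets the manual's limits."""
    n, e = parse_pkcs1_public_key(hex_text)
    bits = n.bit_length()
    problems = []
    if bits < MIN_BITS_SSH2:
        problems.append("modulus shorter than 768 bits; SSH 2.0 login will fail")
    if bits > MAX_BITS:
        problems.append("modulus longer than the 2048-bit maximum")
    if n % 2 == 0 or e % 2 == 0 or e < 3:
        problems.append("modulus or exponent is not a plausible RSA value")
    return {"bits": bits, "exponent": e, "problems": problems}


def _der_len(length):
    if length < 0x80:
        return bytes([length])
    lb = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def _der_int(value):
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:                 # keep the INTEGER positive
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def encode_pkcs1_public_key(n, e):
    """Inverse of parse_pkcs1_public_key: the upper-case hex string that the
    router's public-key-code view expects."""
    body = _der_int(n) + _der_int(e)
    return (b"\x30" + _der_len(len(body)) + body).hex().upper()


if __name__ == "__main__":
    print(check_router_key(QUIDWAY002_HEX))
```

Run on the quidway002 key this reports a public exponent of 37 and a 1023-bit modulus, which clears the 768-bit SSH 2.0 minimum; a key that fails the length check is the usual cause of an RSA login being refused although the key name is assigned correctly.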

IX. Assigning a public key to an SSH user

Perform the following configuration in system view to assign a public key to an SSH user.

Table 12-25 Assign a public key to an SSH user
  Operation: Assign a public key to an SSH user
  Command:   ssh user username assign rsa-key keyname
  Operation: Remove the association between a public key and an SSH user
  Command:   undo ssh user username assign rsa-key

X. Configuring a service type for an SSH user

Perform the following configuration in system view to configure a service type for an SSH user.

Table 12-26 Configure a service type for an SSH user
  Operation: Configure a service type for an SSH user
  Command:   ssh user username service-type { stelnet | sftp | all }
  Operation: Restore the default service type for an SSH user
  Command:   undo ssh user username service-type

The default service type for an SSH user is stelnet.

XI. Setting SSH version compatibility

Perform the following configuration in system view to enable or disable support for SSH 1.x clients on the SSH server.

Table 12-27 Enable/disable the SSH server to work with SSH 1.x clients
  Operation: Enable the SSH server to work with SSH 1.x clients
  Command:   ssh server compatible_ssh1x enable
  Operation: Disable the SSH server to work with SSH 1.x clients
  Command:   undo ssh server compatible_ssh1x

By default, the SSH server accepts SSH 1.x clients. SSH 1.x has known protocol weaknesses, so disable this compatibility with undo ssh server compatible_ssh1x unless a legacy client still requires it.

XII. Specifying a source interface/IP address for the SSH server

Perform the following configuration in system view.

Table 12-28 Specify a source interface or source IP address for the SSH server
  Operation: Specify a source interface for the SSH server
  Command:   ssh-server source-interface interface-type interface-number
  Operation: Delete the source interface specified for the SSH server
  Command:   undo ssh-server source-interface
  Operation: Specify a source IP address for the packets sent by the SSH server
  Command:   ssh-server source-ip ip-address
  Operation: Delete the source IP address for the packets sent by the SSH server
  Command:   undo ssh-server source-ip

By default, the source IP address of each packet sent by the SSH server is the IP address of the interface the packet leaves through.

Note: You may specify the source IP address of packets sent by the SSH server either with the ssh-server source-interface command or with the ssh-server source-ip command. If both are configured, the one configured later overrides the earlier one.

12.6.4 Configuring the SSH Client


I. Enabling the SSH client
When enabling the SSH client to connect to a server, you can specify the preferred key exchange algorithm and the preferred encryption and HMAC algorithms for each direction between the client and the server. Perform the following configuration in system view.

Table 12-29 Enable the SSH client
  Operation: Enable the SSH client
  Command:   ssh2 { host-ip | host-name } [ port-num ] [ prefer_kex { dh_group1 | dh_exchange_group } ] [ prefer_ctos_cipher { des | 3des | aes128 } ] [ prefer_stoc_cipher { des | 3des | aes128 } ] [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ]

ctos selects the client-to-server direction and stoc the server-to-client direction. Single DES and the MD5-based HMACs are weak by current standards; prefer aes128 with sha1, and dh_exchange_group over the fixed dh_group1, whenever the server supports them.

II. Configuring public key to server associations

You need to associate an SSH server with the name assigned to its public key. When connecting to that server, the client verifies the server's identity from this association. Perform the following configuration in system view.

Table 12-30 Associate an SSH server with a public key
  Operation: Associate an SSH server with its public key
  Command:   ssh client server assign rsa-key keyname
  Operation: Remove an SSH server to public key association
  Command:   undo ssh client server assign rsa-key keyname

III. Configuring SSH server first-time authentication

The first-time authentication setting decides what the SSH client does when it accesses a server whose public key it does not hold:

With first-time authentication enabled, the SSH client may still access the server; it obtains the server's public key through negotiation and can save it locally for later accesses.

With first-time authentication disabled, the SSH client refuses to access such a server. To access it, you must save the server's public key on the SSH client beforehand (section II above).

Perform the following configuration in system view.

Table 12-31 Configure first-time authentication
  Operation: Enable SSH server first-time authentication
  Command:   ssh client first-time enable
  Operation: Disable SSH server first-time authentication
  Command:   undo ssh client first-time

By default, first-time authentication is enabled on the SSH client. Note that on that first connection the server is not authenticated at all (the client prompts "The Server is not authenticated"), so an attacker on the path can present a key of their own; for management links, disable first-time authentication and preconfigure the server's public key instead.

IV. Specifying a source interface/IP address for the SSH client

Perform the following configuration in system view.

Table 12-32 Specify a source interface or source IP address for the SSH client
  Operation: Specify a source interface for the SSH client
  Command:   ssh2 source-interface interface-type interface-number
  Operation: Delete the source interface specified for the SSH client
  Command:   undo ssh2 source-interface
  Operation: Specify a source IP address for the packets sent by the SSH client
  Command:   ssh2 source-ip ip-address
  Operation: Delete the source IP address for the packets sent by the SSH client
  Command:   undo ssh2 source-ip

By default, the source IP address of each packet sent by the SSH client is the IP address of the interface the packet leaves through.

Note: You may specify the source IP address of packets sent by the SSH client either with the ssh2 source-interface command or with the ssh2 source-ip command. If both are configured, the one configured later overrides the earlier one.

12.6.5 Displaying and Debugging

After the above configuration, execute the display commands in any view to show the running SSH configuration and verify it. Displaying and debugging SSH lets you review the configuration of the SSH users, make better use of system resources and confirm that sessions are set up securely.

Table 12-33 View relevant information about SSH
  Operation: Display the public keys of the host and server key pairs
  Command:   display rsa local-key-pair public
  Operation: Display the RSA public key of a client
  Command:   display rsa peer-public-key [ brief | name keyname ]
  Operation: Display SSH server status information or session information
  Command:   display ssh server { status | session }
  Operation: Display SSH user information
  Command:   display ssh user-information [ username ]
  Operation: Display the current source IP address setting of the SSH server
  Command:   display ssh-server source-ip
  Operation: Display the current source IP address setting of the SSH client
  Command:   display ssh2 source-ip

Execute the debugging commands in user view.

Table 12-34 Debug information on SSH
  Operation: Enable SSH server debugging
  Command:   debugging ssh server { vty index | all }
  Operation: Disable SSH server debugging
  Command:   undo debugging ssh server { vty index | all }
  Operation: Enable SSH client debugging
  Command:   debugging ssh client
  Operation: Disable SSH client debugging
  Command:   undo debugging ssh client
  Operation: Enable RSA debugging
  Command:   debugging rsa
  Operation: Disable RSA debugging
  Command:   undo debugging rsa

12.6.6 SSH Configuration Example


I. Network requirements
As shown in Figure 12-11, the console terminal (the SSH client) is connected directly to the router through an Ethernet interface. SSH 2.0 client software on the terminal is used to log in to the router securely for configuration and management. The user name of the SSH client is client001@169.254.0.1 and the password is huawei.

II. Network diagram

Figure 12-11 Network diagram for SSH server configuration

III. Configuration procedure


1) Configure the SSH server (the router)
The configuration procedure varies with the login authentication mode, but every procedure starts with creating the local RSA key pairs:

[Router] rsa local-key-pair create

Note: If local key pairs already exist, skip this step.

Set the authentication mode for the SSH user to password:

[Router] user-interface vty 0 4
[Router-ui-vty0-4] authentication-mode scheme
[Router-ui-vty0-4] protocol inbound ssh
[Router-ui-vty0-4] quit
[Router] local-user client001
[Router-luser-client001] password simple huawei
[Router-luser-client001] service-type ssh
[Router-luser-client001] quit
[Router] ssh user client001 authentication-type password
[Router] domain 169.254.0.1
[Router-isp-169.254.0.1] scheme local
[Router-isp-169.254.0.1] quit

The default authentication timeout, retry count and server key update interval can be kept. After this configuration you can run an SSH 2.0 client on a terminal connected to the router and log in with user name client001 and password huawei. Note that password simple stores the password in plain text in the configuration file; it is used here for readability only.

Set the authentication mode for the SSH user to RSA:

[Router] user-interface vty 0 4
[Router-ui-vty0-4] authentication-mode scheme
[Router-ui-vty0-4] protocol inbound ssh
[Router-ui-vty0-4] quit
[Router] ssh user client002 authentication-type rsa

Then generate an RSA key pair (public and private key) with the SSH 2.0 client software and copy the public key into the specified rsa peer-public-key on the SSH server. The RSA public key here is a hexadecimal string encoded according to the PKCS standard by the SSHKEY.EXE tool provided by the vendor.

[Router] rsa peer-public-key quidway002
[Router-rsa-public-key] public-key-code begin
[Router-rsa-key-code] 308186028180739A291ABDA704F5D93DC8FDF84C427463
[Router-rsa-key-code] 1991C164B0DF178C55FA833591C7D47D5381D09CE82913
[Router-rsa-key-code] D7EDF9C08511D83CA4ED2B30B809808EB0D1F52D045DE4
[Router-rsa-key-code] 0861B74A0E135523CCD74CAC61F8E58C452B2F3F2DA0DC
[Router-rsa-key-code] C48E3306367FE187BDD944018B3B69F3CBB0A573202C16
[Router-rsa-key-code] BB2FC1ACF3EC8F828D55A36F1CDDC4BB45504F020125
[Router-rsa-key-code] public-key-code end
[Router-rsa-public-key] peer-public-key end
[Router] ssh user client002 assign rsa-key quidway002

2)

Configure the SSH client
With password authentication, configure on the client the IP address of a reachable interface of the router (the SSH server), 169.254.0.1 in this example, set the protocol type to SSH and select SSH version 2. After the SSH connection opens, enter the user name and password to reach the router's configuration interface.

login as: client001
Sent username "client001"
client001@169.254.0.1's password:
****************************************************************************
* Copyright(c) 1998-2006 Huawei Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent,                               *
* no decompiling or reverse-engineering shall be allowed.                  *
****************************************************************************
<Router>

With RSA authentication, in addition to the configuration done for password authentication you must specify the RSA private key file generated by the client software. After the SSH connection opens, enter the user name to reach the router's configuration interface.

login as: client002
Sent username "client002"
Trying public key authentication.
No passphrase required.
****************************************************************************
* Copyright(c) 1998-2006 Huawei Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent,                               *
* no decompiling or reverse-engineering shall be allowed.                  *
****************************************************************************
<Router>

Caution: To set up an SSH connection, the user name entered at login must be the same as the one configured on the router with the ssh user username command.

12.6.7 SSH Client Configuration Example


I. Network requirements
Router B works as the SSH client with user name client003. Router A works as the SSH server with IP address 10.165.87.136.

II. Network diagram

Figure 12-12 Network diagram for SSH client configuration

III. Configuration procedure


1) Configure the SSH server (Router A)
Refer to the configuration procedure in section 12.6.6 SSH Configuration Example.

2) Configure the SSH client (Router B)

# Enable SSH server first-time authentication.

[Router] ssh client first-time enable

# Enable the SSH client. The configuration depends on the authentication mode in use.

With password authentication and the default algorithms:

[Router] ssh2 10.165.87.136
Please input the username: client003
Trying 10.165.87.136
Press CTRL+K to abort
Connected to 10.165.87.136...
The Server is not authenticated.Do you continue access it?(Y/N):y
Do you want to save the server's public key?(Y/N):y
Enter password:
****************************************************************************
* Copyright(c) 1998-2006 Huawei Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent,                               *
* no decompiling or reverse-engineering shall be allowed.                  *
****************************************************************************
<Router>

With RSA authentication:

[Router] ssh2 10.165.87.136 22 prefer_kex dh_group1 prefer_ctos_cipher des prefer_stoc_cipher 3des prefer_ctos_hmac md5 prefer_stoc_hmac md5
Please input the username: client003
Trying 10.165.87.136...
Press CTRL+K to abort
Connected to 10.165.87.136...
The Server is not authenticated.Do you continue access it?(Y/N):y
Do you want to save the server's public key?(Y/N):y
****************************************************************************
* Copyright(c) 1998-2006 Huawei Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent,                               *
* no decompiling or reverse-engineering shall be allowed.                  *
****************************************************************************
<Router>

The two Y/N prompts appear because first-time authentication is enabled and Router B does not yet hold Router A's public key; answering y accepts a key that has not been verified. The algorithm options in the RSA example only illustrate the syntax; for a production link prefer aes128 and sha1 over des and md5.
