6 SSH Configuration
12.6.1 Introduction to SSH
When remote users connect to routers across insecure networks, secure shell (SSH) provides authentication and protection against IP spoofing, plain-text password interception and other attacks. Your router can work as an SSH server and/or an SSH client. As an SSH server, it accepts connections from multiple SSH clients; as an SSH client, it establishes SSH connections with routers and UNIX hosts working as SSH servers. Currently, SSH 2.0 is supported. Figure 12-9 and Figure 12-10 illustrate two methods for establishing an SSH channel between a client and a server:
Figure 12-10 Establish an SSH channel through a WAN

To establish an SSH connection, the server and the client go through the following five phases:

1) Version number negotiation
The client starts a TCP connection to the server. After the TCP connection is established, the server and the client negotiate a version number. If the negotiation succeeds, the key algorithm negotiation phase starts; otherwise, the server tears down the TCP connection.

2) Key algorithm negotiation
The server generates an RSA key pair and an 8-byte random number, and sends the public key and the random number to the client. Both the server and the client use the server's public key and the 8-byte random number as parameters to calculate a 16-byte session ID with the same algorithm. The client uses the server's public key and a locally generated random number as parameters to calculate a session key. The client encrypts that locally generated random number with the server's public key and sends the result to the server. The server decrypts the data with its private key and obtains the random number generated by the client. Using its own public key and the random number sent by the client as parameters, the server calculates the session key with the same algorithm the client used.
Thus, the server and the client obtain the same session key. During the session, both ends use this session key for encryption and decryption, guaranteeing the security of data transfer.

3) Authentication mode negotiation
The client sends its username to the server. The server starts a process to authenticate the user. If the user needs no authentication, the server proceeds directly to the session request phase. Otherwise the client keeps trying the authentication mode with the server until authentication succeeds or the server tears down the connection on timeout.

Note: SSH provides two authentication modes: password and RSA.
Password authentication procedure: The client sends the username and password to the server. The server compares the received username and password with the local configuration. If it finds an exact match, the authentication succeeds.
RSA authentication procedure: The server is configured with the client's RSA public key. The client sends the modulus of its RSA public key to the server. The server verifies the modulus. If it is valid, the server generates a random number, encrypts it with the client's RSA public key, and sends the encrypted result back to the client. Both the server and the client use the random number and the session ID as parameters to calculate authentication data. The client sends the authentication data it generated to the server. The server compares the received authentication data with the data it calculated locally. If they match, the authentication succeeds.

4) Session request
If the authentication succeeds, the client sends a session request to the server. When the server has processed the request successfully, SSH enters the interactive session phase.

5) Interactive session
The client and the server exchange data until the session is over.
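The key algorithm negotiation (phase 2) and the RSA authentication procedure (phase 3) described above, as an added example that is not part of the manual: both sides' messages are simulated in one process with toy textbook RSA on tiny primes, and because the manual does not name the derivation algorithm, a truncated SHA-256 is assumed for the 16-byte session ID, the session key and the authentication data.

```python
import hashlib
import secrets

# Toy textbook RSA on tiny primes: a hypothetical stand-in for the router's
# RSA key pair so that the exchange runs on the standard library alone.
def rsa_keygen(p, q, e=17):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))  # (public, private)

def rsa_encrypt(pub, m):
    return pow(m, pub[1], pub[0])

def rsa_decrypt(priv, c):
    return pow(c, priv[1], priv[0])

def derive(data):
    # The manual only says both ends use "the same algorithm"; a truncated
    # SHA-256 is assumed here for the 16-byte session ID, key and auth data.
    return hashlib.sha256(data).digest()[:16]

def key_negotiation(srv_pub, srv_priv):
    """Phase 2. Returns ((session_id, server_key), (session_id, client_key))."""
    n, e = srv_pub
    pub_bytes = n.to_bytes(4, "big") + e.to_bytes(4, "big")
    rand8 = secrets.token_bytes(8)                   # server -> client: public key + 8-byte random
    session_id = derive(pub_bytes + rand8)           # 16-byte session ID, computed at both ends
    client_rand = secrets.randbelow(n - 2) + 2       # client's locally generated random number
    ciphertext = rsa_encrypt(srv_pub, client_rand)   # client -> server, under the server's public key
    client_key = derive(pub_bytes + client_rand.to_bytes(4, "big"))
    server_rand = rsa_decrypt(srv_priv, ciphertext)  # server recovers the client's random number
    server_key = derive(pub_bytes + server_rand.to_bytes(4, "big"))
    return (session_id, server_key), (session_id, client_key)

def rsa_authenticate(configured_pub, client_priv, session_id, challenge=None):
    """Phase 3, RSA mode. configured_pub is the client key configured on the server."""
    n, _ = configured_pub
    if challenge is None:
        challenge = secrets.randbelow(n - 2) + 2
    ciphertext = rsa_encrypt(configured_pub, challenge)     # server -> client
    client_chal = rsa_decrypt(client_priv, ciphertext)      # client decrypts with its private key
    client_auth = derive(client_chal.to_bytes(4, "big") + session_id)  # client -> server
    expected = derive(challenge.to_bytes(4, "big") + session_id)       # server's own copy
    return client_auth == expected

if __name__ == "__main__":
    srv_pub, srv_priv = rsa_keygen(61, 53)
    cli_pub, cli_priv = rsa_keygen(97, 89)
    (sid, skey), (_, ckey) = key_negotiation(srv_pub, srv_priv)
    print("session keys agree:", skey == ckey, "| RSA auth:", rsa_authenticate(cli_pub, cli_priv, sid))
```

A client presenting a private key other than the one configured on the server fails the comparison in the last step, which is what the page's "if they match, the authentication succeeds" amounts to.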
Caution: If the router works as an SSH server, a client that uses SecureCRT with Enable OpenSSH agent forwarding configured cannot log onto the SSH server.
SSH server configuration tasks:
1) Set the protocols supported on the current user interface
2) Create a local RSA key pair
3) Configure the authentication mode for an SSH user
4) Create SSH users
5) Set an interval for updating the server key (optional)
6) Set the SSH authentication timeout (optional)
7) Set the maximum number of SSH authentication retries
8) Enter public key view
9) Enter public key edit view
10) Exit public key edit view
11) Assign a public key to an SSH user
12) Configure a service type for an SSH user
13) Set SSH version compatibility (optional)

SSH client configuration tasks:
1) Enable the SSH client
2) Configure public key to server associations
3) Configure SSH server first-time authentication
Caution: If the protocol supported by the user interface is set to SSH, you must set the authentication mode to authentication-mode scheme to ensure a successful login; if you use authentication-mode password or authentication-mode none, the configuration of the protocol inbound ssh command fails. Likewise, an SSH-enabled user interface does not allow the configuration of authentication-mode password or authentication-mode none.
Caution: Generating the local RSA key pair is the prerequisite for SSH login. Before performing any other SSH configuration, you must run the rsa local-key-pair create command to generate the local key pair. It is unnecessary to execute this command again after the router restarts. If the router works as an SSH 2.0 server, the key pair generated with the rsa local-key-pair create command must be at least 768 bits; otherwise, the SSH 2.0 client cannot log on successfully. For RSA authentication of an SSH 2.0 client, the key pair generated by the SSH 2.0 client must be at least 768 bits as well.
ssh authentication-type default { password | rsa | all | password-publickey }
undo ssh authentication-type default
The authentication mode specified with the ssh user username authentication-type command applies only to that SSH user, while the one specified with the ssh authentication-type default command is the default authentication mode for all SSH users. For an SSH user, the mode configured with the ssh user username authentication-type command always takes precedence over the one configured with the ssh authentication-type default command.
Note: If password authentication is adopted, the user name specified in the ssh user authentication-type command must be consistent with the user name defined in AAA. If RSA authentication is adopted, this argument is a local SSH user name and need not be defined in AAA.
The maximum number of SSH authentication retries defaults to 3. For password-publickey authentication, the maximum number of retries must be greater than two, because one attempt is consumed by sending the public key. Otherwise, the SSH client cannot log into the SSH server.
public-key-code begin
public-key-code end
The client public key is a hexadecimal character string generated by the SSHKEY.EXE software, which encodes the key in PKCS format. The following shows the configuration details.
[Router] rsa peer-public-key quidway002
[Router-rsa-public-key] public-key-code begin
[Router-rsa-key-code] 308186028180739A291ABDA704F5D93DC8FDF84C427463
[Router-rsa-key-code] 1991C164B0DF178C55FA833591C7D47D5381D09CE82913
[Router-rsa-key-code] D7EDF9C08511D83CA4ED2B30B809808EB0D1F52D045DE4
[Router-rsa-key-code] 0861B74A0E135523CCD74CAC61F8E58C452B2F3F2DA0DC
[Router-rsa-key-code] C48E3306367FE187BDD944018B3B69F3CBB0A573202C16
[Router-rsa-key-code] BB2FC1ACF3EC8F828D55A36F1CDDC4BB45504F020125
[Router-rsa-key-code] public-key-code end
[Router-rsa-public-key] peer-public-key end
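An added check, not from the manual or the SSHKEY.EXE tool, that parses the hexadecimal key string pasted above: it assumes the string is a DER-encoded PKCS#1 RSAPublicKey (the 30 81 86 02 81 80 ... 02 01 25 framing indicates SEQUENCE { INTEGER modulus, INTEGER exponent }) and reports whether the modulus meets the 768-bit minimum the caution requires for SSH 2.0 logins.

```python
# Constructed from the public key string shown in the configuration above.
EXAMPLE_KEY_HEX = (
    "308186028180739A291ABDA704F5D93DC8FDF84C427463"
    "1991C164B0DF178C55FA833591C7D47D5381D09CE82913"
    "D7EDF9C08511D83CA4ED2B30B809808EB0D1F52D045DE4"
    "0861B74A0E135523CCD74CAC61F8E58C452B2F3F2DA0DC"
    "C48E3306367FE187BDD944018B3B69F3CBB0A573202C16"
    "BB2FC1ACF3EC8F828D55A36F1CDDC4BB45504F020125"
)

MIN_MODULUS_BITS = 768   # lower bound stated in the manual for SSH 2.0 logins

def der_read(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length

def parse_rsa_public_key(hex_string):
    """Parse a DER PKCS#1 RSAPublicKey: SEQUENCE { INTEGER n, INTEGER e }."""
    blob = bytes.fromhex("".join(hex_string.split()))
    tag, body, end = der_read(blob, 0)
    if tag != 0x30 or end != len(blob):
        raise ValueError("key is not a single DER SEQUENCE")
    tag_n, n_bytes, pos = der_read(body, 0)
    tag_e, e_bytes, pos = der_read(body, pos)
    if tag_n != 0x02 or tag_e != 0x02 or pos != len(body):
        raise ValueError("SEQUENCE does not hold exactly two INTEGERs")
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    return {"modulus": n, "exponent": e, "modulus_bits": n.bit_length()}

def key_meets_minimum(hex_string, min_bits=MIN_MODULUS_BITS):
    """True if the client key is well-formed and long enough for SSH 2.0 RSA login."""
    try:
        return parse_rsa_public_key(hex_string)["modulus_bits"] >= min_bits
    except ValueError:
        return False

if __name__ == "__main__":
    info = parse_rsa_public_key(EXAMPLE_KEY_HEX)
    print(f"modulus {info['modulus_bits']} bits, exponent {info['exponent']}, "
          f"meets minimum: {key_meets_minimum(EXAMPLE_KEY_HEX)}")
```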
2) Import the client public key from a file (Table 12-24)
Table 12-24 Configure a client public key with the rsa peer-public-key key-name import sshkey filename command
At the SSH 1.5/2.0 client, generate a random RSA key pair and save the key file
Send the public key file to the Flash on the router through FTP/TFTP: refer to section 5.2 System Management Overview and section 5.3 System Management Overview
Perform public key format conversion and configuration: rsa peer-public-key key-name import sshkey filename
This way is more convenient and is recommended.
Note: The filename argument must be the name of the public key file saved on the Flash.
By default, the source IP address in each packet sent by the SSH server is the IP address of the interface where the packet is sent out.
Note: You may specify a source IP address for the packets sent by the SSH server with the ssh-server source-interface command or the ssh-server source-ip command. If both commands are configured, the one configured later overrides the earlier one.
With first-time authentication enabled, the SSH client can attempt to access the server and obtain the server's public key through negotiation. The public key can then be saved on the client for subsequent access. With first-time authentication disabled, the SSH client refuses to access a server whose public key it does not hold. To access such a server, you must save its public key on the SSH client beforehand.
Table 12-31 Configure first-time authentication
Enable SSH server first-time authentication: ssh client first-time enable
Disable SSH server first-time authentication: undo ssh client first-time
By default, the source IP address in each packet sent by the SSH client is the IP address of the interface where the packet is sent out.
Note: You may specify a source IP address for the packets sent by the SSH client with the ssh2 source-interface command or the ssh2 source-ip command. If both commands are configured, the one configured later overrides the earlier one.
Display operations:
Display SSH user information
Display the current source IP address setting of the SSH server
Display the current source IP address setting of the SSH client
Execute the debugging commands in user view.
Table 12-34 Debug information on SSH
Enable SSH server debugging: debugging ssh server { vty index | all }
Disable SSH server debugging: undo debugging ssh server { vty index | all }
Enable SSH client debugging: debugging ssh client
Disable SSH client debugging: undo debugging ssh client
Enable RSA debugging: debugging rsa
Disable RSA debugging: undo debugging rsa
[Router] user-interface vty 0 4
[Router-ui-vty0-4] authentication-mode scheme
[Router-ui-vty0-4] protocol inbound ssh
[Router-ui-vty0-4] quit
[Router] local-user client001
[Router-luser-client001] password simple huawei
[Router-luser-client001] service-type ssh
[Router-luser-client001] quit
[Router] ssh user client001 authentication-type password
[Router] domain 169.254.0.1
[Router-isp-169.254.0.1] scheme local
[Router-isp-169.254.0.1] quit
The default SSH authentication timeout, retry count and server key update interval can be kept. After these configurations, you can run an SSH 2.0 client on a terminal connected to the router and access the router with username client001 and password huawei.
[Router] user-interface vty 0 4
[Router-ui-vty0-4] authentication-mode scheme
[Router-ui-vty0-4] protocol inbound ssh
[Router-ui-vty0-4] quit
[Router] ssh user client002 authentication-type RSA
Then, use the SSH 2.0 client software to generate an RSA key pair (public and private keys) and configure the public key under the specified rsa peer-public-key on the SSH server. The RSA public key discussed here is a hexadecimal string encoded by the SSHKEY.EXE software provided by our company according to the PKCS standard.
[Router] rsa peer-public-key quidway002
[Router-rsa-public] public-key-code begin
[Router-key-code] 308186028180739A291ABDA704F5D93DC8FDF84C427463
[Router-key-code] 1991C164B0DF178C55FA833591C7D47D5381D09CE82913
[Router-key-code] D7EDF9C08511D83CA4ED2B30B809808EB0D1F52D045DE4
[Router-key-code] 0861B74A0E135523CCD74CAC61F8E58C452B2F3F2DA0DC
[Router-key-code] C48E3306367FE187BDD944018B3B69F3CBB0A573202C16
[Router-key-code] BB2FC1ACF3EC8F828D55A36F1CDDC4BB45504F020125
[Router-key-code] public-key-code end
[Router-rsa-public] peer-public-key end
[Router] ssh user client002 assign rsa-key quidway002
2) Configure the SSH client
When password authentication applies, configure at the client the IP address of a reachable interface on the SSH server (the router), 169.254.0.1 in this example, set the protocol type to SSH, and use SSH version 2. After opening the SSH connection, enter the user name and password to access the router configuration interface.
login as: client001
Sent username "client001"
client001@169.254.0.1's password:
**************************************************************************
* Copyright(c) 1998-2006 Huawei Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent,                             *
* no decompiling or reverse-engineering shall be allowed.                *
**************************************************************************
<Router>
When RSA authentication applies, in addition to the configuration tasks done for password authentication, you must specify an RSA private key file, which the client software generates randomly. After opening the SSH connection, enter the user name to access the router configuration interface.
login as: client002
Sent username "client002"
Trying public key authentication.
No passphrase required.
**************************************************************************
* Copyright(c) 1998-2006 Huawei Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent,                             *
* no decompiling or reverse-engineering shall be allowed.                *
**************************************************************************
<Router>
Caution: To set up an SSH connection, make sure that the user name provided at login is the same as the one configured on the router with the ssh user username command.
# Enable the SSH client. The configuration varies depending on the adopted authentication mode.
When password authentication and the default algorithms are adopted, do the following:
[Router] ssh2 10.165.87.136
Please input the username: client003
Trying 10.165.87.136
Press CTRL+K to abort
Connected to 10.165.87.136...
The Server is not authenticated.Do you continue access it?(Y/N):y
Do you want to save the server's public key?(Y/N):y
Enter password:
**************************************************************************
* Copyright(c) 1998-2006 Huawei Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent,                             *
* no decompiling or reverse-engineering shall be allowed.                *
**************************************************************************
<Router>
[Router] ssh2 10.165.87.136 22 perfer_kex dh_group1 perfer_ctos_cipher des perfer_stoc_cipher 3des perfer_ctos_hmac md5 perfer_stoc_hmac md5
Please input the username: client003
Trying 10.165.87.136...
Press CTRL+K to abort
Connected to 10.165.87.136...
The Server is not authenticated.Do you continue access it?(Y/N):y
Do you want to save the server's public key?(Y/N):y
**************************************************************************
* Copyright(c) 1998-2006 Huawei Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent,                             *
* no decompiling or reverse-engineering shall be allowed.                *
**************************************************************************
<Router>