summaryrefslogtreecommitdiff
path: root/docs/services/ssh.rst
diff options
context:
space:
mode:
authorrebortg <github@ghlr.de>2020-11-30 20:53:36 +0100
committerrebortg <github@ghlr.de>2020-11-30 20:53:36 +0100
commit8943fc9f877cbee3301a8261ddd27b4b1f15f174 (patch)
treebb09c5f41a7683dc361517c2bde346eea36cda24 /docs/services/ssh.rst
parente33e1268f944be445b5a771df0e97e913487512f (diff)
downloadvyos-documentation-8943fc9f877cbee3301a8261ddd27b4b1f15f174.tar.gz
vyos-documentation-8943fc9f877cbee3301a8261ddd27b4b1f15f174.zip
arrange services and protocols
Diffstat (limited to 'docs/services/ssh.rst')
-rw-r--r--docs/services/ssh.rst106
1 files changed, 0 insertions, 106 deletions
diff --git a/docs/services/ssh.rst b/docs/services/ssh.rst
deleted file mode 100644
index 6da8560f..00000000
--- a/docs/services/ssh.rst
+++ /dev/null
@@ -1,106 +0,0 @@
-.. _ssh:
-
-###
-SSH
-###
-
-:abbr:`SSH (Secure Shell)` is a cryptographic network protocol for operating
-network services securely over an unsecured network. The standard TCP port for
-SSH is 22. The best known example application is for remote login to computer
-systems by users.
-
-SSH provides a secure channel over an unsecured network in a client-server
-architecture, connecting an SSH client application with an SSH server. Common
-applications include remote command-line login and remote command execution,
-but any network service can be secured with SSH. The protocol specification
-distinguishes between two major versions, referred to as SSH-1 and SSH-2.
-
-The most visible application of the protocol is for access to shell accounts
-on Unix-like operating systems, but it sees some limited use on Windows as
-well. In 2015, Microsoft announced that they would include native support for
-SSH in a future release.
-
-SSH was designed as a replacement for Telnet and for unsecured remote shell
-protocols such as the Berkeley rlogin, rsh, and rexec protocols.
-Those protocols send information, notably passwords, in plaintext,
-rendering them susceptible to interception and disclosure using packet
-analysis. The encryption used by SSH is intended to provide confidentiality
-and integrity of data over an unsecured network, such as the Internet.
-
-Configuration
-=============
-
-.. cfgcmd:: set service ssh port <port>
-
-Enabling SSH only requires you to specify the port ``<port>`` you want SSH to
-listen on. By default, SSH runs on port 22.
-
-.. cfgcmd:: set service ssh listen-address <address>
-
-Specify IPv4/IPv6 listen address of SSH server. Multiple addresses can be
-defined.
-
-.. cfgcmd:: set service ssh ciphers <cipher>
-
-Define allowed ciphers used for the SSH connection. A number of allowed ciphers
-can be specified, use multiple occurrences to allow multiple ciphers. You can
-choose from the following ciphers: ``3des-cbc``, ``aes128-cbc``, ``aes192-cbc``,
-``aes256-cbc``, ``aes128-ctr``, ``aes192-ctr``, ``aes256-ctr``, ``arcfour128``,
-``arcfour256``, ``arcfour``, ``blowfish-cbc``, ``cast128-cbc``
-
-.. cfgcmd:: set service ssh disable-password-authentication
-
-Disable password based authentication. Login via SSH keys only. This hardens
-security!
-
-.. cfgcmd:: set service ssh disable-host-validation
-
-Disable the host validation through reverse DNS lookups - can speedup login
-time when reverse lookup is not possible.
-
-.. cfgcmd:: set service ssh macs <mac>
-
-Specifies the available :abbr:`MAC (Message Authentication Code)` algorithms.
-The MAC algorithm is used in protocol version 2 for data integrity protection.
-Multiple algorithms can be provided. Supported MACs: ``hmac-md5``,
-``hmac-md5-96``, ``hmac-ripemd160``, ``hmac-sha1``, ``hmac-sha1-96``,
-``hmac-sha2-256``, ``hmac-sha2-512``, ``umac-64@openssh.com``,
-``umac-128@openssh.com``, ``hmac-md5-etm@openssh.com``,
-``hmac-md5-96-etm@openssh.com``, ``hmac-ripemd160-etm@openssh.com``,
-``hmac-sha1-etm@openssh.com``, ``hmac-sha1-96-etm@openssh.com``,
-``hmac-sha2-256-etm@openssh.com``, ``hmac-sha2-512-etm@openssh.com``,
-``umac-64-etm@openssh.com``, ``umac-128-etm@openssh.com``
-
-.. note:: VyOS 1.1 supported login as user ``root``. This has been removed due
- to tighter security in VyOS 1.2.
-
-.. cfgcmd:: set service ssh access-control <allow | deny> <group | user> <name>
-
-Add access-control directive to allow or deny users and groups. Directives are
-processed in the following order of precedence: ``deny-users``, ``allow-users``,
-``deny-groups`` and ``allow-groups``.
-
-.. cfgcmd:: set service ssh client-keepalive-interval <interval>
-
-Specify timeout interval for keepalive message in seconds.
-
-.. cfgcmd:: set service ssh key-exchange <kex>
-
-Specify allowed :abbr:`KEX (Key Exchange)` algorithms.
-Supported algorithms: ``diffie-hellman-group1-sha1``,
-``diffie-hellman-group14-sha1``, ``diffie-hellman-group14-sha256``,
-``diffie-hellman-group16-sha512``, ``diffie-hellman-group18-sha512``,
-``diffie-hellman-group-exchange-sha1``,
-``diffie-hellman-group-exchange-sha256``, ``ecdh-sha2-nistp256``,
-``ecdh-sha2-nistp384``, ``ecdh-sha2-nistp521``, ``curve25519-sha256`` and
-``curve25519-sha256@libssh.org``.
-
-.. cfgcmd:: set service ssh loglevel <quiet | fatal | error | info | verbose>
-
-Set the ``sshd`` log level. The default is ``info``.
-
-.. cfgcmd:: set service ssh vrf <name>
-
-Specify name of the :abbr:`VRF (Virtual Routing and Forwarding)` instance.
-
-.. seealso:: SSH :ref:`ssh_key_based_authentication`