Diffstat (limited to 'docs/services/ssh.rst')
-rw-r--r-- | docs/services/ssh.rst | 185 |
1 files changed, 94 insertions, 91 deletions
diff --git a/docs/services/ssh.rst b/docs/services/ssh.rst index 3af71899..9a1418d3 100644 --- a/docs/services/ssh.rst +++ b/docs/services/ssh.rst @@ -1,9 +1,12 @@ +.. _ssh: + +### SSH ---- +### -Secure Shell (SSH_) is a cryptographic network protocol for operating network -services securely over an unsecured network.[1] The standard TCP port for SSH -is 22. The best known example application is for remote login to computer +:abbr:`SSH (Secure Shell)` is a cryptographic network protocol for operating +network services securely over an unsecured network. The standard TCP port for +SSH is 22. The best known example application is for remote login to computer systems by users. SSH provides a secure channel over an unsecured network in a client-server 
@@ -25,126 +28,126 @@ analysis. The encryption used by SSH is intended to provide confidentiality and integrity of data over an unsecured network, such as the Internet. Configuration -^^^^^^^^^^^^^ - -Enabling SSH only requires you to add ``service ssh port NN``, where 'NN' is -the port you want SSH to listen on. By default, SSH runs on port 22. - -.. code-block:: none - - set service ssh port 22 +============= -Options -******* +.. cfgcmd:: set service ssh port '<number>' -* Listening address - Specify the IPv4/IPv6 listening address for connection - requests. Multiple ``listen-address`` nodes can be defined. +Enabling SSH only requires you to specify the port ``<number>`` you want SSH to +listen on. By default, SSH runs on port 22. - :code:`set service ssh listen-address <address>` +.. cfgcmd:: set service ssh listen-address '<address>' -* Allow ``root`` login, this can be set to allow ``root`` logins on SSH - connections, however it is not advisable to use this setting as this bears - serious security risks. The default system user possesses all required - privileges. +Specify IPv4/IPv6 listen address of SSH server. Multiple addresses can be +defined. - :code:`set service ssh allow-root` +.. cfgcmd:: set service ssh ciphers '<cipher>' -* Allowed ciphers - A number of allowed ciphers can be specified, use multiple - occurrences to allow multiple ciphers. +Define allowed ciphers used for the SSH connection. A number of allowed ciphers +can be specified, use multiple occurrences to allow multiple ciphers. - :code:`set service ssh ciphers <cipher>` +* ``3des-cbc`` +* ``aes128-cbc`` +* ``aes192-cbc`` +* ``aes256-cbc`` +* ``aes128-ctr`` +* ``aes192-ctr`` +* ``aes256-ctr`` +* ``arcfour128`` +* ``arcfour256`` +* ``arcfour`` +* ``blowfish-cbc`` +* ``cast128-cbc`` - Available ciphers: +This could be used to harden security. 
- * `3des-cbc` - * `aes128-cbc` - * `aes192-cbc` - * `aes256-cbc` - * `aes128-ctr` - * `aes192-ctr` - * `aes256-ctr` - * `arcfour128` - * `arcfour256` - * `arcfour` - * `blowfish-cbc` - * `cast128-cbc` +.. cfgcmd:: set service ssh disable-password-authentication -* Disable password authentication - If SSH key authentication is set up, - password-based user authentication can be disabled. This hardens security! +Disable password based authentication. Login via SSH keys only. This hardens +security! - :code:`set service ssh disable-password-authentication` -* Disable host validation - Disable the host validation through reverse DNS - lookups. +.. cfgcmd: set service ssh disable-host-validation - :code:`set service ssh disable-host-validation` +Disable the host validation through reverse DNS lookups - can speedup login +time when reverse lookup is not possible. -* MAC algorithms - Specifies the available MAC (message authentication code) - algorithms. The MAC algorithm is used in protocol version 2 for data - integrity protection. Multiple algorithms can be entered. +.. cfgcmd:: set service ssh macs '<mac>' - :code:`set service ssh macs <macs>` +Specifies the available :abbr:`MAC (Message Authentication Code)` algorithms. +The MAC algorithm is used in protocol version 2 for data integrity protection. +Multiple algorithms can be provided. 
Supported MACs: - Supported MACs: +* ``hmac-md5`` +* ``hmac-md5-96`` +* ``hmac-ripemd160`` +* ``hmac-sha1`` +* ``hmac-sha1-96`` +* ``hmac-sha2-256`` +* ``hmac-sha2-512`` +* ``umac-64@openssh.com`` +* ``umac-128@openssh.com`` +* ``hmac-md5-etm@openssh.com`` +* ``hmac-md5-96-etm@openssh.com`` +* ``hmac-ripemd160-etm@openssh.com`` +* ``hmac-sha1-etm@openssh.com`` +* ``hmac-sha1-96-etm@openssh.com`` +* ``hmac-sha2-256-etm@openssh.com`` +* ``hmac-sha2-512-etm@openssh.com`` +* ``umac-64-etm@openssh.com`` +* ``umac-128-etm@openssh.com`` - * `hmac-md5` - * `hmac-md5-96` - * `hmac-ripemd160` - * `hmac-sha1` - * `hmac-sha1-96` - * `hmac-sha2-256` - * `hmac-sha2-512` - * `umac-64@openssh.com` - * `umac-128@openssh.com` - * `hmac-md5-etm@openssh.com` - * `hmac-md5-96-etm@openssh.com` - * `hmac-ripemd160-etm@openssh.com` - * `hmac-sha1-etm@openssh.com` - * `hmac-sha1-96-etm@openssh.com` - * `hmac-sha2-256-etm@openssh.com` - * `hmac-sha2-512-etm@openssh.com` - * `umac-64-etm@openssh.com` - * `umac-128-etm@openssh.com` +This could be used to harden security. +.. note:: VyOS 1.1 supported login as user ``root``. This has been removed due + to tighter security in VyOS 1.2. -Key Authentication -################## +Key Based Authentication +======================== It is highly recommended to use SSH Key authentication. By default there is only one user (``vyos``), and you can assign any number of keys to that user. You can generate a ssh key with the ``ssh-keygen`` command on your local -machine, which will (by default) save it as ``~/.ssh/id_rsa.pub`` which is in -three parts: +machine, which will (by default) save it as ``~/.ssh/id_rsa.pub``. - ``ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA...VByBD5lKwEWB username@host.example.com`` +Every SSH key comes in three parts: -Only the type (``ssh-rsa``) and the key (``AAAB3N...``) are used. Note that -the key will usually be several hundred characters long, and you will need to -copy and paste it. 
Some terminal emulators may accidentally split this over -several lines. Be attentive when you paste it that it only pastes as a single -line. The third part is simply an identifier, and is for your own reference. +``ssh-rsa AAAAB3NzaC1yc2EAAAABAA...VBD5lKwEWB username@host.example.com`` +Only the type (``ssh-rsa``) and the key (``AAAB3N...``) are used. Note that the +key will usually be several hundred characters long, and you will need to copy +and paste it. Some terminal emulators may accidentally split this over several +lines. Be attentive when you paste it that it only pastes as a single line. +The third part is simply an identifier, and is for your own reference. -**Assign SSH Key to user** +.. cfgcmd:: set system login user '<username>' authentication public-keys '<identifier>' key '<key>' -Under the user (in this example, ``vyos``), add the public key and the type. -The `identifier` is simply a string that is relevant to you. +Assign the SSH public key portion `<key>` identified by per-key `<identifier>` +to the local user `<username>`. -.. code-block:: none +.. cfgcmd:: set system login user '<username>' authentication public-keys '<identifier>' type '<type>' - set system login user vyos authentication public-keys 'identifier' key "AAAAB3Nz...." - set system login user vyos authentication public-keys 'identifier' type ssh-rsa" +Every SSH public key portion referenced by `<identifier>` requires the +configuration of the `<type>` of public-key used. This type can be any of: -You can assign multiple keys to the same user by changing the identifier. In -the following example, both Unicron and xrobau will be able to SSH into VyOS -as the ``vyos`` user using their own keys. +* ``ecdsa-sha2-nistp256`` +* ``ecdsa-sha2-nistp384`` +* ``ecdsa-sha2-nistp521`` +* ``ssh-dss`` +* ``ssh-ed25519`` +* ``ssh-rsa`` -.. code-block:: none +.. note:: You can assign multiple keys to the same user by using a unique + identifier per SSH key. 
- set system login user vyos authentication public-keys 'Unicron' key "AAAAB3Nz...." - set system login user vyos authentication public-keys 'Unicron' type ssh-rsa - set system login user vyos authentication public-keys 'xrobau' key "AAAAQ39x...." - set system login user vyos authentication public-keys 'xrobau' type ssh-rsa +Example +------- +In the following example, both User1 and User2 will be able to SSH into VyOS +as the ``vyos`` user using their own keys. +.. code-block:: none + set system login user vyos authentication public-keys 'User1' key "AAAAB3Nz...KwEW" + set system login user vyos authentication public-keys 'User1' type ssh-rsa + set system login user vyos authentication public-keys 'User2' key "AAAAQ39x...fbV3" + set system login user vyos authentication public-keys 'User2' type ssh-rsa |
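Review bot: in the first hunk (@@ -1,9 +1,12 @@) the new ``.. _ssh:`` label will clash with the ``.. _SSH:`` hyperlink target that the removed ``SSH_`` reference used to point at, if that target definition is still present further down the file: reST target names are case-insensitive, so Sphinx reports a duplicate target. The ``[1]`` footnote marker was also dropped from the first paragraph, so any matching footnote body left in the file becomes an orphan. Remove the ``.. _SSH:`` URL line and the footnote definition in the same change, or confirm they are already gone.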
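Review bot: in the second hunk (@@ -25,126 +28,126 @@) the line ``.. cfgcmd: set service ssh disable-host-validation`` has a single colon, so docutils treats it as a comment instead of a directive and the command silently disappears from the rendered page; it should be ``.. cfgcmd:: set service ssh disable-host-validation``. Two smaller points in the same hunk: the paragraph on key parts still says the key portion is ``AAAB3N...`` while the example line just above it begins ``AAAAB3N...``, and "can speedup login time" should read "can speed up login time". Since both the cipher list and the MAC list now end in "This could be used to harden security.", it would help readers to say that the intent is to restrict the set to a few strong entries: items such as ``arcfour``, ``3des-cbc``, ``blowfish-cbc`` and ``hmac-md5`` are legacy algorithms one removes, not adds. Finally, the ``disable-password-authentication`` description should state that at least one public key must be assigned to the user before enabling it, otherwise the next login is locked out.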