Diffstat (limited to 'docs/services/ssh.rst')
-rw-r--r-- docs/services/ssh.rst 185
1 files changed, 94 insertions, 91 deletions
diff --git a/docs/services/ssh.rst b/docs/services/ssh.rst
index 3af71899..9a1418d3 100644
--- a/docs/services/ssh.rst
+++ b/docs/services/ssh.rst
@@ -1,9 +1,12 @@
+.. _ssh:
+
+###
SSH
----
+###
-Secure Shell (SSH_) is a cryptographic network protocol for operating network
-services securely over an unsecured network.[1] The standard TCP port for SSH
-is 22. The best known example application is for remote login to computer
+:abbr:`SSH (Secure Shell)` is a cryptographic network protocol for operating
+network services securely over an unsecured network. The standard TCP port for
+SSH is 22. The best known example application is for remote login to computer
systems by users.
SSH provides a secure channel over an unsecured network in a client-server
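Review bot: dropping the ``SSH_`` hyperlink reference and the ``[1]`` footnote reference in the first paragraph leaves their definitions dangling if the matching ``.. _SSH: <url>`` target and ``.. [1]`` footnote still exist further down the file, and a surviving ``.. _SSH:`` target will collide with the new ``.. _ssh:`` label added at the top of this hunk, since docutils normalizes reference names case-insensitively and reports a duplicate explicit target name. Either remove the old target and footnote definitions in the same change or keep the reference; the replacement of the underlined title with the ``###`` overline/underline pair is otherwise fine.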
@@ -25,126 +28,126 @@ analysis. The encryption used by SSH is intended to provide confidentiality
and integrity of data over an unsecured network, such as the Internet.
Configuration
-^^^^^^^^^^^^^
-
-Enabling SSH only requires you to add ``service ssh port NN``, where 'NN' is
-the port you want SSH to listen on. By default, SSH runs on port 22.
-
-.. code-block:: none
-
- set service ssh port 22
+=============
-Options
-*******
+.. cfgcmd:: set service ssh port '<number>'
-* Listening address - Specify the IPv4/IPv6 listening address for connection
- requests. Multiple ``listen-address`` nodes can be defined.
+Enabling SSH only requires you to specify the port ``<number>`` you want SSH to
+listen on. By default, SSH runs on port 22.
- :code:`set service ssh listen-address <address>`
+.. cfgcmd:: set service ssh listen-address '<address>'
-* Allow ``root`` login, this can be set to allow ``root`` logins on SSH
- connections, however it is not advisable to use this setting as this bears
- serious security risks. The default system user possesses all required
- privileges.
+Specify IPv4/IPv6 listen address of SSH server. Multiple addresses can be
+defined.
- :code:`set service ssh allow-root`
+.. cfgcmd:: set service ssh ciphers '<cipher>'
-* Allowed ciphers - A number of allowed ciphers can be specified, use multiple
- occurrences to allow multiple ciphers.
+Define allowed ciphers used for the SSH connection. A number of allowed ciphers
+can be specified, use multiple occurrences to allow multiple ciphers.
- :code:`set service ssh ciphers <cipher>`
+* ``3des-cbc``
+* ``aes128-cbc``
+* ``aes192-cbc``
+* ``aes256-cbc``
+* ``aes128-ctr``
+* ``aes192-ctr``
+* ``aes256-ctr``
+* ``arcfour128``
+* ``arcfour256``
+* ``arcfour``
+* ``blowfish-cbc``
+* ``cast128-cbc``
- Available ciphers:
+This could be used to harden security.
- * `3des-cbc`
- * `aes128-cbc`
- * `aes192-cbc`
- * `aes256-cbc`
- * `aes128-ctr`
- * `aes192-ctr`
- * `aes256-ctr`
- * `arcfour128`
- * `arcfour256`
- * `arcfour`
- * `blowfish-cbc`
- * `cast128-cbc`
+.. cfgcmd:: set service ssh disable-password-authentication
-* Disable password authentication - If SSH key authentication is set up,
- password-based user authentication can be disabled. This hardens security!
+Disable password based authentication. Login via SSH keys only. This hardens
+security!
- :code:`set service ssh disable-password-authentication`
-* Disable host validation - Disable the host validation through reverse DNS
- lookups.
+.. cfgcmd: set service ssh disable-host-validation
- :code:`set service ssh disable-host-validation`
+Disable the host validation through reverse DNS lookups - can speedup login
+time when reverse lookup is not possible.
-* MAC algorithms - Specifies the available MAC (message authentication code)
- algorithms. The MAC algorithm is used in protocol version 2 for data
- integrity protection. Multiple algorithms can be entered.
+.. cfgcmd:: set service ssh macs '<mac>'
- :code:`set service ssh macs <macs>`
+Specifies the available :abbr:`MAC (Message Authentication Code)` algorithms.
+The MAC algorithm is used in protocol version 2 for data integrity protection.
+Multiple algorithms can be provided. Supported MACs:
- Supported MACs:
+* ``hmac-md5``
+* ``hmac-md5-96``
+* ``hmac-ripemd160``
+* ``hmac-sha1``
+* ``hmac-sha1-96``
+* ``hmac-sha2-256``
+* ``hmac-sha2-512``
+* ``umac-64@openssh.com``
+* ``umac-128@openssh.com``
+* ``hmac-md5-etm@openssh.com``
+* ``hmac-md5-96-etm@openssh.com``
+* ``hmac-ripemd160-etm@openssh.com``
+* ``hmac-sha1-etm@openssh.com``
+* ``hmac-sha1-96-etm@openssh.com``
+* ``hmac-sha2-256-etm@openssh.com``
+* ``hmac-sha2-512-etm@openssh.com``
+* ``umac-64-etm@openssh.com``
+* ``umac-128-etm@openssh.com``
- * `hmac-md5`
- * `hmac-md5-96`
- * `hmac-ripemd160`
- * `hmac-sha1`
- * `hmac-sha1-96`
- * `hmac-sha2-256`
- * `hmac-sha2-512`
- * `umac-64@openssh.com`
- * `umac-128@openssh.com`
- * `hmac-md5-etm@openssh.com`
- * `hmac-md5-96-etm@openssh.com`
- * `hmac-ripemd160-etm@openssh.com`
- * `hmac-sha1-etm@openssh.com`
- * `hmac-sha1-96-etm@openssh.com`
- * `hmac-sha2-256-etm@openssh.com`
- * `hmac-sha2-512-etm@openssh.com`
- * `umac-64-etm@openssh.com`
- * `umac-128-etm@openssh.com`
+This could be used to harden security.
+.. note:: VyOS 1.1 supported login as user ``root``. This has been removed due
+ to tighter security in VyOS 1.2.
-Key Authentication
-##################
+Key Based Authentication
+========================
It is highly recommended to use SSH Key authentication. By default there is
only one user (``vyos``), and you can assign any number of keys to that user.
You can generate a ssh key with the ``ssh-keygen`` command on your local
-machine, which will (by default) save it as ``~/.ssh/id_rsa.pub`` which is in
-three parts:
+machine, which will (by default) save it as ``~/.ssh/id_rsa.pub``.
- ``ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA...VByBD5lKwEWB username@host.example.com``
+Every SSH key comes in three parts:
-Only the type (``ssh-rsa``) and the key (``AAAB3N...``) are used. Note that
-the key will usually be several hundred characters long, and you will need to
-copy and paste it. Some terminal emulators may accidentally split this over
-several lines. Be attentive when you paste it that it only pastes as a single
-line. The third part is simply an identifier, and is for your own reference.
+``ssh-rsa AAAAB3NzaC1yc2EAAAABAA...VBD5lKwEWB username@host.example.com``
+Only the type (``ssh-rsa``) and the key (``AAAB3N...``) are used. Note that the
+key will usually be several hundred characters long, and you will need to copy
+and paste it. Some terminal emulators may accidentally split this over several
+lines. Be attentive when you paste it that it only pastes as a single line.
+The third part is simply an identifier, and is for your own reference.
-**Assign SSH Key to user**
+.. cfgcmd:: set system login user '<username>' authentication public-keys '<identifier>' key '<key>'
-Under the user (in this example, ``vyos``), add the public key and the type.
-The `identifier` is simply a string that is relevant to you.
+Assign the SSH public key portion `<key>` identified by per-key `<identifier>`
+to the local user `<username>`.
-.. code-block:: none
+.. cfgcmd:: set system login user '<username>' authentication public-keys '<identifier>' type '<type>'
- set system login user vyos authentication public-keys 'identifier' key "AAAAB3Nz...."
- set system login user vyos authentication public-keys 'identifier' type ssh-rsa"
+Every SSH public key portion referenced by `<identifier>` requires the
+configuration of the `<type>` of public-key used. This type can be any of:
-You can assign multiple keys to the same user by changing the identifier. In
-the following example, both Unicron and xrobau will be able to SSH into VyOS
-as the ``vyos`` user using their own keys.
+* ``ecdsa-sha2-nistp256``
+* ``ecdsa-sha2-nistp384``
+* ``ecdsa-sha2-nistp521``
+* ``ssh-dss``
+* ``ssh-ed25519``
+* ``ssh-rsa``
-.. code-block:: none
+.. note:: You can assign multiple keys to the same user by using a unique
+ identifier per SSH key.
- set system login user vyos authentication public-keys 'Unicron' key "AAAAB3Nz...."
- set system login user vyos authentication public-keys 'Unicron' type ssh-rsa
- set system login user vyos authentication public-keys 'xrobau' key "AAAAQ39x...."
- set system login user vyos authentication public-keys 'xrobau' type ssh-rsa
+Example
+-------
+In the following example, both User1 and User2 will be able to SSH into VyOS
+as the ``vyos`` user using their own keys.
+.. code-block:: none
+ set system login user vyos authentication public-keys 'User1' key "AAAAB3Nz...KwEW"
+ set system login user vyos authentication public-keys 'User1' type ssh-rsa
+ set system login user vyos authentication public-keys 'User2' key "AAAAQ39x...fbV3"
+ set system login user vyos authentication public-keys 'User2' type ssh-rsa
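Review bot: ``.. cfgcmd: set service ssh disable-host-validation`` has a single colon, so Sphinx treats the line as a comment and the ``disable-host-validation`` command silently disappears from the rendered page; it should read ``.. cfgcmd:: set service ssh disable-host-validation`` like the other directives in this hunk. Two smaller points in the key section: the prose says the key portion starts with ``AAAB3N...`` while the sample key (and every OpenSSH ssh-rsa public key) starts with ``AAAAB3N``, and the shortened sample ``AAAAB3NzaC1yc2EAAAABAA...`` no longer decodes to a plausible ssh-rsa prefix (it encodes a one-byte public exponent of zero), whereas the removed ``AAAAB3NzaC1yc2EAAAADAQABAA...`` carried the usual 65537 exponent. Finally, the cipher and MAC lists now sit next to "This could be used to harden security" while still listing the legacy values (``3des-cbc``, ``arcfour``/``arcfour128``/``arcfour256``, ``blowfish-cbc``, ``cast128-cbc``, ``hmac-md5``, the ``-96`` truncations) without saying which to choose; one sentence pointing readers at the AES-CTR ciphers and the SHA-2/UMAC ``-etm@openssh.com`` MACs would make the hardening advice actionable, and "Key Based Authentication" should be hyphenated as "Key-Based Authentication".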