.. _ssh:

###
SSH
###

:abbr:`SSH (Secure Shell)` is a cryptographic network protocol for operating
network services securely over an unsecured network. The standard TCP port for
SSH is 22. The best-known example application is remote login to computer
systems by users.

SSH provides a secure channel over an unsecured network in a client-server
architecture, connecting an SSH client application with an SSH server. Common
applications include remote command-line login and remote command execution,
but any network service can be secured with SSH. The protocol specification
distinguishes between two major versions, referred to as SSH-1 and SSH-2.

The most visible application of the protocol is for access to shell accounts
on Unix-like operating systems, but it sees some limited use on Windows as
well. In 2015, Microsoft announced that they would include native support for
SSH in a future release.

SSH was designed as a replacement for Telnet and for unsecured remote shell
protocols such as the Berkeley rlogin, rsh, and rexec protocols.
Those protocols send information, notably passwords, in plaintext,
rendering them susceptible to interception and disclosure using packet
analysis. The encryption used by SSH is intended to provide confidentiality
and integrity of data over an unsecured network, such as the Internet.

.. note:: VyOS 1.1 supported login as user ``root``. This has been removed due
   to tighter security in VyOS 1.2.

.. seealso:: SSH :ref:`ssh_key_based_authentication`

Configuration
=============

.. cfgcmd:: set service ssh port <port>

  Enabling SSH only requires you to specify the port ``<port>`` you want SSH to
  listen on. By default, SSH runs on port 22.

.. cfgcmd:: set service ssh listen-address <address>

  Specify the IPv4/IPv6 address the SSH server listens on. Multiple addresses
  can be defined.

.. cfgcmd:: set service ssh ciphers <cipher>

  Define the ciphers allowed for the SSH connection. Several ciphers can be
  allowed; use one occurrence of the command per cipher.

  List of supported ciphers: ``3des-cbc``, ``aes128-cbc``, ``aes192-cbc``,
  ``aes256-cbc``, ``aes128-ctr``, ``aes192-ctr``, ``aes256-ctr``, ``arcfour128``,
  ``arcfour256``, ``arcfour``, ``blowfish-cbc``, ``cast128-cbc``

.. cfgcmd:: set service ssh disable-password-authentication

  Disable password-based authentication; logins are then possible with SSH keys
  only. This hardens security!

.. cfgcmd:: set service ssh disable-host-validation

  Disable host validation through reverse DNS lookups. This can speed up login
  time when a reverse lookup is not possible.

.. cfgcmd:: set service ssh macs <mac>

  Specifies the available :abbr:`MAC (Message Authentication Code)` algorithms.
  The MAC algorithm is used in protocol version 2 for data integrity protection.
  Multiple algorithms can be provided.

  List of supported MACs: ``hmac-md5``, ``hmac-md5-96``, ``hmac-ripemd160``,
  ``hmac-sha1``, ``hmac-sha1-96``, ``hmac-sha2-256``, ``hmac-sha2-512``,
  ``umac-64@openssh.com``, ``umac-128@openssh.com``, ``hmac-md5-etm@openssh.com``,
  ``hmac-md5-96-etm@openssh.com``, ``hmac-ripemd160-etm@openssh.com``,
  ``hmac-sha1-etm@openssh.com``, ``hmac-sha1-96-etm@openssh.com``,
  ``hmac-sha2-256-etm@openssh.com``, ``hmac-sha2-512-etm@openssh.com``,
  ``umac-64-etm@openssh.com``, ``umac-128-etm@openssh.com``

.. cfgcmd:: set service ssh access-control <allow | deny> <group | user> <name>

  Add an access-control directive to allow or deny users and groups. Directives
  are processed in the following order of precedence: ``deny-users``,
  ``allow-users``, ``deny-groups`` and ``allow-groups``.

.. cfgcmd:: set service ssh client-keepalive-interval <interval>

  Specify the timeout interval, in seconds, after which a keepalive message is
  sent to the client.

.. cfgcmd:: set service ssh key-exchange <kex>

  Specify allowed :abbr:`KEX (Key Exchange)` algorithms.

  List of supported algorithms: ``diffie-hellman-group1-sha1``,
  ``diffie-hellman-group14-sha1``, ``diffie-hellman-group14-sha256``,
  ``diffie-hellman-group16-sha512``, ``diffie-hellman-group18-sha512``,
  ``diffie-hellman-group-exchange-sha1``, ``diffie-hellman-group-exchange-sha256``,
  ``ecdh-sha2-nistp256``, ``ecdh-sha2-nistp384``, ``ecdh-sha2-nistp521``,
  ``curve25519-sha256`` and ``curve25519-sha256@libssh.org``.
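
The ``ciphers``, ``macs``, ``key-exchange`` and ``disable-password-authentication``
options above are the ones a hardening review looks at first. The following
script is an added example, not part of VyOS: it reads the output format of
``show configuration commands``, flags algorithm choices from the supported lists
that rely on CBC, RC4, MD5, SHA-1 or the 1024-bit DH group 1, and emits the
``set``/``delete`` commands to remediate. The ``STRONG`` policy and the sample
configuration are assumptions constructed for the example.

```python
import re

# Hardened policy assumed for this example: only algorithms from the supported
# lists above that avoid CBC, RC4, MD5, SHA-1 and the 1024-bit DH group 1.
STRONG = {
    "ciphers": {"aes128-ctr", "aes192-ctr", "aes256-ctr"},
    "macs": {"hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
             "umac-128-etm@openssh.com"},
    "key-exchange": {"curve25519-sha256", "curve25519-sha256@libssh.org",
                     "diffie-hellman-group16-sha512",
                     "diffie-hellman-group18-sha512"},
}

# Constructed sample, in the format of `show configuration commands`.
SAMPLE_CONFIG = """\
set service ssh ciphers 'aes256-ctr'
set service ssh ciphers '3des-cbc'
set service ssh macs 'hmac-sha1'
set service ssh key-exchange 'diffie-hellman-group1-sha1'
set service ssh key-exchange 'curve25519-sha256'
"""

LINE_RE = re.compile(r"^set service ssh (\S+)(?:\s+(.+))?$")


def parse(config):
    """Map each 'service ssh' node to the list of values set on it."""
    nodes = {}
    for line in config.splitlines():
        if (m := LINE_RE.match(line.strip())):
            nodes.setdefault(m.group(1), []).append((m.group(2) or "").strip("'"))
    return nodes


def audit(config):
    """Return (findings, remediation commands) for a config snippet."""
    nodes, findings, fixes = parse(config), [], []
    for node, strong in STRONG.items():
        configured = nodes.get(node, [])
        weak = [v for v in configured if v not in strong]
        for v in weak:
            findings.append(f"{node}: {v} is a weak choice")
            fixes.append(f"delete service ssh {node} '{v}'")
        if configured and len(weak) == len(configured):
            # Nothing strong would remain, so pin an explicit strong set.
            fixes.extend(f"set service ssh {node} '{v}'" for v in sorted(strong))
    if "disable-password-authentication" not in nodes:
        findings.append("password authentication is still enabled")
        fixes.append("set service ssh disable-password-authentication")
    return findings, fixes


print(*audit(SAMPLE_CONFIG), sep="\n")
```

Nodes that are not set at all are left to the ``sshd`` defaults and not
flagged; only explicitly configured weak values produce findings.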

.. cfgcmd:: set service ssh loglevel <quiet | fatal | error | info | verbose>

  Set the ``sshd`` log level. The default is ``info``.

.. cfgcmd:: set service ssh vrf <name>

  Specify name of the :abbr:`VRF (Virtual Routing and Forwarding)` instance.