From 2e881d5dd81bcbbbe1b92661353ed475a7685f75 Mon Sep 17 00:00:00 2001
From: Christian Poessinger <christian@poessinger.com>
Date: Sun, 15 Dec 2019 19:09:41 +0100
Subject: ssh: use new cfgcmd/opcmd syntax

---
 docs/services/ssh.rst | 172 +++++++++++++++++++++++++-------------------------
 1 file changed, 86 insertions(+), 86 deletions(-)

(limited to 'docs/services/ssh.rst')

diff --git a/docs/services/ssh.rst b/docs/services/ssh.rst
index 0a364ea2..9a1418d3 100644
--- a/docs/services/ssh.rst
+++ b/docs/services/ssh.rst
@@ -30,124 +30,124 @@ and integrity of data over an unsecured network, such as the Internet.
 Configuration
 =============
 
-Enabling SSH only requires you to add ``service ssh port NN``, where 'NN' is
-the port you want SSH to listen on. By default, SSH runs on port 22.
+.. cfgcmd:: set service ssh port '<number>'
 
-.. code-block:: none
-
-  set service ssh port 22
-
-Options
--------
-
-* Listening address - Specify the IPv4/IPv6 listening address for connection
-  requests. Multiple ``listen-address`` nodes can be defined.
+Enabling SSH only requires you to specify the port ``<number>`` you want SSH to
+listen on. By default, SSH runs on port 22.
 
-  :code:`set service ssh listen-address <address>`
+.. cfgcmd:: set service ssh listen-address '<address>'
 
-* Allow ``root`` login, this can be set to allow ``root`` logins on SSH
-  connections, however it is not advisable to use this setting as this bears
-  serious security risks. The default system user possesses all required
-  privileges.
+Specify IPv4/IPv6 listen address of SSH server. Multiple addresses can be
+defined.
 
-  :code:`set service ssh allow-root`
+.. cfgcmd:: set service ssh ciphers '<cipher>'
 
-* Allowed ciphers - A number of allowed ciphers can be specified, use multiple
-  occurrences to allow multiple ciphers.
+Define allowed ciphers used for the SSH connection. A number of allowed ciphers
+can be specified, use multiple occurrences to allow multiple ciphers.
 
-  :code:`set service ssh ciphers <cipher>`
+* ``3des-cbc``
+* ``aes128-cbc``
+* ``aes192-cbc``
+* ``aes256-cbc``
+* ``aes128-ctr``
+* ``aes192-ctr``
+* ``aes256-ctr``
+* ``arcfour128``
+* ``arcfour256``
+* ``arcfour``
+* ``blowfish-cbc``
+* ``cast128-cbc``
 
-  Available ciphers:
+This could be used to harden security.
 
- * `3des-cbc`
- * `aes128-cbc`
- * `aes192-cbc`
- * `aes256-cbc`
- * `aes128-ctr`
- * `aes192-ctr`
- * `aes256-ctr`
- * `arcfour128`
- * `arcfour256`
- * `arcfour`
- * `blowfish-cbc`
- * `cast128-cbc`
+.. cfgcmd:: set service ssh disable-password-authentication
 
-* Disable password authentication - If SSH key authentication is set up,
-  password-based user authentication can be disabled. This hardens security!
+Disable password based authentication. Login via SSH keys only. This hardens
+security!
 
-  :code:`set service ssh disable-password-authentication`
 
-* Disable host validation - Disable the host validation through reverse DNS
-  lookups.
+.. cfgcmd: set service ssh disable-host-validation
 
-  :code:`set service ssh disable-host-validation`
+Disable the host validation through reverse DNS lookups - can speedup login
+time when reverse lookup is not possible.
 
-* MAC algorithms - Specifies the available MAC (message authentication code)
-  algorithms. The MAC algorithm is used in protocol version 2 for data
-  integrity protection. Multiple algorithms can be entered.
+.. cfgcmd:: set service ssh macs '<mac>'
 
-  :code:`set service ssh macs <macs>`
+Specifies the available :abbr:`MAC (Message Authentication Code)` algorithms.
+The MAC algorithm is used in protocol version 2 for data integrity protection.
+Multiple algorithms can be provided. Supported MACs:
 
-  Supported MACs:
+* ``hmac-md5``
+* ``hmac-md5-96``
+* ``hmac-ripemd160``
+* ``hmac-sha1``
+* ``hmac-sha1-96``
+* ``hmac-sha2-256``
+* ``hmac-sha2-512``
+* ``umac-64@openssh.com``
+* ``umac-128@openssh.com``
+* ``hmac-md5-etm@openssh.com``
+* ``hmac-md5-96-etm@openssh.com``
+* ``hmac-ripemd160-etm@openssh.com``
+* ``hmac-sha1-etm@openssh.com``
+* ``hmac-sha1-96-etm@openssh.com``
+* ``hmac-sha2-256-etm@openssh.com``
+* ``hmac-sha2-512-etm@openssh.com``
+* ``umac-64-etm@openssh.com``
+* ``umac-128-etm@openssh.com``
 
- * `hmac-md5`
- * `hmac-md5-96`
- * `hmac-ripemd160`
- * `hmac-sha1`
- * `hmac-sha1-96`
- * `hmac-sha2-256`
- * `hmac-sha2-512`
- * `umac-64@openssh.com`
- * `umac-128@openssh.com`
- * `hmac-md5-etm@openssh.com`
- * `hmac-md5-96-etm@openssh.com`
- * `hmac-ripemd160-etm@openssh.com`
- * `hmac-sha1-etm@openssh.com`
- * `hmac-sha1-96-etm@openssh.com`
- * `hmac-sha2-256-etm@openssh.com`
- * `hmac-sha2-512-etm@openssh.com`
- * `umac-64-etm@openssh.com`
- * `umac-128-etm@openssh.com`
+This could be used to harden security.
 
+.. note:: VyOS 1.1 supported login as user ``root``. This has been removed due
+   to tighter security in VyOS 1.2.
 
-Key Authentication
-##################
+Key Based Authentication
+========================
 
 It is highly recommended to use SSH Key authentication. By default there is
 only one user (``vyos``), and you can assign any number of keys to that user.
 You can generate a ssh key with the ``ssh-keygen`` command on your local
-machine, which will (by default) save it as ``~/.ssh/id_rsa.pub`` which is in
-three parts:
+machine, which will (by default) save it as ``~/.ssh/id_rsa.pub``.
 
- ``ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA...VByBD5lKwEWB username@host.example.com``
+Every SSH key comes in three parts:
 
-Only the type (``ssh-rsa``) and the key (``AAAB3N...``) are used. Note that
-the key will usually be several hundred characters long, and you will need to
-copy and paste it. Some terminal emulators may accidentally split this over
-several lines. Be attentive when you paste it that it only pastes as a single
-line. The third part is simply an identifier, and is for your own reference.
+``ssh-rsa AAAAB3NzaC1yc2EAAAABAA...VBD5lKwEWB username@host.example.com``
 
+Only the type (``ssh-rsa``) and the key (``AAAB3N...``) are used. Note that the
+key will usually be several hundred characters long, and you will need to copy
+and paste it. Some terminal emulators may accidentally split this over several
+lines. Be attentive when you paste it that it only pastes as a single line.
+The third part is simply an identifier, and is for your own reference.
 
-**Assign SSH Key to user**
+.. cfgcmd:: set system login user '<username>' authentication public-keys '<identifier>' key '<key>'
 
-Under the user (in this example, ``vyos``), add the public key and the type.
-The `identifier` is simply a string that is relevant to you.
+Assign the SSH public key portion `<key>` identified by per-key `<identifier>`
+to the local user `<username>`.
 
-.. code-block:: none
+.. cfgcmd:: set system login user '<username>' authentication public-keys '<identifier>' type '<type>'
 
-  set system login user vyos authentication public-keys 'identifier' key "AAAAB3Nz...."
-  set system login user vyos authentication public-keys 'identifier' type ssh-rsa"
+Every SSH public key portion referenced by `<identifier>` requires the
+configuration of the `<type>` of public-key used. This type can be any of:
 
-You can assign multiple keys to the same user by changing the identifier. In
-the following example, both Unicron and xrobau will be able to SSH into VyOS
-as the ``vyos`` user using their own keys.
+* ``ecdsa-sha2-nistp256``
+* ``ecdsa-sha2-nistp384``
+* ``ecdsa-sha2-nistp521``
+* ``ssh-dss``
+* ``ssh-ed25519``
+* ``ssh-rsa``
 
-.. code-block:: none
+.. note:: You can assign multiple keys to the same user by using a unique
+   identifier per SSH key.
 
-  set system login user vyos authentication public-keys 'Unicron' key "AAAAB3Nz...."
-  set system login user vyos authentication public-keys 'Unicron' type ssh-rsa
-  set system login user vyos authentication public-keys 'xrobau' key "AAAAQ39x...."
-  set system login user vyos authentication public-keys 'xrobau' type ssh-rsa
+Example
+-------
 
+In the following example, both User1 and User2 will be able to SSH into VyOS
+as the ``vyos`` user using their own keys.
 
+.. code-block:: none
 
+  set system login user vyos authentication public-keys 'User1' key "AAAAB3Nz...KwEW"
+  set system login user vyos authentication public-keys 'User1' type ssh-rsa
+  set system login user vyos authentication public-keys 'User2' key "AAAAQ39x...fbV3"
+  set system login user vyos authentication public-keys 'User2' type ssh-rsa
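Review bot: the directive for ``disable-host-validation`` is written as ``.. cfgcmd: set service ssh disable-host-validation`` with a single colon, unlike every other ``.. cfgcmd::`` in this hunk; Sphinx parses ``.. name: text`` as a comment, so that command silently disappears from the rendered page. It should read ``.. cfgcmd:: set service ssh disable-host-validation``. Two smaller points in the same hunk: the sample public key in the Key Based Authentication section was changed from ``AAAAB3NzaC1yc2EAAAADAQABAA...VByBD5lKwEWB`` to ``AAAAB3NzaC1yc2EAAAABAA...VBD5lKwEWB``, and the sentence below it still describes the key as ``AAAB3N...``, which matches neither spelling; keep the original prefix and use it consistently in both places so readers pasting a real key recognise it. Finally, the identical sentence "This could be used to harden security." now follows both the cipher list (which includes ``3des-cbc``, ``arcfour`` and ``blowfish-cbc``) and the MAC list (which includes ``hmac-md5`` and ``hmac-md5-96``); consider saying that hardening means restricting the set to a subset of these, rather than implying that any listed algorithm is a hardening choice.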
-- 
cgit v1.2.3