Secure Shell

SSH (Secure Shell) is enabled by default in ArubaOS and allows you to log in using a username and password. You can enable SSH login using public key authentication while leaving username and password authentication enabled, or you can disable username and password authentication and leave only public key authentication enabled. In the FIPS mode of operation, SSH is pre-configured to use only Diffie-Hellman Group 14 with AES-CBC-128, AES-CBC-256, HMAC-SHA1, or HMAC-SHA1-96. These settings are not configurable.

When you import an X.509 client certificate into the managed device, the certificate is converted to SSH-RSA keys. When you enable public key authentication for SSH, the managed device validates the credentials of the client against the imported public keys. You can specify public key authentication only, or public key authentication with username and password (if public key authentication fails, the user can log in with a configured username and password).
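The conversion described above turns the RSA public key inside the X.509 certificate into the SSH wire-format "ssh-rsa" key that the device compares against the client's key at login. The following Python example is added here to show that wire format; it is not ArubaOS code and does not reproduce the device's own conversion routine. It encodes a modulus and exponent as an ssh-rsa blob (RFC 4253 section 6.6, using the RFC 4251 string and mpint encodings), renders it as an authorized_keys-style line, computes the OpenSSH-style SHA256 fingerprint, and parses the blob back. The modulus SAMPLE_N is a constructed toy value for demonstration, not a real key.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint' for a non-negative integer.

    Minimal big-endian bytes, with a leading zero byte added when the high
    bit is set so the value is not read as a negative two's-complement number.
    Zero is encoded as an empty string.
    """
    if value < 0:
        raise ValueError("only non-negative integers are supported here")
    if value == 0:
        return ssh_string(b"")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def rsa_public_blob(n: int, e: int) -> bytes:
    """Wire-format 'ssh-rsa' public key: string "ssh-rsa", mpint e, mpint n."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def authorized_key_line(n: int, e: int, comment: str = "") -> str:
    """The single-line form used in authorized_keys / id_rsa.pub files."""
    encoded = base64.b64encode(rsa_public_blob(n, e)).decode("ascii")
    return f"ssh-rsa {encoded} {comment}".rstrip()


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_rsa_public_blob(blob: bytes):
    """Inverse of rsa_public_blob: returns (n, e) or raises ValueError."""
    fields = []
    offset = 0
    while offset < len(blob):
        if offset + 4 > len(blob):
            raise ValueError("truncated length field")
        (length,) = struct.unpack(">I", blob[offset:offset + 4])
        offset += 4
        if offset + length > len(blob):
            raise ValueError("truncated field body")
        fields.append(blob[offset:offset + length])
        offset += length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa public key blob")
    e = int.from_bytes(fields[1], "big")
    n = int.from_bytes(fields[2], "big")
    return n, e


# Constructed sample values (NOT a real key): a 128-bit odd modulus with the
# high bit set, so the mpint leading-zero rule is exercised, and e = 65537.
SAMPLE_N = int("c5d47b2e9f31a0b7e6d3512fa9b4c18d", 16)
SAMPLE_E = 65537

if __name__ == "__main__":
    blob = rsa_public_blob(SAMPLE_N, SAMPLE_E)
    print(authorized_key_line(SAMPLE_N, SAMPLE_E, "imported-from-x509"))
    print(sha256_fingerprint(blob))
    print(parse_rsa_public_blob(blob) == (SAMPLE_N, SAMPLE_E))
```

Comparing the fingerprint produced from the certificate's public key with the one shown by the client's SSH tooling is a quick way to confirm that the imported certificate matches the key the user will actually present.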

Enabling Public Key Authentication

The managed device supports public key authentication of users who access it using SSH. (The default is username and password authentication.)

To use public key authentication, you must do the following:

  1. Import the X.509 client certificate into the managed device using the WebUI, as described in Managing Certificates.
  2. Configure SSH for client public key authentication. You can optionally also select username and password authentication.
  3. Configure the username, role, and client certificate.

The following procedure describes how to enable public key authentication.

  1. In the Managed Network node hierarchy, navigate to the Configuration > System > Admin tab and expand the Admin Authentication Options accordion.
  2. Under SSH (Secure Shell) Authentication Method, set Client Public Key to Enabled. You can optionally select Username/Password to use both username and password and public key authentication for SSH access.
  3. Click Submit.
  4. To configure the user, navigate to the Configuration > System > Admin tab.
    1. Expand the Management User accordion.
    2. Click Show users with certificate authentication.
    3. Click +.
    4. Select CLI through SSH from the Interface to connect drop-down list.

    ArubaOS recommends that the username and role for SSH be the same as for the WebUI certificate. You can optionally use the check box to copy the username and role from the Web Certificate section to the SSH Public Key section.

    5. Enter the User name.
    6. Select the management role assigned to the user upon validation of the client certificate.
    7. Select the Client certificate.
  5. Click Submit.

The following CLI commands enable public key authentication.

ssh mgmt-auth public-key [username/password]

mgmt-user ssh-pubkey client-cert <certificate> <username> <role>

Enabling Ciphers and MAC Algorithms

You can configure SSH to enable or disable the following ciphers and MAC (message authentication code) algorithms based on your preference:

  • AES-CBC
  • AES-CTR
  • HMAC-SHA1
  • HMAC-SHA1-96
  • HMAC-SHA2-256

By default, all the algorithms are enabled. The managed device lets you enable or disable a specific cipher or the HMAC-SHA1-96 authentication algorithm.
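The cipher and MAC selections above are what the SSH server advertises in its SSH_MSG_KEXINIT name-lists during key exchange, and a client picks the first of its own preferences that the server also lists. The following Python example is added here (it is not ArubaOS code and does not query a real device) to show how those name-lists are encoded and parsed, and how a defender can audit an advertised list against a simple policy: CBC-mode ciphers and the 96-bit truncated HMAC-SHA1 tag are flagged, and each direction must offer a SHA-2 MAC. The algorithm names are the standard SSH wire names (aes128-cbc, aes128-ctr, hmac-sha1-96, hmac-sha2-256, and so on); mapping them onto the WebUI choices on this page (AES-CBC, AES-CTR, HMAC-SHA1, HMAC-SHA1-96, HMAC-SHA2-256) is this example's assumption, and the sample lists are constructed.

```python
import os
import struct

SSH_MSG_KEXINIT = 20  # message number (RFC 4253 section 7.1)

# The ten name-lists of KEXINIT, in wire order.
NAME_LIST_FIELDS = (
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
)
ENC_FIELDS = NAME_LIST_FIELDS[2:4]
MAC_FIELDS = NAME_LIST_FIELDS[4:6]


def _name_list(names):
    """RFC 4251 'name-list': uint32 length + comma-separated ASCII names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(lists, cookie=None):
    """Serialise a KEXINIT payload from {field: [names]}; absent fields are empty."""
    cookie = os.urandom(16) if cookie is None else cookie
    if len(cookie) != 16:
        raise ValueError("cookie must be exactly 16 bytes")
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in NAME_LIST_FIELDS:
        payload += _name_list(lists.get(field, []))
    payload += b"\x00"               # first_kex_packet_follows = FALSE
    payload += struct.pack(">I", 0)  # reserved for future extension
    return payload


def parse_kexinit(payload):
    """Inverse of build_kexinit: returns {field: [names]} for all ten fields."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    offset = 17  # skip the message number and the 16-byte cookie
    lists = {}
    for field in NAME_LIST_FIELDS:
        (length,) = struct.unpack(">I", payload[offset:offset + 4])
        offset += 4
        raw = payload[offset:offset + length].decode("ascii")
        offset += length
        lists[field] = raw.split(",") if raw else []
    return lists


# Example audit policy (this example's choice, not an ArubaOS setting).
WEAK_MACS = {"hmac-sha1-96", "hmac-md5", "hmac-md5-96"}


def audit_kexinit(lists):
    """Return (field, algorithm, reason) for every policy violation found."""
    findings = []
    for field in ENC_FIELDS:
        for name in lists.get(field, []):
            if name.endswith("-cbc"):
                findings.append((field, name, "CBC-mode cipher offered"))
    for field in MAC_FIELDS:
        offered = lists.get(field, [])
        for name in offered:
            if name in WEAK_MACS:
                findings.append((field, name, "truncated or MD5-based MAC offered"))
        if not any(name.startswith("hmac-sha2-") for name in offered):
            findings.append((field, "", "no SHA-2 MAC offered"))
    return findings


# Constructed sample lists: everything on this page enabled, then the
# hardened selection (AES-CTR only, HMAC-SHA2-256 only).
ALL_ENABLED = {
    "kex_algorithms": ["diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1"],
    "server_host_key_algorithms": ["rsa-sha2-256", "ssh-rsa"],
    "encryption_algorithms_client_to_server": ["aes128-cbc", "aes256-cbc", "aes128-ctr", "aes256-ctr"],
    "encryption_algorithms_server_to_client": ["aes128-cbc", "aes256-cbc", "aes128-ctr", "aes256-ctr"],
    "mac_algorithms_client_to_server": ["hmac-sha1", "hmac-sha1-96", "hmac-sha2-256"],
    "mac_algorithms_server_to_client": ["hmac-sha1", "hmac-sha1-96", "hmac-sha2-256"],
    "compression_algorithms_client_to_server": ["none"],
    "compression_algorithms_server_to_client": ["none"],
}
HARDENED = dict(ALL_ENABLED)
for _f in ENC_FIELDS:
    HARDENED[_f] = ["aes128-ctr", "aes256-ctr"]
for _f in MAC_FIELDS:
    HARDENED[_f] = ["hmac-sha2-256"]

if __name__ == "__main__":
    for label, lists in (("all enabled", ALL_ENABLED), ("hardened", HARDENED)):
        for field, name, reason in audit_kexinit(parse_kexinit(build_kexinit(lists))):
            print(f"{label}: {field} {name} {reason}")
```

Run against the all-enabled list the audit reports the two CBC ciphers in each direction and HMAC-SHA1-96 in each direction; the hardened list produces no findings. The same parse-and-audit step can be applied to a KEXINIT captured from a packet trace of the device, which is a useful cross-check on what `show ssh` reports.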

The following procedure describes how to enable a cipher encryption:

  1. In the Managed Network node hierarchy, navigate to the Configuration > System > Admin tab and expand the Admin Authentication Options accordion.
  2. Under SSH (Secure Shell) Authentication Method > Encryption, select AES-CBC, AES-CTR, or Both.
  3. Click Submit.

The following procedure describes how to enable HMAC-SHA1-96 authentication:

  1. In the Managed Network node hierarchy, navigate to the Configuration > System > Admin tab and expand the Admin Authentication Options accordion.
  2. Under SSH (Secure Shell) Authentication Method > Authentication, select HMAC-SHA1-96.
  3. Click Submit.

The following procedure describes how to enable HMAC-SHA2-256 authentication:

  1. In the Managed Network node hierarchy, navigate to the Configuration > System > Admin tab and expand the Admin Authentication Options accordion.
  2. Under SSH (Secure Shell) Authentication Method > Authentication, deselect HMAC-SHA1 and HMAC-SHA1-96.
  3. Click Submit.

The following CLI command leaves only AES-CBC enabled on the SSH server, by disabling AES-CTR.

(host) [md] (config) #ssh disable-ciphers aes-ctr

The following CLI command leaves only AES-CTR enabled on the SSH server, by disabling AES-CBC.

(host) [md] (config) #ssh disable-ciphers aes-cbc

The following CLI command enables both ciphers on the SSH server.

(host) [md] (config) #no ssh disable-ciphers

The following CLI command leaves only HMAC-SHA1 enabled, by disabling HMAC-SHA1-96.

(host) [md] (config) #ssh disable-mac hmac-sha1-96

The following CLI command enables both MAC authentication algorithms on the SSH server.

(host) [md] (config) #no ssh disable-mac

Viewing Cipher and MAC Configuration

The following CLI command shows the status of the cipher and MAC configuration.

show ssh

Disabling Console Access

The mgmt-user console-block command disables console login. Its purpose is to lock down all console ports on the managed device, for example micro USB and mini USB, for a higher level of security.

The following CLI command disables the console.

(host) [mynode] (config) #mgmt-user console-block

PLEASE SAVE THE CONFIGURATION. CONSOLE WILL BE BLOCKED ONCE USER LOGS OUT FROM SERIALCONSOLE.

The following CLI command enables the console.

(host) [mynode] (config) #no mgmt-user console-block