SSH access for Allied Telesyn's routers and Layer 3 switches
Improving network security by managing the active equipment through the Secure Shell protocol (see SSH Communication Security - Original Developers of Secure Shell and IETF's Secure Shell Charter) instead of the "traditional" Telnet protocol (see RFC 854: Telnet Protocol Specification).
As you may already know, authentication through SSH is possible using two methods: password authentication and RSA authentication. I will show you both methods in this document.
Why not Telnet? Basically, Telnet uses cleartext passwords for authentication, which is a serious security problem. The cleartext passwords are easily sniffed and this could lead to an entire network compromise.
Why the Secure Shell (SSH) protocol? SSH is a strongly authenticated and encrypted protocol, very hard to break and compromise. It uses "strong" public key and symmetric cryptographic protocols for authentication and encryption.
Why Allied Telesyn routers and Layer 3 switches? Because I have some to play with...
Note: About RSA
RSA is a public key cryptographic algorithm. RSA stands for Rivest-Shamir-Adleman, the names of the algorithm's creators. See the RSA Laboratories' page for more info about the RSA algorithm.
Note: Conventions
Unless specified otherwise, the term "router" is used in this document to refer to both routers and Layer 3 switches.
Warning
BACKUP YOUR ROUTER'S CONFIGURATION !!!
After correctly applying the procedure presented in this document you will not be able to use the Telnet protocol to access your router, unless you cancel all modifications!
If you make a mistake and save your configuration, you will NOT be able to access your router, except through a serial connection.
A minimal configuration for your router should exist; otherwise:
For SSH access and RSA key generation I am using, throughout this document, two methods:
I have configured my routers through serial and network connections. You should be able to do the same.
Enough talk, let's do it (backup your configuration first).
Many of the commands outlined in this document require Security Officer privileges; that is why the first step is to create a user with Security Officer privileges.
First, login (through telnet or console) as manager, then create a new user:
ADD USER=<theSoUser> LOGIN=TRUE PASSWORD=<passwordForSoUser> PRIVILEGE=securityofficer TELNET=yes
Replace <theSoUser> and <passwordForSoUser> as you wish but do NOT forget them, because we will put the router into security mode and <theSoUser> will be the big boss!
Now logout and login again (through telnet or console) as <theSoUser>.
Put the router into security mode:
ENABLE SYSTEM security_mode
and enable remote connection for <theSoUser>:
ENABLE USER RSO
ADD USER RSO IP=<theIpAddressOfManagementStation>
where <theIpAddressOfManagementStation> is the IP address of the station that you will use to connect to the router.
Note
You can use the previous command multiple times to add multiple management stations or you can use the MASK parameter to add a range of addresses for management.
For SSH to work you need at least two keys: a host key and a server key.
I am starting by creating the host's key:
CREATE ENCO KEY=0 TYPE=RSA LENGTH=1024 DESCRIPTION="Host Key" FORM=ssh
You should receive the following two messages:
Then the server key:
CREATE ENCO KEY=1 TYPE=RSA LENGTH=768 DESCRIPTION="Server Key" FORM=ssh
The generation messages again:
Note
Default options for an Allied Telesyn router or Layer 3 switch allow you to create RSA keys up to 1024 bits.
SHOW ENCO KEY
To enable SSH access I am using the following command:
ENABLE SSH SERVER HOSTKEY=0 SERVERKEY=1 EXPIRYTIME=24 LOGINTIMEOUT=60
which enables the SSH server, sets the expiry time of the server key to 24 hours and the login timeout for unauthenticated sessions to 60 seconds.
The easiest but not the safest way to use the SSH protocol is through password authentication. I am starting with this one by typing the following command:
ADD SSH USER=<theSoUser> PASSWORD=<aSshPasswordForSoUser>
Now you can log out and start an SSH connection from one of the management stations added in a previous step.
Note
If you can connect now through SSH everything should be OK and it is time to save the configuration (by issuing the CREATE CONFIG=boot.cfg command); otherwise restart the router and start over.
RSA authentication is more secure than password authentication. For this to work you need to create a public key pair for every user that needs to connect to the router. I am presenting here two methods to create public key pairs for users, one using PuTTYgen and one using ssh-keygen.
Constraints for creating a key pair:
Key comment field);
Key passphrase field).
Note
Because the standard licence for an Allied Telesyn router allows you to use an SSH-1 RSA key with a maximum length of 1024 bits, if you create a stronger key you need a special licence to be able to use it.
To use PuTTYgen for creating <theSoUser>'s public key pair, fill the fields:
Key comment field to identify your key;
Key passphrase field.
To use ssh-keygen for creating <theSoUser>'s public key pair, execute:
ssh-keygen -b 1024 -t rsa1 -C "<putKeyCommentHere>" -P "<privateKeyPassword>" -f <destKeyFileName>
and you will get two files:
<destKeyFileName> containing the private key
<destKeyFileName>.pub containing the public key
Warning
The private key should be kept in a safe location, unlike the public key, which can safely be deployed anywhere you need it.
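Before uploading the public key, it is worth confirming that it respects the constraints stated above: at most 1024 bits under the standard licence, and a key comment so the key can be identified on the router. The following Python checker is an added example and not part of the original document. It parses the SSH-1 public key format that ssh-keygen -t rsa1 writes ("bits exponent modulus comment", all decimal) and, going beyond the page, the SSH-2 "ssh-rsa <base64> comment" format. The names MAX_BITS, parse_public_key, check_key and encode_ssh2_rsa, the user name netadmin and the constructed sample moduli are assumptions made for the example; they are not real key material.

```python
"""Check a public key against the page's constraints before uploading it.

Added example, not code from the original document. Parses SSH-1 public
keys (ssh-keygen -t rsa1 output) and SSH-2 "ssh-rsa" lines, then checks
the modulus length against MAX_BITS and that a key comment is present.
"""
import base64
import struct

MAX_BITS = 1024  # limit for the standard licence, as stated on the page


def _ssh_string(data):
    """Encode one length-prefixed SSH-2 wire field."""
    return struct.pack(">I", len(data)) + data


def _mpint(value):
    """Encode a non-negative integer as an SSH-2 mpint (leading 0x00 keeps it positive)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return b"\x00" + raw if raw and raw[0] & 0x80 else raw


def encode_ssh2_rsa(e, n, comment):
    """Build an ssh-rsa line; used here only to construct sample input."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(_mpint(e)) + _ssh_string(_mpint(n))
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode("ascii"), comment)


def _read_ssh_string(blob, offset):
    """Read one length-prefixed field from an SSH-2 wire blob."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def parse_public_key(line):
    """Return a dict with format, declared_bits, bits, exponent, modulus and comment."""
    parts = line.strip().split(None, 3)
    if len(parts) >= 3 and parts[0].isdigit():
        # SSH-1 format: "<bits> <exponent> <modulus> [comment]", all decimal
        modulus = int(parts[2])
        return {"format": "ssh1", "declared_bits": int(parts[0]),
                "bits": modulus.bit_length(), "exponent": int(parts[1]),
                "modulus": modulus, "comment": parts[3] if len(parts) > 3 else ""}
    if len(parts) >= 2 and parts[0] == "ssh-rsa":
        # SSH-2 format: "ssh-rsa <base64 blob> [comment]"; blob = type, e, n
        blob = base64.b64decode(parts[1])
        keytype, off = _read_ssh_string(blob, 0)
        if keytype != b"ssh-rsa":
            raise ValueError("key blob is not an ssh-rsa key")
        e_bytes, off = _read_ssh_string(blob, off)
        n_bytes, off = _read_ssh_string(blob, off)
        modulus = int.from_bytes(n_bytes, "big")
        return {"format": "ssh2", "declared_bits": modulus.bit_length(),
                "bits": modulus.bit_length(), "exponent": int.from_bytes(e_bytes, "big"),
                "modulus": modulus, "comment": " ".join(parts[2:])}
    raise ValueError("unrecognised public key line")


def check_key(line, max_bits=MAX_BITS):
    """Return the list of problems found; an empty list means the key is acceptable."""
    key = parse_public_key(line)
    problems = []
    if key["bits"] > max_bits:
        problems.append("modulus is %d bits, licence limit is %d" % (key["bits"], max_bits))
    if key["declared_bits"] != key["bits"]:
        problems.append("declared %d bits but modulus has %d" % (key["declared_bits"], key["bits"]))
    if not key["comment"]:
        problems.append("no key comment; the key cannot be identified on the router")
    if key["exponent"] < 3 or key["exponent"] % 2 == 0:
        problems.append("unusual public exponent %d" % key["exponent"])
    return problems


# Constructed sample lines (not real key material): the moduli are just odd
# numbers of the wanted bit length, which is all the checks above look at.
SAMPLE_SSH1_OK = "1024 35 %d netadmin@mgmt-station" % ((1 << 1023) | 1)
SAMPLE_SSH1_NO_COMMENT = "1024 35 %d" % ((1 << 1023) | 1)
SAMPLE_SSH2_TOO_BIG = encode_ssh2_rsa(65537, (1 << 2047) | 1, "netadmin@mgmt-station")

if __name__ == "__main__":
    for label, line in (("ssh1 ok", SAMPLE_SSH1_OK),
                        ("ssh1 without comment", SAMPLE_SSH1_NO_COMMENT),
                        ("ssh2 2048-bit", SAMPLE_SSH2_TOO_BIG)):
        print(label, "->", check_key(line) or "acceptable")
```

Run it against the first line of <destKeyFileName>.pub (open the file and pass the line to check_key) before starting the TFTP upload; a key that is over the licensed length will be refused by the router anyway, and one without a comment is hard to tell apart from the others in the SHOW ENCO KEY listing.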
The PUBLIC key should be uploaded to the router. Start a TFTP server and execute, in the router, the command:
LOAD FILE=<publicKeyFileName>.key DESTINATION=flash SERVER=<theIpAddressOfTftpServer> METHOD=tftp
and import that key:
CREATE ENCO KEY=3 TYPE=rsa FILE=<publicKeyFileName>.key DESC="<theSoUser>'s public key" FORM=ssh
Note
You can assign a KEYID to your imported key as you wish, except the 0 and 1 key ids that were allocated for the Host Key and Server Key. I have assigned the previous key the value three just as an example (KEY=3).
SHOW ENCO KEY
Delete the SSH <theSoUser> created with password authentication:
DELETE SSH USER=<theSoUser>
and add it again for RSA authentication:
ADD SSH USER=<theSoUser> KEYID=3
To test the new setting, log out and then initiate an SSH connection like this:
putty.exe -ssh <theSoUser>@<ipAddressOfTheRouter> -i <theSoUser>prv.key
from one of the management stations added in a previous step.
Note
If you can connect now through SSH everything should be OK and it is time to save the configuration (by issuing the CREATE CONFIG=boot.cfg command); otherwise restart the router and start over.
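At this point the router should be in security mode, restricted to the management stations added with ADD USER RSO, with an SSH server bound to a host key and a server key, and with a Security Officer that authenticates with an RSA key instead of a password. The following Python script is an added example, not part of the original document: it audits a saved configuration script for exactly those settings. It assumes that the file written by CREATE CONFIG=boot.cfg is a plain list of the commands shown on this page, one command per line with case-insensitive keywords (an assumption; compare it with a real boot.cfg before relying on it). The two sample scripts, the user name netadmin and the function names audit_config and parse_command are constructed for the example.

```python
"""Audit a saved router configuration for the SSH settings this page sets up.

Added example, not from the original document. Assumes the configuration
saved with CREATE CONFIG=boot.cfg is a plain script of the same commands
shown on this page, one per line, keywords case-insensitive; lines starting
with '#' are treated as comments. Findings are strings; an empty list means
the script matches the hardened end state the document describes.
"""
import shlex

MAX_LICENSED_BITS = 1024  # key length limit for the standard licence, from the page


def parse_command(line):
    """Split one command line into (uppercased keywords, {PARAMETER: value})."""
    words, params = [], {}
    for tok in shlex.split(line):  # shlex keeps DESCRIPTION="Host Key" together
        if "=" in tok:
            key, value = tok.split("=", 1)
            params[key.upper()] = value
        else:
            words.append(tok.upper())
    return words, params


def audit_config(text):
    """Return the list of findings for one configuration script."""
    findings = []
    security_mode = rso_enabled = False
    rso_stations, ssh_users, keys, ssh_server = [], [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words, params = parse_command(line)
        if words[:3] == ["ENABLE", "SYSTEM", "SECURITY_MODE"]:
            security_mode = True
        elif words[:3] == ["ENABLE", "USER", "RSO"]:
            rso_enabled = True
        elif words[:3] == ["ADD", "USER", "RSO"] and "IP" in params:
            rso_stations.append(params["IP"])
        elif words[:2] == ["CREATE", "ENCO"] and "KEY" in params:
            keys[params["KEY"]] = params  # KEYID -> parameters of the key
        elif words[:3] == ["ENABLE", "SSH", "SERVER"]:
            ssh_server = params
        elif words[:2] == ["ADD", "SSH"] and "USER" in params:
            ssh_users.append(params)

    if not security_mode:
        findings.append("security mode is not enabled (ENABLE SYSTEM SECURITY_MODE missing)")
    if not rso_enabled:
        findings.append("remote Security Officer login is not enabled (ENABLE USER RSO missing)")
    if not rso_stations:
        findings.append("no management station allowed (no ADD USER RSO IP=... entry)")
    for keyid, kparams in keys.items():
        if int(kparams.get("LENGTH", 0)) > MAX_LICENSED_BITS:
            findings.append("key %s is %s bits; above %d bits a special licence is needed"
                            % (keyid, kparams["LENGTH"], MAX_LICENSED_BITS))
    if ssh_server is None:
        findings.append("SSH server is not enabled (ENABLE SSH SERVER missing)")
    else:
        for role in ("HOSTKEY", "SERVERKEY"):
            if role not in ssh_server:
                findings.append("ENABLE SSH SERVER has no %s parameter" % role)
            elif ssh_server[role] not in keys:
                findings.append("%s=%s refers to a key that is never created" % (role, ssh_server[role]))
        if "LOGINTIMEOUT" not in ssh_server:
            findings.append("no LOGINTIMEOUT set for unauthenticated SSH sessions")
    if not ssh_users:
        findings.append("no SSH user defined (ADD SSH USER=... missing)")
    for user in ssh_users:
        if "PASSWORD" in user:
            findings.append("SSH user %s uses password authentication; use KEYID instead" % user["USER"])
        elif user.get("KEYID") not in keys:
            findings.append("SSH user %s has no usable KEYID" % user["USER"])
    return findings


# Constructed sample scripts (placeholder names and addresses, not real devices).
GOOD_CONFIG = """
ADD USER=netadmin PASSWORD=changeme PRIVILEGE=securityofficer LOGIN=TRUE TELNET=yes
ENABLE SYSTEM SECURITY_MODE
ENABLE USER RSO
ADD USER RSO IP=192.168.1.2
CREATE ENCO KEY=0 TYPE=RSA LENGTH=1024 DESCRIPTION="Host Key" FORM=ssh
CREATE ENCO KEY=1 TYPE=RSA LENGTH=768 DESCRIPTION="Server Key" FORM=ssh
CREATE ENCO KEY=3 TYPE=rsa FILE=netadmin.key DESC="netadmin public key" FORM=ssh
ENABLE SSH SERVER HOSTKEY=0 SERVERKEY=1 EXPIRYTIME=24 LOGINTIMEOUT=60
ADD SSH USER=netadmin KEYID=3
"""
WEAK_CONFIG = """
ENABLE USER RSO
CREATE ENCO KEY=0 TYPE=RSA LENGTH=1024 DESCRIPTION="Host Key" FORM=ssh
CREATE ENCO KEY=1 TYPE=RSA LENGTH=768 DESCRIPTION="Server Key" FORM=ssh
ENABLE SSH SERVER HOSTKEY=0 SERVERKEY=1
ADD SSH USER=netadmin PASSWORD=changeme
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, "->", audit_config(cfg) or ["no findings"])
```

The weak script is the state you are in after the password-authentication step and before the RSA step: it still has a password SSH user, no security mode and no restriction on management stations, so the audit reports each of those separately. Running the audit over the saved boot.cfg of every router gives a quick way to find devices where the procedure was only half applied.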
This document is followed by the SSL access for Allied Telesyn's routers and Layer 3 switches document.
If you want to reconfigure an Allied Telesyn Layer 3 switch from zero, here is the procedure:
RESTART ROUTER command or by pressing the Reset button;
Force EPROM download (Y)? press S and the switch will boot with a default configuration, ignoring any boot script;
Make a serial connection to the switch and login with the default credentials (the manager/friend pair).
After login type the following commands:
ENABLE IP
ADD IP INT=vlan1 IP=192.168.1.1
The first command enables the IP functions.
CREATE CONFIG=boot.cfg
SET CONFIG=boot.cfg
Because all ports are, in the default configuration, members of the default VLAN, you can now connect a patch-cord between your computer and the switch and assign an IP address of 192.168.1.2 with a mask like 255.255.255.0 to the computer's network card.
An alternate configuration, usable if you have another switch with a free port tagged in the default VLAN, could be obtained if you type the following commands:
ENABLE IP
ADD IP INT=vlan1 IP=192.168.1.2
ADD IP ROUTE=0.0.0.0 MASK=0.0.0.0 INT=vlan1 NEXT=192.168.1.1
SET VLAN=1 PORT=1 FRAME=tagged
assuming the default gateway for VLAN1 has the IP address 192.168.1.1 and that the IP address 192.168.1.2 is not allocated.
Warning
If you choose this way do not forget to change the default password (use the SET PASSWORD command)!
This document is copyrighted (c) 2006 by Calin Radoni. Permission is granted to copy and/or distribute this document.
No liability for the contents of this document can be accepted. Use the concepts, examples and information at your own risk. There may be errors and inaccuracies that could be damaging to your system. Proceed with caution; the author does not take any responsibility.
All copyrights are held by their respective owners, unless specifically noted otherwise. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.