calin radoni's humble web presence

SSH access for Allied Telesyn's routers and Layer 3 switches

Objective

Improving network security by managing the active network equipment through the Secure Shell protocol (see SSH Communication Security - Original Developers of Secure Shell and IETF's Secure Shell Charter) instead of the "traditional" Telnet protocol (see RFC 854: Telnet Protocol Specification).
As you may already know, authentication through SSH is possible using two methods: password authentication and RSA authentication.
I will show you both methods in this document.

Why not Telnet? Basically, Telnet uses cleartext passwords for authentication, which is a serious security problem. Cleartext passwords are easily sniffed, and this could lead to a compromise of the entire network.

Why the Secure Shell (SSH) protocol? SSH is a strongly authenticated and encrypted protocol, very hard to break or compromise. It uses "strong" public key and symmetric cryptographic algorithms for authentication and encryption.

Why Allied Telesyn routers and Layer 3 switches? Because I have some to play with...

Note: About RSA

RSA is a public key cryptographic algorithm. RSA stands for Rivest-Shamir-Adleman, the names of the algorithm's creators. See the RSA Laboratories page for more information about the RSA algorithm.

Note: Conventions

Unless specified otherwise, the term "router" is used in this document to refer to both routers and Layer 3 switches.

Warning

BACKUP YOUR ROUTER'S CONFIGURATION !!!

After correctly applying the procedure presented in this document you will not be able to use the Telnet protocol to access your router, unless you cancel all modifications!

If you make a mistake and save your configuration, you will NOT be able to access your router, except through a serial connection.

Requirements

A minimal configuration for your router should exist, otherwise:

For SSH access and RSA key generation I am using, throughout this document, two methods:

I have configured my routers through both serial and network connections. You should be able to do it as well.

Enough talk, let's do it (backup your configuration first).

Security ON

Many of the commands outlined in this document require Security Officer privileges, which is why the first step is to create a user with Security Officer privileges.
First, log in (through telnet or console) as manager, then create a new user:

ADD USER=<theSoUser> LOGIN=TRUE PASSWORD=<passwordForSoUser> PRIVILEGE=securityofficer TELNET=yes

Replace <theSoUser> and <passwordForSoUser> as you wish but do NOT forget them because we will put the router into security mode and <theSoUser> will be the big boss!

Now log out and log in again (through telnet or console) as <theSoUser>.

Put the router into security mode:

ENABLE SYSTEM security_mode

and enable remote connections for <theSoUser>:

ENABLE USER RSO
ADD USER RSO IP=<theIpAddressOfManagementStation>

where <theIpAddressOfManagementStation> is the IP address of the station that you will use to connect to the router.

Note

You can use the previous command multiple times to add multiple management stations or you can use the MASK parameter to add a range of addresses for management.

The keys

For SSH to work you need at least two keys: a host key and a server key.
I am starting by creating the host key:

CREATE ENCO KEY=0 TYPE=RSA LENGTH=1024 DESCRIPTION="Host Key" FORM=ssh

You should receive the following two messages:

Now the host key is generated and I will generate the server key (according to the documentation, "this key must be 128 bits shorter than the host key, but should be at least 512 bits"):

CREATE ENCO KEY=1 TYPE=RSA LENGTH=768 DESCRIPTION="Server Key" FORM=ssh

The generation messages again:

and your keys are created.

Note

The default options for an Allied Telesyn router or Layer 3 switch allow you to create RSA keys of up to 1024 bits.

You can verify that the keys were created by issuing the command:

SHOW ENCO KEY


Start SSH server

To enable SSH access I am using the following command:

ENABLE SSH SERVER HOSTKEY=0 SERVERKEY=1 EXPIRYTIME=24 LOGINTIMEOUT=60

which enables the SSH server, sets the expiry time of the server key to 24 hours and the login timeout for unauthenticated sessions to 60 seconds.
You can tweak those values, but be aware that:

Password authentication

The easiest, but not the safest, way to use the SSH protocol is through password authentication. I am starting with this one by typing the following command:

ADD SSH USER=<theSoUser> PASSWORD=<aSshPasswordForSoUser>

Now you can log out and start an SSH connection from one of the management stations added in a previous step.

Note

If you can connect now through SSH everything should be OK and it is time to save the configuration (by issuing the CREATE CONFIG=boot.cfg command); otherwise restart the router and start over.

RSA authentication

RSA authentication is more secure than password authentication. For it to work you need to create a public key pair for every user that needs to connect to the router. I am presenting here two methods to create key pairs for users, one using PuTTYgen and one using ssh-keygen.

Constraints for creating a key pair:

Note

Because the standard licence for Allied Telesyn routers allows you to use an SSH-1 RSA key with a maximum length of 1024 bits, if you create a stronger key you need a special licence to be able to use it.

To use PuTTYgen to create <theSoUser>'s key pair, fill in the fields:

then save the public and private keys.

To use ssh-keygen to create <theSoUser>'s key pair, execute:

ssh-keygen -b 1024 -t rsa1 -C "<putKeyCommentHere>" -P "<privateKeyPassword>" -f <destKeyFileName>

and you will get two files:

Warning

The private key must be kept in a safe location, unlike the public key, which can be safely deployed anywhere you need it.
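Before uploading a user's public key it is worth confirming that its modulus really fits the 1024-bit limit of the standard licence, so the import does not fail on the router. The following Python check is an added example, not part of this document or of Allied Telesyn's software; it reads both the SSH-1 public key format written by ssh-keygen -t rsa1 and PuTTYgen ("bits e n comment") and the SSH-2 "ssh-rsa" format, and the sample moduli and comment strings in it are constructed, not real keys.

```python
import base64
import struct

MAX_LICENSED_BITS = 1024  # SSH-1 RSA user-key limit under the standard licence (per the article)

def _read_string(blob, off):
    """Read one SSH wire-format string: uint32 big-endian length, then that many bytes."""
    (length,) = struct.unpack_from(">I", blob, off)
    return blob[off + 4:off + 4 + length], off + 4 + length

def _mpint(value):
    """SSH mpint for a positive int: minimal big-endian bytes plus a 0x00 sign byte if needed."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(raw)) + raw

def ssh2_pubkey_line(e, n, comment):
    """Build an 'ssh-rsa <base64> comment' line (used here only to construct sample input)."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(e) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment

def rsa_modulus_bits(pubkey_line):
    """Modulus length in bits of an SSH-1 line ('bits e n comment', as written by
    ssh-keygen -t rsa1 and PuTTYgen) or an SSH-2 'ssh-rsa' line."""
    parts = pubkey_line.split()
    if parts and parts[0] == "ssh-rsa":
        blob = base64.b64decode(parts[1])
        keytype, off = _read_string(blob, 0)
        if keytype != b"ssh-rsa":
            raise ValueError("blob type does not match 'ssh-rsa'")
        _e, off = _read_string(blob, off)  # public exponent, not needed for the check
        n, _ = _read_string(blob, off)
        return int.from_bytes(n, "big").bit_length()
    if len(parts) >= 3 and all(p.isdigit() for p in parts[:3]):
        declared, actual = int(parts[0]), int(parts[2]).bit_length()
        if declared != actual:  # a header that misstates the size means a corrupt or edited file
            raise ValueError(f"header says {declared} bits, modulus has {actual}")
        return actual
    raise ValueError("unrecognised public key format")

def fits_standard_licence(pubkey_line, limit=MAX_LICENSED_BITS):
    """True when the router can import the key without the extended licence."""
    return rsa_modulus_bits(pubkey_line) <= limit

# Constructed sample moduli: right size and parity, but NOT products of two primes.
SAMPLE_N_1024 = (1 << 1023) | 0x10001
SAMPLE_N_2048 = (1 << 2047) | 0x10001
SAMPLE_SSH1_LINE = f"1024 35 {SAMPLE_N_1024} so-user@mgmt-station"  # ssh-keygen -t rsa1 style
SAMPLE_SSH2_LINE = ssh2_pubkey_line(65537, SAMPLE_N_2048, "so-user@mgmt-station")
```

Run fits_standard_licence() on the contents of the .pub file before the LOAD step; a 2048-bit key is rejected here rather than by the router after the upload.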

The PUBLIC key should be uploaded to the router. Start a TFTP server and execute, on the router, the command:

LOAD FILE=<publicKeyFileName>.key DESTINATION=flash SERVER=<theIpAddressOfTftpServer> METHOD=tftp

and import that key:

CREATE ENCO KEY=3 TYPE=rsa FILE=<publicKeyFileName>.key DESC="<theSoUser>'s public key" FORM=ssh


Note

You can assign any KEYID you wish to your imported key, except the key ids 0 and 1, which were allocated to the Host Key and the Server Key. I assigned the previous key the value three just as an example (KEY=3).

You can verify that the keys were created by issuing the command:

SHOW ENCO KEY

Delete the SSH user <theSoUser> created with password authentication:

DELETE SSH USER=<theSoUser>

and add it again for RSA authentication:

ADD SSH USER=<theSoUser> KEYID=3


To test the new setting, log out and then initiate an SSH connection like this:

putty.exe -ssh <theSoUser>@<ipAddressOfTheRouter> -i <theSoUser>prv.key

from one of the management stations added in a previous step.

Note

If you can connect now through SSH everything should be OK and it is time to save the configuration (by issuing the CREATE CONFIG=boot.cfg command); otherwise restart the router and start over.

Next?

This document is followed by the SSL access for Allied Telesyn's routers and Layer 3 switches document.

Appendix A: Starting with a default configuration

If you want to reconfigure an Allied Telesyn Layer 3 switch from scratch, here is the procedure:

  1. make a serial connection to the switch;
  2. reboot switch by issuing the RESTART ROUTER command or by pressing the Reset button;
  3. when the switch displays the message Force EPROM download (Y)? press S and the switch will boot with a default configuration, ignoring any boot script;
  4. login with default credentials (manager/friend pair).
Now your switch is "unconfigured" and you can continue as described in Appendix B.

Appendix B: Quick start for a new or unconfigured Layer 3 switch

Make a serial connection to the switch and log in with the default credentials (the manager/friend pair).
After logging in, type the following commands:

ENABLE IP
ADD IP INT=vlan1 IP=192.168.1.1

The first command enables the IP functions.
The second command creates an interface with the IP address 192.168.1.1 in the default VLAN.
Now you can save your configuration by issuing the following commands:

CREATE CONFIG=boot.cfg
SET CONFIG=boot.cfg

Because all ports are members of the default VLAN in the default configuration, you can now connect a patch cord between your computer and the switch and assign the IP address 192.168.1.2 with a mask such as 255.255.255.0 to the computer's network card.

An alternate configuration, usable if you have another switch with a free port tagged in the default VLAN, can be obtained by typing the following commands:

ENABLE IP
ADD IP INT=vlan1 IP=192.168.1.2
ADD IP ROUTE=0.0.0.0 MASK=0.0.0.0 INT=vlan1 NEXT=192.168.1.1
SET VLAN=1 PORT=1 FRAME=tagged

assuming the default gateway for VLAN1 has the IP address 192.168.1.1 and that the IP address 192.168.1.2 is not allocated.

Warning

If you choose this way do not forget to change the default password (use the SET PASSWORD command)!

History

Copyright and License

This document is copyrighted (c) 2006 by Calin Radoni. Permission is granted to copy and/or distribute this document.

Disclaimer

No liability for the contents of this document can be accepted. Use the concepts, examples and information at your own risk. There may be errors and inaccuracies that could be damaging to your system. Proceed with caution; the author does not take any responsibility.

All copyrights are held by their respective owners, unless specifically noted otherwise. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.


Copyright © 2005 - 2009 Calin Radoni Hosted on http://www.oocities.org/calinradoni Last page modification is 18 May 2006