C4 CMTS

Release 4.2, Standard ARRIS PROPRIETARY All Rights Reserved 15-17

Procedure 15-1 Setting up SSH on the C4 CMTS
1 Create the directory /system/sec/ssh/server
2 Execute the command:
configure crypto key generate dsa
3 Execute the command:
configure ip ssh no shutdown
4 Execute the command:
configure ip ssh restart
End of procedure
Procedure 15-2 PuTTY, SSH, Public Key Authentication
Follow this procedure if you wish to connect securely to the C4 CMTS using
PuTTY and SSH with public key authentication:
1 Telnet to a Unix machine which is configured with openSSL crypto and ssh-
keygen utilities.
login: serial
pwd: serial
2 Execute the command:
ssh-keygen -t dsa -f id_dsa.pem
The file id_dsa.pem will be the private key file. If id_dsa.pem already
exists, overwrite it.
3 You will be prompted for a pass phrase. If you want to be prompted for
this pass phrase when you authenticate to the C4 CMTS, enter one. If not,
you can hit enter twice. The pass phrase is the SSH password; it must be
at least 4 characters long.
4 Execute the command:
openssl dsa -in id_dsa.pem -outform PEM -pubout -out
<username>.pem
Replace <username> with the desired username, for example, C4. If you
entered a pass phrase when the key was created, you will be prompted to
enter it again.
15-18 ARRIS PROPRIETARY All Rights Reserved 07/05/05
15 Authentication, Authorization, and Accounting (AAA)
5 A file will be created called "<username>.pem". This is this user's public
key file and must be FTP'd to the C4 CMTS running SSH. Place the file in
/system/sec/ssh/user. You may have to create the /user directory.
6 At the C4 CMTS, restart the SSH server:
configure ip ssh restart
7 From your PC, run PuTTYgen. PuTTYgen can be downloaded from
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
8 On the menu bar select Conversions --> import key. Open the private key
file you created above called id_dsa.pem. If you entered a pass phrase
when the key was created you will be prompted to enter it again.
9 Click the "Save private key" button to save the private key file with a ".ppk"
extension; call it <username>.ppk or something that correlates it with the
username you entered above. This is PuTTY's private key file format and
is different from OpenSSH and ssh.com (IETF SECSH).
10 From your PC, open PuTTY. Create a profile for connecting to the SSH
server. On the left side of the PuTTY window you will see a pane called
Category. Select Connection --> SSH --> Auth, and in the Private key
file for authentication browse to the public key file (the .ppk file you
converted with PuTTYgen). Go back to 'Sessions'. Enter the IP address,
SSH, Name of 'Saved Session' file and save your profile.
11 Connect to the C4. Login with <username>, whatever filename you called
the .pem public key file you FTPd to the C4 CMTS. If you entered a pass
phrase you will be prompted to enter this as well. Proceed to login to the
C4 CMTS in the same way as with telnet.
End of procedure
Storing Server Private Keys To store a private key to the Cadant C4 CMTS follow these steps:
1 Only a DER-encoded key is supported by the C4 CMTS. Openssh and
SSH2/IETF key formats are not supported in software release 4.2.
DER-encoded keys must be in PEM format.
2 Update the server DSA format PEM encoded public and private key files
into any location on the C4 CMTS.
3 Import the keys into the MIB tables for use during CCR soft-switches with
the following commands:
configure crypto key import public-key
{path}/{filename}
configure crypto key import private-key
{path}/{filename}
4 Use legacy FTP to upload the servers private key file.
C4 CMTS
Release 4.2, Standard ARRIS PROPRIETARY All Rights Reserved 15-19
Feature Dependencies No alarms are associated with the C4 CMTS SSH feature. No performance
monitoring is provided with the C4 CMTS SSH feature. No new hardware
is needed to support this feature. If the SSH server's host public/private
DSA key pair is not recovered after a system outage, then a new key pair
must be generated before the SSH server can be started.
Table 15-4: SSH Server Operating Parameters
Parameter CLI Command (config) Comment
TCP port ip ssh port <number> Default is port 22.
Session idle timeout
(minutes)
ip ssh idle-timeout <minutes>
Default is 0 (unlimited). Note well that CLI time is in minutes but SSH2
server time is in seconds.
Max SSH clients ip ssh max-clients <number> Default is 0 (unlimited).
Choice of cipher set (choose
any or all)
ip ssh ciphers [aes] [blowfish]
[cast] [arcfour] [3des]
Available ciphers are aes, blowfish, cast, arcfour, and 3des. Default
is all ciphers are available.
Allow/Disallow password
authentication
ip ssh password-auth
ip ssh no password-auth
Password authentication is allowed. If disallowed, any password
authentication from the client is rejected. If both password and public key
authentications are disallowed then all client authentication requests will
be rejected. Default is allowed.
Allow/Disallow user public
key authentication
ip ssh public-key-auth
ip ssh no public-key-auth
User public key authentication is allowed. If disallowed then any public
key authentication from the client is rejected. If both password and public
key authentications are disallowed then all client authentication requests
will be rejected. Default is allowed.
Require/Do Not Require
password authentication
ip ssh password-auth-req
ip ssh no password-auth-req
The server requires password authentication before a client is considered
logged in. password-auth must be allowed, otherwise this command has
no effect. If not required, the client can choose whether or not to use
password authentication. Default is not required.
Require/Do Not Require
public key authentication
ip ssh public-key-auth-req
ip ssh no public-key-auth-req
The server requires public key authentication before a client is considered
logged in. Public-key-auth must be allowed, otherwise this command has
no effect. If not required, the client can choose whether or not to use
public key authentication. Default is not required.
Require/Do Not Require
public key authentication
first
ip ssh public-key-auth-first
ip ssh no public-key-auth-first
If both password and public key authentications are required, this
command requires public key authentication to be performed first. If it is
not required then the client can choose in which order to authenticate.
Default is Not Required.
Max number of client
authentication failure
ip ssh max-auth-fail <number>
Server rejects a client authentication if the number of failed
authentication attempt exceeds this number. This counter is for both
public key and password authentication failures. Default is 3.
Allow/Disallow secure CLI
login sessions
ip ssh login
ip ssh no login
Secure CLI login sessions are allowed. If disallowed, then no CLI sessions
are available. Default is allowed.
Allow/Disallow secure port
forwarding
ip ssh port-forwarding
ip ssh no port-forwarding
Port forwarding is allowed. If disallowed, then no port forwarding is
available. Default is allowed.
Allow/Disallow legacy Telnet
connections
ip telnet
ip no telnet
Legacy Telnet sessions on port 23 are allowed. If disallowed, port 23 is
closed and Telnet connection requests are rejected. This command takes
effect immediately. Default is allowed.
Allow/Disallow legacy FTP
connections
ip ftp
ip no ftp
Legacy FTP control connections on port 21 are allowed. If disallowed,
port 21 is closed and FTP control connection requests are rejected. This
command takes effect immediately. Default is allowed.
15-20 ARRIS PROPRIETARY All Rights Reserved 07/05/05
15 Authentication, Authorization, and Accounting (AAA)
NOTE
If the TACACS server is configured for enable authorization, the user will
have the configure privilege level upon logging in.
Also, if a Control Complex failover or switchover occurs, the SSH console
sessions will be lost and must be reestablished.
SSH Server Host Key
Generation Commands
These commands are used to manage the SSH servers host public/private
key pairs. The SSH2 server requires a DSA format key pair. The DSA host
private keys are maintained in the C4 CMTS file system and are accessible
to privileged users only.
SSH Server Configuration
Commands
These commands set the parameters for the SSH server the next time it
runs. If the server is already running, then restart the server with
configure ip ssh restart.
Table 15-5: CLI Commands for Generating SSH Server Host Key
CLI Command Description
configure crypto key generate dsa
Generate the host private/public key pair for the C4 CMTS SSH server. Specify dsa format
for the SSH2 server.
When this command completes, the host public key is copied to file /ssh/id_dsa.pub. The
DSA host public key may be distributed to clients before an SSH session is started. To
maintain security, the host private key should never be copied off the C4 CMTS.
Note well that this command does not start the C4 CMTS SSH server daemon process (see
CLI command configure ip ssh no shutdown). Also, the SSH servers host public/private
key pair(s) must be created before the SSH server is started. This means the DSA key pair
must be created for the SSH2 server. This command does not appear in the show running
config command output.
Prerequisites: the C4 CMTS hostname and domain name SHOULD be set before using this
command (see configure hostname and configure ip dns domain-name). The string
hostname@domain.name will embedded as a comment in the generated key pair(s). A
warning will be issued if the DNS domain name is not set.
configure crypto key zeroize dsa
Delete the SSH servers host public/private key pair(s). This command also removes the
public key copy in /ssh/id_dsa.pub .
If the SSH2 server is running and the DSA key pair is deleted, the server will terminate
immediately.
Prerequisites: it is desirable to use the configure ip ssh shutdown command to stop
the SSH server before deleting any of its host key pairs.
show ssh host public-key dsa
Displays the SSH servers host public key. Specify dsa format. This could be used to cut and
paste the public key into an SSH client via a terminal session. DSA public keys are for SSH2
clients
Note that the SSH servers host public keys are also available for download at
/ssh/id_dsa.pub .
configure ip dns domain-name <name>
Sets the domain name for this C4 CMTS. This command provides optional information for
host key generation. See configure crypto key generate.
C4 CMTS
Release 4.2, Standard ARRIS PROPRIETARY All Rights Reserved 15-21
Table 15-6: CLI Commands for SSH Server Configuration
CLI Command SSH2 Server Parameter Comment
configure ip ssh port <number> TCP port Default is port 22.
configure ip ssh idle-timeout
<minutes>
Session idle timeout
Default is 0 (unlimited). Note well that CLI time is in minutes but
SSH2 server time is in seconds.
configure ip ssh max-clients
<number>
Max SSH clients Default is 0 (unlimited).
configure ip ssh ciphers [aes]
[blowfish] [cast] [arcfour] [3des]
Choice of cipher set (choose
any or all)
Available ciphers are aes, blowfish, cast, arcfour, and 3des.
Default is all ciphers are available.
configure ip ssh [no] password-auth
Allow/Disallow password
authentication
Password authentication is allowed. If disallowed, then any
password authentication from the client is rejected. If both
password and public key authentications are disallowed then all
client authentication requests will be rejected. Default is allowed.
configure ip ssh [no]
password-auth-req
Require/Do Not Require
password authentication
The server requires password authentication before a client is
considered logged in. password-auth must be allowed, otherwise
this command has no effect. If not required, the client can choose
whether or not to use password authentication. Default is not
required.
configure ip ssh [no] public-key-auth
Allow/Disallow user public
key authentication
User public key authentication is allowed. If disallowed then. any
public key authentication from the client is rejected. If both
password and public key authentications are disallowed then all
client authentication requests will be rejected. Default is allowed.
configure ip ssh [no]
public-key-auth-req
Require/Do Not Require
public key authentication
The server requires public key authentication before a client is
considered logged in. public-key-auth must be allowed, otherwise
this command has no effect. If not required, the client can choose
whether or not to use public key authentication. Default is not
required.
configure ip ssh [no]
public-key-auth-first
Require/Do Not Require
public key authentication
first
If both password and public key authentications are required, this
command requires public key authentication to be performed first.
If it is not required then the client can choose in which order to
authenticate. Default is Not Required.
configure ip ssh max-auth-fail
<number>
Max number of client
authentication failures
Server rejects a client authentication if the number of failed
authentication attempt exceeds this number. This counter is for
both public key and password authentication failures. Default is 3.
configure ip ssh [no] login
Allow/Disallow CLI login
sessions
CLI login sessions are allowed. If disallowed, then no CLI access is
available. Default is allowed.
configure ip ssh [no] port-forwarding
Allow/Disallow secure port
forwarding
Port forwarding is allowed. If disallowed, then no port forwarding is
available. Default is allowed.
configure ip [no] telnet
Allow/Disallow legacy Telnet
connections
Legacy Telnet sessions on port 23 are allowed. If disallowed, port
23 is closed and Telnet connection requests are rejected. Default is
allowed.
configure ip [no] ftp
Allow/Disallow legacy FTP
connections
Legacy FTP control connections on port 21 are allowed. If
disallowed, port 21 is closed and FTP control connection requests
are rejected. Default is allowed.
15-22 ARRIS PROPRIETARY All Rights Reserved 07/05/05
15 Authentication, Authorization, and Accounting (AAA)
SSH Server Operation and
Maintenance Commands
These commands start, stop, and monitor the C4 CMTS SSH server and its
running sessions.
In-Band Management with ACLs
Introduction The Cadant C4 CMTS offers enhanced network management with
controlled access to the SCM via standard Access Control Lists (ACLs) for
CMTS administrators. This feature provides:
IP connectivity to the SCM through the client cards (NAM and CAM)
The ability to permit or deny access to the SCM via the client cards
from specified subnet or host addresses.
Table 15-7: CLI Commands for SSH Server Operation and Maintenance
Command Description
configure ip ssh no shutdown
Starts the SSH servers daemon process ipssh. This command will fail if the SSH2 servers
DSA host key pair is not available.
configure ip ssh shutdown
Stops the SSH servers daemon process ipssh. All active SSH sessions are killed.
Use the configure disconnect ssh command to terminate individual running SSH
sessions.
configure ip ssh restart
Stops the SSH servers demon process, kills all SSH sessions, and automatically restarts the
SSH daemon process. May be used to restart the SSH server from within an SSH session
(which will be killed). This is the equivalent of configure ip ssh shutdown followed by
configure ip ssh no shutdown.
show ip ssh
View all running SSH sessions. This command displays the connection id, the user id, the
client IP address), Authentication method (password or public key), encryption algorithm,
MAC algorithm, and the client software version.
show ip ssh config
View the SSH2 server operating parameters. This command displays the settings for the
bind address, port number, idle time, max clients, max shells, supported encryption and
MAC algorithms, service terminal, port forwarding, password allowed, password required,
public key allowed, public key required, public key first, and max number of authentication
failures.
configure disconnect ip ssh <connection id> Kills a running SSH session identified by connection id.