Release 4.2, Standard ARRIS PROPRIETARY All Rights Reserved 15-17
Procedure 15-1 Setting up SSH on the C4 CMTS

1 Create the directory /system/sec/ssh/server
2 Execute the command: configure crypto key generate dsa
3 Execute the command: configure ip ssh no shutdown
4 Execute the command: configure ip ssh restart

End of procedure

Procedure 15-2 PuTTY, SSH, Public Key Authentication

Follow this procedure if you wish to connect securely to the C4 CMTS using PuTTY and SSH with public key authentication:

1 Telnet to a Unix machine which is configured with the OpenSSL crypto and ssh-keygen utilities.
  login: serial
  pwd: serial
2 Execute the command: ssh-keygen -t dsa -f id_dsa.pem
  The file id_dsa.pem will be the private key file. If id_dsa.pem already exists, overwrite it.
3 You will be prompted for a pass phrase. If you want to be prompted for this pass phrase when you authenticate to the C4 CMTS, enter one. If not, you can hit enter twice. The pass phrase is the SSH password; it must be at least 4 characters long.
4 Execute the command: openssl dsa -in id_dsa.pem -outform PEM -pubout -out <username>.pem
  Replace <username> with the desired username, for example, C4. If you entered a pass phrase when the key was created, you will be prompted to enter it again.

15-18 ARRIS PROPRIETARY All Rights Reserved 07/05/05
15 Authentication, Authorization, and Accounting (AAA)

5 A file will be created called "<username>.pem". This is this user's public key file and must be FTP'd to the C4 CMTS running SSH. Place the file in /system/sec/ssh/user. You may have to create the /user directory.
6 At the C4 CMTS, restart the SSH server: configure ip ssh restart
7 From your PC, run PuTTYgen. PuTTYgen can be downloaded from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
8 On the menu bar select Conversions --> Import key. Open the private key file you created above called id_dsa.pem. If you entered a pass phrase when the key was created you will be prompted to enter it again.
9 Click the "Save private key" button to save the private key file with a ".ppk" extension; call it <username>.ppk or something that correlates it with the username you entered above. This is PuTTY's private key file format and is different from OpenSSH and ssh.com (IETF SECSH).
10 From your PC, open PuTTY. Create a profile for connecting to the SSH server. On the left side of the PuTTY window you will see a pane called Category. Select Connection --> SSH --> Auth, and in "Private key file for authentication" browse to the private key file (the .ppk file you converted with PuTTYgen). Go back to 'Sessions'. Enter the IP address, SSH, Name of 'Saved Session' file and save your profile.
11 Connect to the C4. Login with <username>, whatever filename you called the .pem public key file you FTP'd to the C4 CMTS. If you entered a pass phrase you will be prompted to enter this as well. Proceed to login to the C4 CMTS in the same way as with telnet.

End of procedure

Storing Server Private Keys

To store a private key to the Cadant C4 CMTS follow these steps:

1 Only a DER-encoded key is supported by the C4 CMTS. OpenSSH and SSH2/IETF key formats are not supported in software release 4.2. DER-encoded keys must be in PEM format.
2 Upload the server's DSA format PEM encoded public and private key files into any location on the C4 CMTS.
3 Import the keys into the MIB tables for use during CCR soft-switches with the following commands:
  configure crypto key import public-key {path}/(unknown)
  configure crypto key import private-key {path}/(unknown)
4 Use legacy FTP to upload the server's private key file.

Feature Dependencies

No alarms are associated with the C4 CMTS SSH feature. No performance monitoring is provided with the C4 CMTS SSH feature. No new hardware is needed to support this feature.
If the SSH server's host public/private DSA key pair is not recovered after a system outage, then a new key pair must be generated before the SSH server can be started.

Table 15-4: SSH Server Operating Parameters (CLI commands are entered in config mode)

TCP port
    Command: ip ssh port <number>
    Default is port 22.

Session idle timeout (minutes)
    Command: ip ssh idle-timeout <minutes>
    Default is 0 (unlimited). Note well that CLI time is in minutes but SSH2 server time is in seconds.

Max SSH clients
    Command: ip ssh max-clients <number>
    Default is 0 (unlimited).

Choice of cipher set (choose any or all)
    Command: ip ssh ciphers [aes] [blowfish] [cast] [arcfour] [3des]
    Available ciphers are aes, blowfish, cast, arcfour, and 3des. Default is all ciphers are available.

Allow/Disallow password authentication
    Commands: ip ssh password-auth / ip ssh no password-auth
    Password authentication is allowed. If disallowed, any password authentication from the client is rejected. If both password and public key authentications are disallowed then all client authentication requests will be rejected. Default is allowed.

Allow/Disallow user public key authentication
    Commands: ip ssh public-key-auth / ip ssh no public-key-auth
    User public key authentication is allowed. If disallowed then any public key authentication from the client is rejected. If both password and public key authentications are disallowed then all client authentication requests will be rejected. Default is allowed.

Require/Do Not Require password authentication
    Commands: ip ssh password-auth-req / ip ssh no password-auth-req
    The server requires password authentication before a client is considered logged in. password-auth must be allowed, otherwise this command has no effect. If not required, the client can choose whether or not to use password authentication. Default is not required.

Require/Do Not Require public key authentication
    Commands: ip ssh public-key-auth-req / ip ssh no public-key-auth-req
    The server requires public key authentication before a client is considered logged in. public-key-auth must be allowed, otherwise this command has no effect. If not required, the client can choose whether or not to use public key authentication. Default is not required.

Require/Do Not Require public key authentication first
    Commands: ip ssh public-key-auth-first / ip ssh no public-key-auth-first
    If both password and public key authentications are required, this command requires public key authentication to be performed first. If it is not required then the client can choose in which order to authenticate. Default is not required.

Max number of client authentication failures
    Command: ip ssh max-auth-fail <number>
    Server rejects a client authentication if the number of failed authentication attempts exceeds this number. This counter is for both public key and password authentication failures. Default is 3.

Allow/Disallow secure CLI login sessions
    Commands: ip ssh login / ip ssh no login
    Secure CLI login sessions are allowed. If disallowed, then no CLI sessions are available. Default is allowed.

Allow/Disallow secure port forwarding
    Commands: ip ssh port-forwarding / ip ssh no port-forwarding
    Port forwarding is allowed. If disallowed, then no port forwarding is available. Default is allowed.

Allow/Disallow legacy Telnet connections
    Commands: ip telnet / ip no telnet
    Legacy Telnet sessions on port 23 are allowed. If disallowed, port 23 is closed and Telnet connection requests are rejected. This command takes effect immediately. Default is allowed.

Allow/Disallow legacy FTP connections
    Commands: ip ftp / ip no ftp
    Legacy FTP control connections on port 21 are allowed. If disallowed, port 21 is closed and FTP control connection requests are rejected. This command takes effect immediately. Default is allowed.

NOTE: If the TACACS server is configured for enable authorization, the user will have the configure privilege level upon logging in.
Also, if a Control Complex failover or switchover occurs, the SSH console sessions will be lost and must be reestablished.

SSH Server Host Key Generation Commands

These commands are used to manage the SSH server's host public/private key pairs. The SSH2 server requires a DSA format key pair. The DSA host private keys are maintained in the C4 CMTS file system and are accessible to privileged users only.

SSH Server Configuration Commands

These commands set the parameters for the SSH server the next time it runs. If the server is already running, then restart the server with configure ip ssh restart.

Table 15-5: CLI Commands for Generating SSH Server Host Key

configure crypto key generate dsa
    Generate the host private/public key pair for the C4 CMTS SSH server. Specify dsa format for the SSH2 server. When this command completes, the host public key is copied to file /ssh/id_dsa.pub. The DSA host public key may be distributed to clients before an SSH session is started. To maintain security, the host private key should never be copied off the C4 CMTS.
    Note well that this command does not start the C4 CMTS SSH server daemon process (see CLI command configure ip ssh no shutdown). Also, the SSH server's host public/private key pair(s) must be created before the SSH server is started. This means the DSA key pair must be created for the SSH2 server. This command does not appear in the show running config command output.
    Prerequisites: the C4 CMTS hostname and domain name SHOULD be set before using this command (see configure hostname and configure ip dns domain-name). The string hostname@domain.name will be embedded as a comment in the generated key pair(s). A warning will be issued if the DNS domain name is not set.

configure crypto key zeroize dsa
    Delete the SSH server's host public/private key pair(s). This command also removes the public key copy in /ssh/id_dsa.pub. If the SSH2 server is running and the DSA key pair is deleted, the server will terminate immediately.
    Prerequisites: it is desirable to use the configure ip ssh shutdown command to stop the SSH server before deleting any of its host key pairs.

show ssh host public-key dsa
    Displays the SSH server's host public key. Specify dsa format. This could be used to cut and paste the public key into an SSH client via a terminal session. DSA public keys are for SSH2 clients. Note that the SSH server's host public keys are also available for download at /ssh/id_dsa.pub.

configure ip dns domain-name <name>
    Sets the domain name for this C4 CMTS. This command provides optional information for host key generation. See configure crypto key generate.

Table 15-6: CLI Commands for SSH Server Configuration

configure ip ssh port <number>
    SSH2 server parameter: TCP port
    Comment: Default is port 22.

configure ip ssh idle-timeout <minutes>
    SSH2 server parameter: Session idle timeout
    Comment: Default is 0 (unlimited). Note well that CLI time is in minutes but SSH2 server time is in seconds.

configure ip ssh max-clients <number>
    SSH2 server parameter: Max SSH clients
    Comment: Default is 0 (unlimited).

configure ip ssh ciphers [aes] [blowfish] [cast] [arcfour] [3des]
    SSH2 server parameter: Choice of cipher set (choose any or all)
    Comment: Available ciphers are aes, blowfish, cast, arcfour, and 3des. Default is all ciphers are available.

configure ip ssh [no] password-auth
    SSH2 server parameter: Allow/Disallow password authentication
    Comment: Password authentication is allowed. If disallowed, then any password authentication from the client is rejected. If both password and public key authentications are disallowed then all client authentication requests will be rejected. Default is allowed.

configure ip ssh [no] password-auth-req
    SSH2 server parameter: Require/Do Not Require password authentication
    Comment: The server requires password authentication before a client is considered logged in. password-auth must be allowed, otherwise this command has no effect.
    If not required, the client can choose whether or not to use password authentication. Default is not required.

configure ip ssh [no] public-key-auth
    SSH2 server parameter: Allow/Disallow user public key authentication
    Comment: User public key authentication is allowed. If disallowed, then any public key authentication from the client is rejected. If both password and public key authentications are disallowed then all client authentication requests will be rejected. Default is allowed.

configure ip ssh [no] public-key-auth-req
    SSH2 server parameter: Require/Do Not Require public key authentication
    Comment: The server requires public key authentication before a client is considered logged in. public-key-auth must be allowed, otherwise this command has no effect. If not required, the client can choose whether or not to use public key authentication. Default is not required.

configure ip ssh [no] public-key-auth-first
    SSH2 server parameter: Require/Do Not Require public key authentication first
    Comment: If both password and public key authentications are required, this command requires public key authentication to be performed first. If it is not required then the client can choose in which order to authenticate. Default is not required.

configure ip ssh max-auth-fail <number>
    SSH2 server parameter: Max number of client authentication failures
    Comment: Server rejects a client authentication if the number of failed authentication attempts exceeds this number. This counter is for both public key and password authentication failures. Default is 3.

configure ip ssh [no] login
    SSH2 server parameter: Allow/Disallow CLI login sessions
    Comment: CLI login sessions are allowed. If disallowed, then no CLI access is available. Default is allowed.

configure ip ssh [no] port-forwarding
    SSH2 server parameter: Allow/Disallow secure port forwarding
    Comment: Port forwarding is allowed. If disallowed, then no port forwarding is available. Default is allowed.

configure ip [no] telnet
    SSH2 server parameter: Allow/Disallow legacy Telnet connections
    Comment: Legacy Telnet sessions on port 23 are allowed. If disallowed, port 23 is closed and Telnet connection requests are rejected. Default is allowed.

configure ip [no] ftp
    SSH2 server parameter: Allow/Disallow legacy FTP connections
    Comment: Legacy FTP control connections on port 21 are allowed. If disallowed, port 21 is closed and FTP control connection requests are rejected. Default is allowed.

SSH Server Operation and Maintenance Commands

These commands start, stop, and monitor the C4 CMTS SSH server and its running sessions.

In-Band Management with ACLs

Introduction

The Cadant C4 CMTS offers enhanced network management with controlled access to the SCM via standard Access Control Lists (ACLs) for CMTS administrators. This feature provides:
- IP connectivity to the SCM through the client cards (NAM and CAM)
- The ability to permit or deny access to the SCM via the client cards from specified subnet or host addresses.

Table 15-7: CLI Commands for SSH Server Operation and Maintenance

configure ip ssh no shutdown
    Starts the SSH server's daemon process ipssh. This command will fail if the SSH2 server's DSA host key pair is not available.

configure ip ssh shutdown
    Stops the SSH server's daemon process ipssh. All active SSH sessions are killed. Use the configure disconnect ssh command to terminate individual running SSH sessions.

configure ip ssh restart
    Stops the SSH server's daemon process, kills all SSH sessions, and automatically restarts the SSH daemon process. May be used to restart the SSH server from within an SSH session (which will be killed). This is the equivalent of configure ip ssh shutdown followed by configure ip ssh no shutdown.

show ip ssh
    View all running SSH sessions. This command displays the connection id, the user id, the client IP address, authentication method (password or public key), encryption algorithm, MAC algorithm, and the client software version.

show ip ssh config
    View the SSH2 server operating parameters. This command displays the settings for the bind address, port number, idle time, max clients, max shells, supported encryption and MAC algorithms, service terminal, port forwarding, password allowed, password required, public key allowed, public key required, public key first, and max number of authentication failures.

configure disconnect ip ssh <connection id>
    Kills a running SSH session identified by connection id.
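Tables 15-4 and 15-6 spell out how the authentication settings interact (a *-auth-req setting has no effect unless the matching *-auth is allowed, and disallowing both methods rejects every client) but give no way to check a running configuration against them. The following Python helper is an added example, not ARRIS code: it assumes the settings reported by show ip ssh config have already been parsed into a dict with constructed key names, and the classification of the non-AES ciphers as legacy and the 10-minute idle timeout it proposes are assumptions, not values from the manual.

```python
# Added example, not ARRIS code: check a C4 CMTS SSH server configuration against
# the parameters and defaults of Tables 15-4/15-6 and list the CLI commands that
# would harden it. The input dict is a constructed, assumed representation of what
# "show ip ssh config" reports; the page does not document the real output format.

# Defaults as stated in Table 15-6 (0 means unlimited).
DEFAULTS = {
    "port": 22, "idle_timeout": 0, "max_clients": 0, "max_auth_fail": 3,
    "ciphers": ["aes", "blowfish", "cast", "arcfour", "3des"],
    "password_auth": True, "password_auth_req": False,
    "public_key_auth": True, "public_key_auth_req": False,
    "public_key_auth_first": False, "login": True, "port_forwarding": True,
    "telnet": True, "ftp": True,
}
# Assumption: of the five ciphers the table offers, only aes is treated as current.
LEGACY_CIPHERS = {"blowfish", "cast", "arcfour", "3des"}

def audit(cfg):
    """Return (findings, fixes) for cfg; unspecified keys take the table defaults."""
    c = {**DEFAULTS, **cfg}
    findings, fixes = [], []
    # Lockout: the table warns that disallowing both methods rejects every client.
    if not c["password_auth"] and not c["public_key_auth"]:
        findings.append("both auth methods disallowed: all client logins rejected")
        fixes.append("configure ip ssh public-key-auth")
    # A *-auth-req setting has no effect unless the matching *-auth is allowed.
    for m in ("password", "public_key"):
        if c[m + "_auth_req"] and not c[m + "_auth"]:
            findings.append(m + " auth required but not allowed: no effect")
    if c["password_auth"] and not c["public_key_auth_req"]:
        findings.append("password-only login possible")
        fixes.append("configure ip ssh public-key-auth-req")
    legacy = [x for x in c["ciphers"] if x in LEGACY_CIPHERS]
    if legacy:
        findings.append("legacy ciphers enabled: " + ", ".join(legacy))
        fixes.append("configure ip ssh ciphers aes")
    if c["idle_timeout"] == 0:
        findings.append("session idle timeout unlimited")
        fixes.append("configure ip ssh idle-timeout 10")  # CLI value is in minutes
    if c["port_forwarding"]:
        findings.append("port forwarding allowed")
        fixes.append("configure ip ssh no port-forwarding")
    if fixes:  # ip ssh settings take effect on the next server start (Table 15-6)
        fixes.append("configure ip ssh restart")
    for svc, port in (("telnet", 23), ("ftp", 21)):  # these close immediately
        if c[svc]:
            findings.append("legacy " + svc + " open on port " + str(port))
            fixes.append("configure ip no " + svc)
    return findings, fixes
```

Running audit({}) shows what a factory-default server exposes: password-only login, all five ciphers, no idle timeout, port forwarding, Telnet and FTP.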