Remote access
Latest revision as of 20:59, 3 July 2019

== SSH ==
=== Enabling SSH ===
Enabling SSH only requires you to set service ssh port NN, where 'NN' is the port you want SSH to listen on. By default, SSH runs on port 22.
vyos@vyos# set service ssh port 22
vyos@vyos# commit
vyos@vyos# save
Saving configuration to '/config/config.boot'...
Done
vyos@vyos#
Specify the IPv4 listening address for connection requests. Multiple listen-address nodes can be defined.
set service ssh listen-address <IPv4>
=== SSH key authentication ===
It is highly recommended to use SSH key authentication. By default there is only one user (vyos), and you can assign any number of keys to that user.
You can generate an SSH key pair with the ssh-keygen command on your local machine, which will (by default) save the public key as ~/.ssh/id_rsa.pub. That file consists of three parts:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAfzTZHsOBZTkqSgNmQnW2O7K7sF4TeGWfq...VByBD5lKwEWB email@example.com
Only the type (ssh-rsa) and the key (AAAAB3N...) are used. Note that the key will usually be several hundred characters long, and you will need to copy and paste it. Some terminal emulators may accidentally split this over several lines. Be attentive when you paste it that it only pastes as a single line.
The third part is simply an identifier, and is for your own reference.
=== Assign SSH key to user ===
Under the user (in this example, 'vyos'), add the public key and the type. The 'identifier' is simply a string that is relevant to you.
set system login user vyos authentication public-keys identifier key "AAAAB3Nz...."
set system login user vyos authentication public-keys identifier type ssh-rsa
commit
save
You can assign multiple keys to the same user by changing the identifier. In the following example, both Unicron and xrobau will be able to SSH into VyOS as the 'vyos' user using their own keys.
set system login user vyos authentication public-keys unicron key "AAAAB3Nz...."
set system login user vyos authentication public-keys unicron type ssh-rsa
set system login user vyos authentication public-keys xrobau key "AAAAQ39x...."
set system login user vyos authentication public-keys xrobau type ssh-rsa
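The following script is an added example and not part of the VyOS wiki: it turns the contents of an id_rsa.pub file into the two set commands above, rejoining a key that a terminal emulator has wrapped and checking that the base64 blob really belongs to the stated key type before anything is pasted into the router. The user name, identifier and sample key are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the VyOS wiki: build the "set system login user ..."
# commands shown above from an OpenSSH public key, checking the paste
# problems the text warns about. The sample key below is constructed.
# Usage: vyos_pubkey_cmds USER IDENTIFIER "$(cat ~/.ssh/id_rsa.pub)"

# Prints "<type> <key>" on success; exits non-zero if the key is unusable.
# Runs in a subshell so set -f and the temporaries stay local.
parse_pubkey() (
    set -f
    # Join line breaks a terminal emulator may have inserted inside the key
    # (assumes the break landed inside the key body, not at the space).
    line=$(printf '%s' "$1" | tr -d '\r\n')
    set -- $line
    type=$1 key=$2
    [ -n "$type" ] && [ -n "$key" ] || exit 1
    # Type names are like ssh-rsa or sk-ssh-ed25519@openssh.com.
    case $type in *[!A-Za-z0-9@.-]*) exit 1 ;; esac
    # The key is base64; anything outside that alphabet means a bad paste.
    case $key in *[!A-Za-z0-9+/=]*) exit 1 ;; esac
    # Inside the blob the first field is the length-prefixed type string, so
    # the base64 must start with the encoding of "\0\0\0<len><type>".
    # A prefix mismatch means the type and key do not belong together.
    prefix=$(printf "\\000\\000\\000\\$(printf '%03o' ${#type})%s" "$type" \
        | base64 | tr -d '=\n')
    case $key in "$prefix"*) ;; *) exit 1 ;; esac
    printf '%s %s\n' "$type" "$key"
)

# Emits the two VyOS set commands for USER and IDENTIFIER; the comment
# field of the key file is ignored, as the page notes.
vyos_pubkey_cmds() {
    parsed=$(parse_pubkey "$3") || { echo "unusable public key" >&2; return 1; }
    set -- "$1" "$2" $parsed
    printf 'set system login user %s authentication public-keys %s key "%s"\n' "$1" "$2" "$4"
    printf 'set system login user %s authentication public-keys %s type %s\n' "$1" "$2" "$3"
}

# Constructed sample (not a real key) in the three-part id_rsa.pub layout.
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAfzTZHsOBZTkqSgNmQnW2O7K7sF4TeGWfqEXAMPLE xrobau@laptop'
vyos_pubkey_cmds vyos xrobau "$SAMPLE_KEY"
```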
=== Additional config options ===
==== Allow root login ====
Can be set to allow root logins on SSH connections; however, it is not advisable to use this setting as it bears serious security risks. The default system user possesses all required privileges.
set service ssh allow-root
A number of allowed ciphers can be specified as a comma-separated list.
set service ssh ciphers <cipher>
==== Disable password authentication ====
If SSH key authentication is set up, password-based user authentication can be disabled.
set service ssh disable-password-authentication
==== Disable host validation ====
Disable the host validation through reverse DNS lookups.
set service ssh disable-host-validation
Specifies the available MAC (message authentication code) algorithms. The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms must be comma-separated.
set service ssh macs <macs>
umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1
== Telnet ==
=== Enabling Telnet access ===
Accept Telnet connections, default port 23.
set service telnet
Specify the IPv4 address used to accept Telnet connections. Multiple listen-address nodes can be configured.
set service telnet listen-address <IPv4>
Specify the port used for Telnet connections. Available port range is 1...65534.
set service telnet port <port>
Allow root logins. This may pose a security risk and is strongly discouraged.
set service telnet allow-root
=== Create Telnet session to a remote host ===