Remote access

From VyOS Wiki

SSH

Enabling SSH

Enabling SSH only requires you to set service ssh port NN, where 'NN' is the port you want SSH to listen on. By default, SSH runs on port 22. Moving it to another port hides it only from the most casual scans, so restrict who can reach the service with listen-address and firewall rules rather than relying on the port number.

vyos@example.com# set service ssh port 22
[edit]
vyos@example.com# commit
[edit]
vyos@example.com# save
Saving configuration to '/config/config.boot'...
Done
[edit]
vyos@example.com#

Listening address

Specify the IPv4 address on which the SSH service accepts connection requests; without it the service listens on every address of the system. Multiple listen-address nodes can be defined, so the usual practice is to list only the management addresses.

set service ssh listen-address <IPv4>

SSH key Authentication

It is highly recommended to use SSH Key authentication. By default there is only one user (vyos), and you can assign any number of keys to that user.

You can generate an SSH key pair with the ssh-keygen command on your local machine. By default it writes the private key to ~/.ssh/id_rsa (keep it on your workstation; it never goes onto the router) and the public key to ~/.ssh/id_rsa.pub, which is a single line in three parts:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAfzTZHsOBZTkqSgNmQnW2O7K7sF4TeGWfq...VByBD5lKwEWB username@host.example.com

Only the type (ssh-rsa) and the key (AAAAB3N...) are used. Note that the key will usually be several hundred characters long, and you will need to copy and paste it. Some terminal emulators may split it over several lines when you copy it. Check that it pastes as a single line, with no spaces or line breaks inside the key; a key that has been split will simply fail to authenticate.

The third part is simply an identifier, and is for your own reference.

Assign SSH Key to user

Under the user (in this example, 'vyos'), add the public key and the type. The 'identifier' is simply a string that is relevant to you.

set system login user vyos authentication public-keys identifier key "AAAAB3Nz...."
set system login user vyos authentication public-keys identifier type ssh-rsa
commit
save

You can assign multiple keys to the same user by changing the identifier. In the following example, both Unicron and xrobau will be able to SSH into VyOS as the 'vyos' user using their own keys.

set system login user vyos authentication public-keys unicron key "AAAAB3Nz...."
set system login user vyos authentication public-keys unicron type ssh-rsa
set system login user vyos authentication public-keys xrobau key "AAAAQ39x...."
set system login user vyos authentication public-keys xrobau type ssh-rsa
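As an added example (not from the VyOS wiki or project), the following POSIX shell script does the copy-and-paste step above mechanically: it reads a public key line as written by ssh-keygen, joins any line breaks a terminal may have inserted, checks that the base64 blob really decodes to a key of the declared type, and prints the two set commands for a chosen user and identifier. The user name, the identifier 'laptop', the constructed sample key material and the acceptance of ssh-ed25519 alongside ssh-rsa are assumptions of the example (ssh-ed25519 needs a VyOS release whose public-keys type node offers it).

```shell
#!/bin/sh
# Added example, not VyOS project code: turn an OpenSSH public key line
# (the contents of ~/.ssh/id_ed25519.pub or ~/.ssh/id_rsa.pub) into the
# VyOS 'set system login user ... public-keys ...' commands, checking the
# key first so that a wrapped or mangled paste is caught before 'commit'.

# Constructed sample public key: dummy key material, not a real key.
SAMPLE_B64='AAAAC3NzaC1lZDI1NTE5AAAAIAAAABCDABCDABCDABCDABCDABCDABCDABCDABCDABCD'
SAMPLE_PUBKEY="ssh-ed25519 $SAMPLE_B64 alice@laptop.example.com"

# Usage: vyos_pubkey_cmds <vyos-user> <identifier> <public-key-line>
# Prints the two 'set' commands on success. Prints the reason to stderr
# and returns 1 if the input does not look like a usable public key.
vyos_pubkey_cmds() {
    user=$1; ident=$2; pubkey=$3

    # Line breaks are never part of a public key line, so removing them
    # repairs a blob that a terminal wrapped; then squeeze the spacing.
    joined=$(printf '%s' "$pubkey" | tr -d '\r\n' | tr -s ' \t' ' ' | sed 's/^ //; s/ $//')
    type=${joined%% *}          # first field: key type
    rest=${joined#* }
    key=${rest%% *}             # second field: base64 blob (the comment, if any, is dropped)

    case $type in
        ssh-rsa|ssh-ed25519) ;; # types this example accepts (assumption)
        *) echo "unsupported or missing key type: '$type'" >&2; return 1 ;;
    esac

    # The blob must be valid base64 whose decoded form begins with a
    # length-prefixed copy of the type string, as OpenSSH keys do; a
    # mismatch means the paste was corrupted or the type is wrong.
    embedded=$(printf '%s' "$key" | base64 -d 2>/dev/null | tr -cd 'A-Za-z0-9-')
    case $embedded in
        "$type"*) ;;
        *) echo "key blob is not valid base64 for type $type" >&2; return 1 ;;
    esac

    # An ed25519 public key always decodes to exactly 51 bytes, so a lost
    # tail is detectable; RSA keys vary in length and are not checked here.
    if [ "$type" = ssh-ed25519 ]; then
        n=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
        [ "$n" -eq 51 ] || { echo "ed25519 blob is $n bytes, expected 51 (truncated?)" >&2; return 1; }
    fi

    printf 'set system login user %s authentication public-keys %s key "%s"\n' "$user" "$ident" "$key"
    printf 'set system login user %s authentication public-keys %s type %s\n' "$user" "$ident" "$type"
}

# Demonstration on the constructed sample key.
vyos_pubkey_cmds vyos laptop "$SAMPLE_PUBKEY"
```

Run it against your own file, for example vyos_pubkey_cmds vyos laptop "$(cat ~/.ssh/id_ed25519.pub)", and paste the printed lines into configure mode. The length check is exact for ed25519 because that key size is fixed; an RSA key that lost its tail passes the checks here and only fails at login, so test a key login before you disable password authentication.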

Additional config options

Allow root login

This can be set to allow root logins over SSH, but it is not advisable: root is the first account any password-guessing attempt targets, and actions taken as root cannot be traced to an individual administrator. The default system user possesses all required privileges.

set service ssh allow-root

Allowed ciphers

A restricted set of allowed ciphers can be specified as a comma-separated list. The CBC-mode ciphers, arcfour (RC4) and 3des-cbc on the list below are legacy algorithms that current OpenSSH releases no longer enable by default; prefer the aes*-ctr ciphers, and make sure every client you administer from supports whatever you select, or the next login will fail.

set service ssh ciphers <cipher>

Available ciphers:

  • 3des-cbc
  • aes128-cbc
  • aes192-cbc
  • aes256-cbc
  • aes128-ctr
  • aes192-ctr
  • aes256-ctr
  • arcfour128
  • arcfour256
  • arcfour
  • blowfish-cbc
  • cast128-cbc

Disable password authentication

If SSH key authentication is set up and you have verified that a key login works, password-based user authentication can be disabled. Do this from a second session so that a mistake does not lock you out.

set service ssh disable-password-authentication

Disable host validation

Disable the reverse DNS lookup the SSH service performs on each connecting client address (OpenSSH's UseDNS option). This speeds up logins when the client address has no PTR record or DNS is unreachable; it has no effect on key or password checks.

set service ssh disable-host-validation

MAC algorithms

Specifies the MAC (message authentication code) algorithms the server will negotiate. The MAC protects the integrity of each packet in protocol version 2. Multiple algorithms must be comma-separated. The hmac-md5*, hmac-ripemd160* and truncated -96 variants below are weak; the -etm (encrypt-then-MAC) variants of the SHA-2 and UMAC-128 algorithms are the ones to prefer.

set service ssh macs <macs>

Supported MACs:

  • hmac-md5
  • hmac-md5-96
  • hmac-ripemd160
  • hmac-sha1
  • hmac-sha1-96
  • hmac-sha2-256
  • hmac-sha2-512
  • umac-64@openssh.com
  • umac-128@openssh.com
  • hmac-md5-etm@openssh.com
  • hmac-md5-96-etm@openssh.com
  • hmac-ripemd160-etm@openssh.com
  • hmac-sha1-etm@openssh.com
  • hmac-sha1-96-etm@openssh.com
  • hmac-sha2-256-etm@openssh.com
  • hmac-sha2-512-etm@openssh.com
  • umac-64-etm@openssh.com
  • umac-128-etm@openssh.com

Default:

umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1
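As an added example (not VyOS project code), this POSIX shell script combines the cipher, MAC and password-authentication options above into one hardened policy and guards against the most common mistake with them: restricting the server to algorithms your own SSH client does not offer, which locks you out at the next login. It keeps, from the VyOS lists above, only the algorithms that pass a strict policy and that the client also supports. The policy itself (no CBC, RC4, MD5, RIPEMD-160, SHA-1 or 64-bit tags), the constructed client lists, the placeholder listen address 192.0.2.1 and the exact set of commands emitted are this example's assumptions.

```shell
#!/bin/sh
# Added example, not VyOS project code: build a hardened 'service ssh'
# configuration from the cipher and MAC lists above, keeping only algorithms
# that are both strong and supported by the client you administer from, so
# that committing the policy cannot lock you out.

# Algorithms the VyOS 'service ssh ciphers' / 'macs' nodes accept (from the
# lists above), in the page's order.
VYOS_CIPHERS='3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr arcfour128 arcfour256 arcfour blowfish-cbc cast128-cbc'
VYOS_MACS='hmac-md5 hmac-md5-96 hmac-ripemd160 hmac-sha1 hmac-sha1-96 hmac-sha2-256 hmac-sha2-512 umac-64@openssh.com umac-128@openssh.com hmac-md5-etm@openssh.com hmac-md5-96-etm@openssh.com hmac-ripemd160-etm@openssh.com hmac-sha1-etm@openssh.com hmac-sha1-96-etm@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com umac-64-etm@openssh.com umac-128-etm@openssh.com'

# Policy of this example (an assumption, not VyOS's): refuse CBC modes,
# RC4 (arcfour), MD5, RIPEMD-160, SHA-1 and 64-bit authentication tags.
is_weak() {
    case $1 in
        *-cbc|arcfour*|*md5*|*ripemd160*|*sha1*|umac-64*) return 0 ;;
    esac
    return 1
}

# Usage: pick_strong "<vyos list>" "<client list>"   (both space-separated)
# Prints, comma-separated and in VyOS list order, the algorithms that pass
# the policy and that the client also offers.
pick_strong() {
    out=
    for alg in $1; do
        is_weak "$alg" && continue
        for c in $2; do
            if [ "$c" = "$alg" ]; then out="${out:+$out,}$alg"; break; fi
        done
    done
    printf '%s' "$out"
}

# Usage: vyos_ssh_hardening_cmds "<client ciphers>" "<client macs>" <listen-ipv4>
# Prints the configure-mode commands, or prints nothing and returns 1 if the
# client would be unable to negotiate a cipher or MAC after the change.
vyos_ssh_hardening_cmds() {
    ciphers=$(pick_strong "$VYOS_CIPHERS" "$1")
    macs=$(pick_strong "$VYOS_MACS" "$2")
    if [ -z "$ciphers" ] || [ -z "$macs" ]; then
        echo "refusing: client shares no strong cipher or MAC with the policy; this would lock you out" >&2
        return 1
    fi
    printf 'set service ssh listen-address %s\n' "$3"
    printf 'set service ssh disable-password-authentication\n'
    printf 'set service ssh ciphers %s\n' "$ciphers"
    printf 'set service ssh macs %s\n' "$macs"
}

# Demonstration with constructed client lists; on a real workstation pass
# "$(ssh -Q cipher)" and "$(ssh -Q mac)". 192.0.2.1 is a placeholder address.
vyos_ssh_hardening_cmds \
    'aes128-ctr aes256-gcm@openssh.com chacha20-poly1305@openssh.com 3des-cbc' \
    'umac-64@openssh.com umac-128-etm@openssh.com hmac-sha2-256 hmac-sha1 hmac-md5' \
    192.0.2.1
```

Feed it the output of ssh -Q cipher and ssh -Q mac from every workstation that needs access (the intersection of all of them), apply the commands from a second session, and only disconnect the first one after a fresh login succeeds. The disable-password-authentication line belongs in the commit only after a key login has been tested.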

Telnet

Enabling Telnet access

Accept Telnet connections, default port 23. Telnet carries the login credentials and the whole session in cleartext, so anyone on the network path can read it or inject into it; use SSH instead wherever possible, and if Telnet must be enabled, bind it to a management address with listen-address and restrict it with firewall rules.

set service telnet

Listening address

Specify the IPv4 address used to accept Telnet connections. Multiple listen-address nodes can be configured.

set service telnet listen-address <IPv4>

Port

Specify the port used for Telnet connections. Available port range is 1...65534.

set service telnet port <port>

Allow root

Allow root logins. This poses a security risk (root credentials sent over a cleartext protocol) and is strongly discouraged.

set service telnet allow-root

Create Telnet session to a remote host

telnet <address>