SSH
The SSH, or Secure Shell, protocol is a cryptographic network protocol, allowing secure remote login by establishing a secure channel between an SSH client and an SSH server. SSH can also be used to run CLI commands.
SSH uses host keys to uniquely identify each SSH server. Host keys are used for server authentication and identification. A secure unit permits users to create or delete RSA or DSA keys for the SSH2 protocol.
Note: Only SSH2 is supported due to vulnerabilities in the SSH1 protocol.
The SSH tools supported by NetClock are:
- SSH: Secure Shell
- SCP: Secure Copy
- SFTP: Secure File Transfer Protocol
NetClock implements the server components of SSH, SCP, and SFTP.
For more information on OpenSSH, please refer to www.openssh.org.
To configure SSH:
- Navigate to MANAGEMENT > NETWORK: SSH Setup. The SSH Setup window will display.
The window contains two tabs:
- Host Keys: SSH uses Host Keys to uniquely identify each SSH server. Host keys are used for server authentication and identification.
- Public Key: This is a text field interface that allows the user to edit the public key file, authorized_keys.
Note: Should you exit the SSH Setup window (by clicking X in the top right corner of the window, or by clicking anywhere outside of the window), while filling out the Certificate Request Parameters form before clicking Submit, any information you entered will be lost. When switching between tabs within the SSH Setup window, however, the information you have entered will be retained.
You may choose to delete individual RSA or DSA host keys. Should you delete either the RSA or the DSA key, SSH will still function, but that form of server authentication will not be available. Should you delete both the RSA and DSA keys, SSH will not function. In addition, if SSH host keys are being generated at the time of deletion, the key generation processes are stopped, any keys created will be deleted, and all key bit sizes are set to 0.
You may choose to delete existing keys and request the creation of new keys, but it is often simpler to make these requests separately.
You can create individual RSA and DSA Host Public/Private Key pairs. Host keys must first be deleted before new Host Keys can be created.
NetClock units have their initial host keys created at the factory. RSA host key sizes can vary between 768 and 4096 bits. The recommended key size is 1024. Though many key sizes are supported, it is recommended that users select key sizes that are powers of 2 or divisible by 2. The most popular sizes are 768, 1024, and 2048. Large key sizes of up to 4096 are supported, but may take 10 minutes or more to generate. DSA key size support is limited to 1024 bits.
Host keys are generated in the background. Creating RSA and DSA keys, each 1024 bits long, typically takes about 30 seconds. Keys are created in the order of RSA, DSA, RSA. Once the keys are created, you can successfully make SSH client connections. If the unit is rebooted with host key creation in progress, or the unit is booted and no host keys exist, the key generation process is restarted. The key generation process uses the previously specified key sizes or, if a key size is undefined, the default key bit length of 2048. A key with a zero length or blank key size field is not created.
The SSH client utilities SSH, SCP, and SFTP allow for several modes of user authentication. SSH allows you to remotely login or transfer files by identifying your account and the target machine's IP address. As a user you can authenticate yourself by using your account password, or by using a Public Private Key Pair.
It is advisable to keep your private key secret within your workstation or network user account, and provide the NetClock a copy of your public key. The modes of authentication supported include:
- Either Public Key with Passphrase or Login Account Password
- Login Account Password only
- Public Key with Passphrase only
SSH using public/private key authentication is the most secure authenticating method for SSH, SCP or SFTP sessions.
You are required to create private and public key pairs on your workstation or within a private area in your network account. These keys may be RSA or DSA and may be any key bit length supported by the SSH client tool. These public keys are stored in a file in the .ssh directory named authorized_keys. The file is to be formatted such that the key is followed by an optional comment, with only one key per line.
Note: The file format, line terminations, and other EOL or EOF characters should correspond to UNIX conventions, not Windows.
You may change the key length of the RSA, DSA, ECDSA
To change the key length of a host key:
- Navigate to MANAGEMENT > NETWORK: SSH Setup. The SSH Setup window will open to the Host Keys tab by default.
- Select the Key Length value for the key type you want to change.
- Check the Regenerate All Keys box.
- Click Submit. The new values will be saved.
Key sizes that are powers of 2 or divisible by 2 are recommended. The most popular sizes are 768, 1024, and 2048. Large key sizes of up to 4096 are supported, but may take 10 minutes or more to generate. DSA key size support is limited to 1024 bits. The key type ED25519 supports 256 bits.
Note: Changing the values and submitting them in this manner DOES NOT generate new host public/private key pairs. See Creating Host Public/Private Key Pairs for information on how to create new host public/private key pairs.
You may create individual Host Public/Private Key pairs. Host keys must first be deleted before new Host Keys can be created. To create a new set of host keys:
- To access the SSH setup screen, navigate to MANAGEMENT > NETWORK: SSH Setup. The window will open to the Host Keys tab by default.
- Should you want to change the key length of any host key, enter the desired length in the text field corresponding to the length you wish to change.
- Check the Regenerate All Keys box.
- Click Submit.
The Key Type/Status/Action table will temporarily disappear while the NetClock regenerates the keys. Host keys are generated in the background. Creating RSA and DSA keys, each 1024 bits long, typically takes about 30 seconds. Keys are created in the order RSA, DSA, ECDSA, ED25519; NetClock generates all four host keys (RSA, DSA, ECDSA, and ED25519).
- Delete any of the keys you do not want. See Deleting Host Keys.
Note: If the unit is rebooted with host key creation in progress, or the unit is booted and no host keys exist, the key generation process is restarted. The key generation process uses the previously specified key sizes.
Note: If a key size is undefined, the default key bit length size used is 2048. A key with a zero length or blank key size field will not be created.
When you delete a host key and recreate a new one, SSH client sessions will warn you that the host key has changed for this particular IP address. You must then take one of the following actions:
- Override the warning and accept the new Public Host Key and start a new connection. This is the default. This option allows users to log in using either method. Whichever mode works is allowed for logging in. If the Public Key is not correct or the Passphrase is not valid, the user is then prompted for the login account password.
- Remove the old Host Public Key from their client system and accept the new Host Public Key. This option simply skips public/private key authentication and immediately prompts the user for a password over a secure encrypted session, avoiding sending passwords in the clear.
- Load a public key into NetClock. This public key must match the private key found in the user's account and be accessible to the SSH, SCP, or SFTP client program. The user must then enter the Passphrase after authentication of the keys to provide the second factor for 2-factor authentication.
Please consult your SSH client software's documentation.
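The warning described above is the client telling you that the key it pinned for 10.10.200.5 no longer matches the one the unit now presents. The safe way to handle it is to remove the stale entry and pin the new key only after checking its fingerprint through a trusted channel. The script below is an added example, not Orolia's code or part of this manual; it assumes the manual's example address, an OpenSSH client with ssh-keygen and ssh-keyscan, and that the unit presents an ED25519 host key (one of the four types the manual says it generates).

```shell
#!/bin/sh
# Added example, not Orolia's code: client-side handling of the "host key has
# changed" warning after the NetClock's host keys were regenerated. The stale
# known_hosts entry is removed with ssh-keygen -R, and the new key is pinned
# only after its fingerprint matches one verified through a trusted channel.
# The address is the manual's example IP (assumption).

NETCLOCK=10.10.200.5

# Count the plain (unhashed) known_hosts lines that list a host; used to
# confirm that the old entry is really gone.
entries_for_host() {   # $1 = known_hosts file, $2 = host
  awk -v h="$2" '$1 !~ /^\|/ { n = split($1, names, ",")
                               for (i = 1; i <= n; i++) if (names[i] == h) c++ }
                 END { print c + 0 }' "$1"
}

# Remove every known_hosts entry for the unit, hashed entries included.
forget_old_host_key() {   # $1 = host, $2 = known_hosts file (default ~/.ssh/known_hosts)
  ssh-keygen -R "$1" -f "${2:-$HOME/.ssh/known_hosts}" >/dev/null 2>&1
}

# Fetch the unit's current host key and print its SHA256 fingerprint.
current_fingerprint() {   # $1 = host
  ssh-keyscan -t ed25519 "$1" 2>/dev/null | ssh-keygen -lf - | awk '{ print $2 }'
}

# Accept the new key only if it matches the fingerprint verified out of band.
verify_and_pin() {   # $1 = host, $2 = expected "SHA256:..." value, $3 = known_hosts file
  kh=${3:-$HOME/.ssh/known_hosts}
  actual=$(current_fingerprint "$1")
  if [ -z "$actual" ] || [ "$actual" != "$2" ]; then
    echo "refusing to pin $1: fingerprint '$actual' does not match '$2'" >&2
    return 1
  fi
  ssh-keyscan -t ed25519 "$1" 2>/dev/null >> "$kh"
}

# Typical sequence after the unit regenerated its keys (interactive use):
#   forget_old_host_key "$NETCLOCK"
#   verify_and_pin "$NETCLOCK" 'SHA256:<fingerprint verified out of band>'
#   ssh spadmin@"$NETCLOCK"
```

Blindly accepting the new key (the first option in the list above) is what the warning exists to discourage; comparing the fingerprint first costs one command and rules out a substituted server.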
The authorized_keys file can be viewed and edited, so as to enable adding and deleting Public Keys. The user may also retrieve the authorized_keys file from the .ssh directory using FTP, SCP, or SFTP.
If you want to completely control the public keys used for authentication, a correctly formatted authorized_keys file (formatted as indicated on the OpenSSH web site) can be loaded onto NetClock. You can transfer a new public key file using the Web UI.
To view and edit the authorized_keys file:
- Navigate to MANAGEMENT > NETWORK: SSH Setup. The SSH Setup window will open to the Host Keys tab by default.
- Select the Public Key tab. The authorized_keys file appears in the Public Keys File window.
- Edit the authorized_keys file as desired.
- Click the Submit button or Apply button.
The file is to be formatted such that the key is followed by an optional comment, with only one key per line. The file format, line terminations, and other EOL or EOF characters should correspond to UNIX conventions, not Windows.
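The format rules above (and the earlier note on UNIX line endings) are easy to get wrong when the file is edited on a Windows workstation, and a malformed line silently fails to authenticate. The script below is an added example, not Orolia's code or part of this manual: it checks a local authorized_keys file before you load it through the Web UI or SCP. It assumes OpenSSH's standard key type names and that the blob is an SSH wire-format buffer whose first string repeats the key type; the sample entry is constructed (an all-zero ED25519 key, valid in form only).

```shell
#!/bin/sh
# Added example, not Orolia's code: check an authorized_keys file on the
# workstation before loading it onto the NetClock. It enforces the format the
# manual describes (one key per line, key followed by an optional comment,
# UNIX line endings) and additionally confirms that the base64 blob really
# encodes the declared key type. It does not verify the key cryptographically.

# Validate one file; prints each problem to stderr, returns 1 if any is found.
check_authorized_keys() {
  file=$1
  status=0
  lineno=0
  cr=$(printf '\r')
  # A CR anywhere means the file was saved with Windows line endings.
  if grep -q "$cr" "$file"; then
    echo "$file: contains CR characters; convert to UNIX line endings" >&2
    status=1
  fi
  set -f   # no pathname expansion while splitting lines into fields
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    line=${line%"$cr"}                          # keep checking the rest of a CRLF line
    case "$line" in ''|'#'*) continue ;; esac   # blank lines and comments are fine
    set -- $line
    type=$1
    blob=$2
    case "$type" in
      ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
      *) echo "$file:$lineno: unknown key type '$type'" >&2; status=1; continue ;;
    esac
    if [ -z "$blob" ] || ! printf '%s' "$blob" | base64 -d >/dev/null 2>&1; then
      echo "$file:$lineno: key data is missing or not valid base64" >&2
      status=1
      continue
    fi
    # The blob is an SSH wire-format buffer: a 4-byte length, then the key
    # type string. Bytes 5 onward must repeat the type named in field 1.
    embedded=$(printf '%s' "$blob" | base64 -d 2>/dev/null | tail -c +5 | head -c "${#type}")
    if [ "$embedded" != "$type" ]; then
      echo "$file:$lineno: key data does not encode type '$type'" >&2
      status=1
    fi
  done < "$file"
  set +f
  return $status
}

# Constructed sample: a structurally valid ssh-ed25519 entry whose 32 key
# bytes are all zero, enough to exercise the checks but useless as a key.
blob=$({ printf '\0\0\0\013ssh-ed25519\0\0\0\040'; head -c 32 /dev/zero; } | base64 | tr -d '\n')
sample=$(mktemp)
printf '# keys allowed to log in as spadmin\nssh-ed25519 %s operator@workstation\n' "$blob" > "$sample"
if check_authorized_keys "$sample"; then
  echo "$sample: format OK, safe to load"
fi
rm -f "$sample"
```

Run it as `check_authorized_keys ./authorized_keys` on the file you intend to upload; a non-zero exit with the line number tells you what to fix before the unit rejects the key.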
Note: If you delete ALL Public Keys, Public/Private Key authentication is disabled. If you have selected SSH authentication using the Public Key with Passphrase option, login and file transfers will be forbidden. You must select a method allowing the use of account password authentication to enable login or file transfers using SCP or SFTP.
Secure shell sessions using an SSH client can be performed using the admin or a user-defined account. The user may use Account Password or Public Key with Passphrase authentication. The OpenSSH tool ssh-keygen may be used to create RSA and DSA keys used to identify and authenticate user logins or file transfers.
The following command lines for the OpenSSH SSH client tool are given as examples of how to create an SSH session.
Creating an SSH session with Password Authentication for the admin account
ssh spadmin@10.10.200.5
spadmin@10.10.200.5's password: admin123
You are now presented with boot up text and/or a “>” prompt which allows the use of the Orolia command line interface.
Creating an SSH session using Public Key with Passphrase Authentication for the admin account
You must first provide the secure Orolia product an RSA public key, typically found in the OpenSSH id_rsa.pub file. Then you may attempt to create an SSH session.
ssh -i ./id_rsa spadmin@10.10.200.5
Enter passphrase for key './id_rsa': mysecretpassphrase
Please consult the SSH client tool’s documentation for specifics on how to use the tool, select SSH protocols, and provide user private keys.
NetClock provides secure file transfer capabilities using the SSH client tools SCP and SFTP. Authentication is performed using either Account Passwords or Public Key with Passphrase.
Example output from OpenSSH, SCP, and SFTP client commands are shown below.
Perform an SCP file transfer to the device using Account Password authentication
scp authorized_keys spadmin@10.10.200.5:.ssh
spadmin@10.10.200.5's password: admin123
authorized_keys 100% |***************************************************| 5 00:00
Perform an SCP file transfer to the device using Public Key with Passphrase authentication.
scp -i ./id_rsa authorized_keys spadmin@10.10.200.5:.ssh
Enter passphrase for key './id_rsa': mysecretpassphrase
authorized_keys 100% |***************************************************| 5 00:00
Perform an SFTP file transfer to the device using Account Password authentication.
sftp spadmin@10.10.200.5
spadmin@10.10.200.5's password: admin123
You will be presented with the SFTP prompt allowing interactive file transfer and directory navigation.
Perform an SFTP file transfer to the device using Public Key with Passphrase authentication
sftp -i ./id_rsa spadmin@10.10.200.5
Enter passphrase for key './id_rsa': mysecretpassphrase
You will be presented with the SFTP prompt allowing interactive file transfer and directory navigation.
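The session examples above start from a key pair that already exists. The script below is an added example, not Orolia's code or part of this manual; it covers the steps the manual leaves to the client tool's documentation: creating a passphrase-protected user key with ssh-keygen, adding its public half to a local copy of authorized_keys in the required format, and pushing that file to the unit with SCP as shown above. The RSA key type, the spadmin account and the address follow the manual's examples; the 3072-bit size and the ssh options used to prove key-based login are this example's choices.

```shell
#!/bin/sh
# Added example, not Orolia's code: create a passphrase-protected user key
# pair, add the public key to a local copy of authorized_keys (one key per
# line, UNIX line endings), then push it to the unit and confirm that
# key-based login works. Account and address are the manual's examples.

# Generate an RSA key pair; the private key file is encrypted with the passphrase.
make_user_key() {   # $1 = output path, $2 = passphrase, $3 = comment
  ssh-keygen -q -t rsa -b 3072 -f "$1" -N "$2" -C "$3"
}

# Print the SHA256 fingerprint of a public key, for cross-checking later.
key_fingerprint() {   # $1 = .pub path
  ssh-keygen -lf "$1" | awk '{ print $2 }'
}

# Append a public key to authorized_keys exactly once, stripping any CR that a
# Windows editor may have introduced and terminating with a UNIX newline.
add_pubkey() {   # $1 = authorized_keys path, $2 = .pub path
  pub=$(tr -d '\r' < "$2")
  grep -qxF -- "$pub" "$1" 2>/dev/null || printf '%s\n' "$pub" >> "$1"
}

# Number of key lines (non-blank, non-comment) in an authorized_keys file.
key_count() {   # $1 = authorized_keys path
  grep -c '^[^#[:space:]]' "$1"
}

# Copy the file to the unit's .ssh directory (account password this first
# time), then prove the key works by forbidding password authentication;
# the ssh step prompts for the key passphrase, not the account password.
install_on_netclock() {   # $1 = authorized_keys path, $2 = private key path, $3 = user@host
  scp "$1" "$3:.ssh/authorized_keys" &&
    ssh -i "$2" -o IdentitiesOnly=yes -o PasswordAuthentication=no "$3"
}

# Typical sequence (interactive use):
#   make_user_key ./id_rsa 'mysecretpassphrase' 'operator@workstation'
#   scp spadmin@10.10.200.5:.ssh/authorized_keys ./authorized_keys   # start from the unit's current file
#   add_pubkey ./authorized_keys ./id_rsa.pub
#   install_on_netclock ./authorized_keys ./id_rsa spadmin@10.10.200.5
```

Starting from the unit's current authorized_keys, rather than a fresh file, avoids locking out other operators whose keys are already loaded; the final ssh with PasswordAuthentication=no fails fast if the uploaded file is malformed instead of silently falling back to the account password.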
Orolia does not make any recommendations for specific SSH clients, SCP clients, or SFTP client tools. However, there are many SSH based tools available to the user at low cost or free.
Two good, free examples of SSH tool suites are the command line based tool OpenSSH running on a Linux or OpenBSD x86 platform and the SSH tool suite PuTTY.
The OpenSSH tool suite in source code form is freely available at www.openssh.org though you must also provide an OpenSSL library, which can be found at www.openssl.org.
PuTTY can be found at: http://www.chiark.greenend.org.uk/~sgtatham/putty/.
The SSH keep-alive timeout is hard-set to 60 minutes (3600 seconds). This value is not configurable.