Afenioux's Blog page

3am; darkness; Maintenance window closing. Safety net: rollback.

SSH configuration for Brocade MLX

Written by Arnaud no comments

Enable SSH

crypto key generate rsa modulus 2048
write mem
sync-standby

 

Disable SSH

This is definitely a bad idea!
The "best" to disable ssh, is to remove the host keys :

crypto key zeroize

Aha, you should disable telnet (but it's not enableb by default,unlike cisco!) :

no telnet server

 

Add a public key to log in without password

You have to "convert" manually your public key : 

cat .ssh/id_rsa.pub

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA88pt28yU5jq4KZQ88nKsl2iYMhxatRv742Ak52c8/qIqivw+Drs9/r4ggnjCBrQ8+nycmc3Qe
DsAa7ci3bXUYebYHAuNbOF9QKJst2SquFSGUu5kGGDxNhdiYdVVuqH/DEzXN+CXaLexykSPfe/YpHRhHVK4Zhv1Vbr8pmLTtaOBep
dCUE+s9anqzDHRIfm6b/3XJSLlXx95mi4Yj/0BEM6SYHzsAr0jhlfvbA84HZpzQBrEi7dHrylm6UDtPXSWkZq3Ki+rMED6ZUUjWVL
O0YuVq5NJi9EkgbVSbhK+hr9BndLOpl0jUrjxHT4mtz7p+RTM5Wm3G7AB54LzNhxHWQ== afenioux@franceix.net

becomes :

---- BEGIN SSH2 PUBLIC KEY ----
Comment: "afenioux@franceix.net"
AAAAB3NzaC1yc2EAAAABIwAAAQEA88pt28yU5jq4KZQ88nKsl2iYMhxatRv742Ak52c8/qIqivw+Drs9/r4ggnjCBrQ8+nycmc3Qe
DsAa7ci3bXUYebYHAuNbOF9QKJst2SquFSGUu5kGGDxNhdiYdVVuqH/DEzXN+CXaLexykSPfe/YpHRhHVK4Zhv1Vbr8pmLTtaOBep
dCUE+s9anqzDHRIfm6b/3XJSLlXx95mi4Yj/0BEM6SYHzsAr0jhlfvbA84HZpzQBrEi7dHrylm6UDtPXSWkZq3Ki+rMED6ZUUjWVL
O0YuVq5NJi9EkgbVSbhK+hr9BndLOpl0jUrjxHT4mtz7p+RTM5Wm3G7AB54LzNhxHWQ==
---- END SSH2 PUBLIC KEY ----

You have to put ALL the allowed public keys in the same file, they will be deleted otherwise! 

ip ssh pub-key-file tftp 10.10.10.10 pkeys.txt

Remove all the clients keys :

 ip ssh pub-key remove

 

ACL on SSH

access-list 22 permit host 192.0.2.1
access-list 22 permit 10.10.0.0/16
ssh access-group 22

and obviously we think to l'IPv6

ipv6 access-list acl-ssh-in
  permit ipv6 2001:db8::/32 any
exit
ssh access-group ipv6 acl-ssh-in

 

 

About SSH

see actives connections :

sh ip ssh

see parameters : 

sh ip ssh config

list of authorized (public) keys :

sh ip client-pub-key

SCP

SCP is enable by default... just use it!

Classified in : MISC Tags : none
Rss feed of the category