Manual Chapter : Managing SSH Profiles in Shared Security

Applies To:

BIG-IQ Centralized Management 7.0.0

Managing SSH Profiles in Shared Security

About SSH profiles

You can configure SSH profiles to manage SSH connections that pass through a BIG-IP SSH proxy. Once the SSH profile is created, you assign it to a virtual server. You enable logging for SSH proxies using logging profiles.
You use the BIG-IQ Centralized Management system to manage SSH profiles for BIG-IP devices running version 12.1.1 HF1 or later. For additional details about SSH proxy security, refer to the BIG-IP documentation.

Create SSH profiles

You create SSH proxy profiles to manage user access through SSH connections. This includes selecting which channel actions (shell, SCP, subsystems, and so on) users are permitted to perform within an SSH connection.
  1. Log in to the BIG-IQ Centralized Management system with your user name and password.
  2. At the top left of the screen, select Network Security from the BIG-IQ menu.
  3. Click Shared Security from the top menu bar, and then from the list on the left, click SSH Profiles.
  4. Click Create.
    The SSH Profiles - New Item screen opens with the Properties tab displayed.
  5. In the Name field, type a name for the SSH profile.
  6. In the Description field, type an optional description for the SSH profile.
  7. If needed, change the default Common partition in the Partition field.
    The partition with that name must already exist on the BIG-IP device. No whitespace is allowed in the partition name.
  8. In the Lang Env Tolerance field, select which connections with the LANG environment variable set are allowed to pass through when the Other channel action in the profile's SSH Proxy Permissions rules is set to Disallow or Terminate. A client's request to set an environment variable is not one of the named channel actions, so it is governed by the Other column.
    This setting is supported with BIG-IP devices version 14.0 or later. It is consulted only when Other is Disallow or Terminate; with Other set to Allow, LANG requests pass through regardless of this setting.
    • To allow connections with any LANG environment value set, select Any.
    • To allow only connections with the LANG environment variable set to en_US.UTF-8 to pass through the Other restriction, select Common.
    • To disallow all connections with the LANG environment variable set, select None.
  9. In the Timeout field, if the default value of 0 is not appropriate, type how long, in seconds, before the connection times out.
  10. Click Save & Close to save the SSH profile and return to the SSH Profiles screen.
The SSH profile has been created.
You add SSH proxy permissions and authentication keys to the SSH profile, as needed, to make it complete. Until you change it, the profile's DEFAULT ACTIONS rule allows every listed channel action for every user with no logging enabled. Once complete, you can add the SSH profile to an appropriate virtual server.

Configure SSH proxy permissions

You must create an SSH profile before you can configure the permissions for that profile.
You configure rules for SSH proxy permissions for the SSH profile. These rules specify which channel actions are allowed for all users and for selected users. A channel action is an action performed on an SSH channel; a single SSH connection may carry multiple channels and actions, such as Shell, SCP Up, and others. The channel actions you can use in rules are shown as columns in the user interface.
  1. Click Configuration > SECURITY > Shared Security > SSH Profiles.
  2. Click the name of the SSH profile for which you want to configure permissions.
  3. On the left, click SSH Proxy Permissions, and then click the Create Rule button.
    Each SSH profile has the rule DEFAULT ACTIONS defined, which initially allows all listed channel actions for all users with no logging enabled. You can modify the permission and logging options for the DEFAULT ACTIONS rule. Review the DEFAULT ACTIONS rule before you create a new rule for specific users: any channel action a user rule leaves Unspecified, and any user that no rule names, falls back to it.
    A new row appears in the table of rules. The row contains a rule template, including defaults, for the new rule.
  4. Click the pencil icon next to the name of the rule to edit the default rule properties.
  5. In the Name field, type a more meaningful name for the rule.
  6. Create the list of SSH user accounts handled by the rule, by adding and removing those accounts from the Users column.
    • Add a new SSH user account to the list by typing the account name in the empty Users field, and then clicking Add to the right of that field.
    • Delete an existing SSH user account from the list by clicking X to the right of the user account.
  7. Review and, if needed, modify each SSH channel action. You can set each of the SSH channel actions listed in the table columns (such as Shell or Sub System) to one of these options:
    • Allow permits the session to be set up for the SSH channel action. This is the default.
    • Disallow denies the SSH channel action and sends a command not accepted message to the client. The connection itself stays open, but note that many SSH clients disconnect when this occurs.
    • Terminate ends the SSH connection by sending a reset message when the channel action is received.
    • Unspecified indicates that the DEFAULT ACTIONS rule value is used for this channel action. The DEFAULT ACTIONS rule is shown at the bottom of the rule list.
  8. To enable logging for any action, select the Log check box below the SSH channel action.
  9. Review your settings, and click Save.
The SSH proxy permissions are defined for the SSH profile.
If they are not already defined, you can now configure the authentication keys to complete the SSH profile.
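The following added example (Python; not BIG-IQ or BIG-IP code) models how the settings from the two procedures above combine: per-user rules whose channel actions are Allow, Disallow, Terminate or Unspecified, an Unspecified value falling back to the DEFAULT ACTIONS rule at the bottom of the list, the Log check box, and the Lang Env Tolerance setting from the Create SSH profiles procedure, which is consulted only when Other resolves to Disallow or Terminate. The profile, rule names, user names and LANG values are constructed; the channel actions are the four named in this chapter (the real table has more columns); "first user rule that names the user wins" is an assumption of this model, since the chapter does not say how overlapping user rules are ordered. Its audit() output is the effective permission matrix worth reviewing before the profile is attached to a virtual server.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

ALLOW, DISALLOW, TERMINATE, UNSPECIFIED = "Allow", "Disallow", "Terminate", "Unspecified"
# Channel actions named in this chapter; the BIG-IQ rule table has more columns.
CHANNEL_ACTIONS = ("Shell", "Sub System", "SCP Up", "Other")
DEFAULT_RULE = "DEFAULT ACTIONS"


@dataclass
class Rule:
    name: str
    users: FrozenSet[str]                 # empty for DEFAULT ACTIONS (applies to every user)
    actions: Dict[str, str]               # channel action -> Allow/Disallow/Terminate/Unspecified
    log: Dict[str, bool] = field(default_factory=dict)   # the Log check box per action


@dataclass
class SSHProfile:
    name: str
    lang_env_tolerance: str               # "Any", "Common" or "None"
    rules: List[Rule]                     # user rules first, DEFAULT ACTIONS last (as in the UI)


def decide(profile: SSHProfile, user: str, channel_action: str) -> Tuple[str, bool, str]:
    """Resolve one channel action for one user.

    Returns (verdict, logged, name of the rule that supplied the verdict).
    Model assumption: the first user rule listing the user wins; an Unspecified
    value, or a user named in no rule, falls back to DEFAULT ACTIONS.
    """
    default = profile.rules[-1]
    assert default.name == DEFAULT_RULE and not default.users
    rule = next((r for r in profile.rules[:-1] if user in r.users), None)
    verdict = rule.actions.get(channel_action, UNSPECIFIED) if rule else UNSPECIFIED
    if verdict == UNSPECIFIED:
        rule = default
        verdict = default.actions.get(channel_action, ALLOW)   # DEFAULT ACTIONS starts as all Allow
    return verdict, rule.log.get(channel_action, False), rule.name


def decide_lang_env(profile: SSHProfile, user: str, lang_value: str) -> str:
    """Verdict for a session that asks to set the LANG environment variable.

    Setting an environment variable is not one of the named channel actions, so
    it is governed by the Other column. Lang Env Tolerance only matters when
    Other resolves to Disallow or Terminate; it then decides whether the LANG
    request is let through anyway.
    """
    verdict, _, _ = decide(profile, user, "Other")
    if verdict == ALLOW:
        return ALLOW
    tolerance = profile.lang_env_tolerance
    if tolerance == "Any":
        return ALLOW
    if tolerance == "Common" and lang_value == "en_US.UTF-8":
        return ALLOW
    return verdict                        # "None", or an uncommon LANG under "Common"


def audit(profile: SSHProfile, users: List[str]) -> Dict[str, Dict[str, Tuple[str, bool, str]]]:
    """Effective permission matrix for the given users: user -> action -> decide() result."""
    return {u: {a: decide(profile, u, a) for a in CHANNEL_ACTIONS} for u in users}


def sample_profile(tolerance: str = "Common") -> SSHProfile:
    """Constructed profile (not from any real device): a contractor rule in front of
    a DEFAULT ACTIONS rule that has been tightened to log everything and block Other."""
    contractors = Rule(
        name="contractors",
        users=frozenset({"contractor1"}),
        actions={"Shell": DISALLOW, "SCP Up": TERMINATE,
                 "Sub System": UNSPECIFIED, "Other": UNSPECIFIED},
        log={"Shell": True, "SCP Up": True},
    )
    default = Rule(
        name=DEFAULT_RULE,
        users=frozenset(),
        actions={"Shell": ALLOW, "Sub System": ALLOW, "SCP Up": ALLOW, "Other": DISALLOW},
        log={a: True for a in CHANNEL_ACTIONS},
    )
    return SSHProfile("ssh_admin_jump", tolerance, [contractors, default])


if __name__ == "__main__":
    profile = sample_profile()
    for user, row in audit(profile, ["alice", "contractor1"]).items():
        for action, (verdict, logged, rule) in row.items():
            print(f"{user:12} {action:10} {verdict:10} log={logged!s:5} via {rule}")
    print("alice LANG=C.UTF-8 ->", decide_lang_env(profile, "alice", "C.UTF-8"))
```

Running the block prints the matrix for a user that no rule names (everything comes from DEFAULT ACTIONS) and for contractor1, whose Sub System and Other entries are Unspecified and therefore also come from DEFAULT ACTIONS; the last line shows a non-en_US.UTF-8 LANG being refused under Common tolerance because Other is Disallow.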

Configure SSH authentication keys

You must create an SSH profile before you can configure the authentication keys for that profile.
You use the Key Management tab to configure authentication key information for the SSH profile: proxy client authentication (the key pair the proxy presents to the real server), proxy server authentication (the key pair the proxy presents as its host key to connecting clients), and real server authentication (the real server's public host key, which the proxy uses to verify the server it connects to).
  1. Log in to the BIG-IQ Centralized Management system with your user name and password.
  2. At the top left of the screen, select Network Security from the BIG-IQ menu.
  3. Click Shared Security from the top menu bar, and then from the list on the left, click SSH Profiles.
  4. Click the name of the SSH profile on which you want to configure authentication keys.
  5. Click the Key Management tab and click Add.
    A popup screen opens where you supply authentication key information.
  6. In the Name field, type a name for the authentication information.
  7. Supply the public, and if needed, private keys for the authentication types to be used in the fields provided.
    Proxy client authentication and Proxy server authentication require both a public and a private key, because the proxy uses them to authenticate itself. Real server authentication requires only a public key. Treat the private keys as secrets: whoever holds the proxy server private key can impersonate the proxy to its clients. Before entering a real server's public key, confirm its fingerprint with the server's administrator rather than taking it from the first connection. Refer to the BIG-IP AFM documentation on how to generate and use these keys.
  8. Click Add to add the new authentication information and close the popup screen.
  9. Review your settings, and click Save.
The authentication keys are defined for the SSH profile.
If not already defined, you can now configure the SSH proxy permissions to complete the SSH profile.
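The following added example (Python, standard library only; not BIG-IQ or BIG-IP code) is a pre-flight check for the public keys you paste into the Key Management popup. It parses the one-line OpenSSH public key format (type, base64 blob, optional comment), rejects private key material pasted into a public key field, cross-checks the type prefix against the type encoded inside the blob, and computes the SHA256 fingerprint in the form that ssh-keygen -l prints, so a real server's host key can be compared against the fingerprint its administrator reports before the proxy is told to trust it. The sample key is constructed from 32 fixed bytes and is not a real key; make_ed25519_line() exists only to build that sample.

```python
import base64
import hashlib
import struct
from typing import Dict, List, Tuple


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(blob: bytes, offset: int) -> Tuple[bytes, int]:
    """Decode one SSH wire-format string at offset; return (bytes, offset after it)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint of the raw key blob as ssh-keygen -l prints it (base64, no padding)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_public_key(line: str) -> Dict[str, object]:
    """Parse an OpenSSH one-line public key and cross-check the type inside the blob.

    Raises ValueError for private key material, malformed base64, a truncated
    blob, or a type prefix that disagrees with the encoded key.
    """
    text = line.strip()
    if "PRIVATE KEY" in text:
        raise ValueError("this is a private key; only the proxy's own authentication "
                         "entries take a private key, and it goes in the private key field")
    parts = text.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)       # binascii.Error is a ValueError
    inner_type, offset = _read_string(blob, 0)
    if inner_type != key_type.encode("ascii"):
        raise ValueError(f"type mismatch: line says {key_type}, blob says {inner_type!r}")
    fields: List[bytes] = []                           # remaining wire strings (e.g. e and n for ssh-rsa)
    while offset < len(blob):
        value, offset = _read_string(blob, offset)
        fields.append(value)
    return {"type": key_type, "comment": comment, "fields": fields,
            "fingerprint": fingerprint(blob)}


def validation_error(line: str) -> str:
    """Return the rejection reason for a line, or '' when it parses cleanly."""
    try:
        parse_public_key(line)
        return ""
    except ValueError as exc:
        return str(exc)


def host_key_matches(line: str, expected_fingerprint: str) -> bool:
    """True when the key's SHA256 fingerprint equals the one obtained out of band."""
    return parse_public_key(line)["fingerprint"] == expected_fingerprint


def make_ed25519_line(raw_public: bytes, comment: str = "") -> str:
    """Build a constructed ssh-ed25519 one-liner from 32 raw bytes (sample input only)."""
    if len(raw_public) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw_public)
    line = "ssh-ed25519 " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")


if __name__ == "__main__":
    # Constructed sample (fixed bytes 0..31), not a real host key.
    sample = make_ed25519_line(bytes(range(32)), "realserver.example.internal")
    info = parse_public_key(sample)
    print(info["type"], info["fingerprint"], info["comment"])
    print("private key pasted:", validation_error("-----BEGIN OPENSSH PRIVATE KEY-----"))
    print("type mismatch:", validation_error("ssh-rsa " + sample.split()[1]))
```

The fingerprint is taken over the decoded blob, not the base64 text, which is why it matches what ssh-keygen -l reports for the same key; compare that string with the value the real server's administrator gives you, and only then paste the line into the real server authentication field.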