Manual Chapter: Managing SSH Profiles
Applies To:
BIG-IQ Centralized Management
- 8.3.0, 8.2.0, 8.1.0, 8.0.0
Managing SSH Profiles
About SSH profiles
You can configure SSH profiles to manage SSH connections. Once the SSH profile is created, you assign it to a virtual server. You enable logging for SSH proxies using logging profiles.
You use the BIG-IQ Centralized Management system to manage SSH profiles for BIG-IP devices running version 12.1.1 HF1, or later. For additional details about SSH proxy security, refer to the BIG-IP documentation.
Create SSH profiles
You create SSH proxy profiles to manage user access through SSH connections. This includes selecting what commands are available to users within an SSH connection.
- Click Create. The New SSH Profile screen opens with the Properties tab displayed.
- In the Name field, type a name for the SSH profile.
- In the Description field, type an optional description for the SSH profile.
- If needed, change the default Common partition in the Partition field. The partition with that name must already exist on the BIG-IP device. No whitespace is allowed in the partition name.
- In the Lang Env Tolerance field, select which connections with LANG environment variables set are allowed to pass through if the SSH Proxy profile has the Other channel type permission (in the SSH Proxy Permissions rules) set to Disallow or Terminate. This setting is supported with BIG-IP devices version 14.0 or later.
  - To allow connections with any LANG environment value set, select Any.
  - To allow only connections with the LANG environment variable set to en_US.UTF-8 to pass through the Other restrictions, select Common.
  - To disallow all connections with the LANG environment variable set, select None.
- In the Timeout field, if the default value of 0 is not appropriate, type how long, in seconds, before the connection times out.
- Click Save & Close to save the SSH profile and return to the SSH Profiles screen.
The SSH profile has been created.
You add SSH proxy permissions and authentication keys to the SSH profile, as needed, to make it complete. Once complete, you can add the SSH profile to an appropriate virtual server.
Configure SSH proxy permissions
You must create an SSH profile before you can configure the permissions for that profile.
You configure rules for SSH proxy permissions for the SSH profile. These rules specify what channel actions are allowed for all users and for selected users. A channel action is an action on a channel. A single SSH connection may contain multiple channels and actions, such as SCP Up, and others. The channel actions you can use in rules are shown as columns in the user interface.
- Click the name of the SSH profile for which you want to configure permissions.
- On the left, click SSH Proxy Permissions, and then click the Create Rule button. Each SSH profile has the rule DEFAULT ACTIONS defined, which initially allows all listed permissions for all users with no logging enabled. You can modify the permission and logging options for the DEFAULT ACTIONS rule. Review the DEFAULT ACTIONS rule before you create a new rule for specific users. A new row appears in the table of rules. The row contains a rule template, including defaults, for the new rule.
- Click the pencil icon next to the name of the rule to edit the default rule properties.
- In the Name field, type a more meaningful name for the rule.
- Create the list of SSH user accounts handled by the rule by adding and removing those accounts in the Users column.
  - Add a new SSH user account to the list by typing the account name in the empty Users field, and then clicking Add to the right of that field.
  - Delete an existing SSH user account from the list by clicking X to the right of the user account.
- Review and, if needed, modify each SSH channel action. You can set each of the SSH channel actions listed in the table columns (such as Shell or Sub System) to one of these options:
  - Allow permits the session to be set up for the SSH channel action. This is the default.
  - Disallow denies an SSH channel action and sends a "command not accepted" message. Note that many SSH clients disconnect when this occurs.
  - Terminate ends an SSH connection by sending a reset message when a channel action is received.
  - Unspecified indicates that the DEFAULT ACTIONS rule value is used for the rule. The DEFAULT ACTIONS rule is shown at the bottom of the rule list.
- To enable logging for any action, select the Log check box below the SSH channel action.
- Review your settings, and click Save.
The SSH proxy permissions are defined for the SSH profile.
If they are not already defined, you can now configure the authentication keys to complete the SSH profile.
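As an added illustration that is not part of the BIG-IQ documentation or product code, the Python below models how the settings from the profile and permissions procedures above combine: per-user permission rules in which Unspecified falls through to the DEFAULT ACTIONS rule, the per-action Log check box, and Lang Env Tolerance applied when the Other channel type is Disallow or Terminate. The channel-action list and the assumption that each user appears in at most one rule are this example's own, not the product's documented precedence.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Tuple

# Channel actions named on the page; the full UI column list is not given there,
# so this tuple is a constructed subset for the model.
CHANNEL_ACTIONS = ("Shell", "Sub System", "SCP Up", "Other")
VERDICTS = ("Allow", "Disallow", "Terminate", "Unspecified")

@dataclass
class Rule:
    """One row of the SSH Proxy Permissions table."""
    name: str
    users: FrozenSet[str]                  # SSH account names the rule covers
    actions: Dict[str, str]                # channel action -> verdict
    log: Dict[str, bool] = field(default_factory=dict)  # action -> Log box checked

def default_actions_rule() -> Rule:
    """DEFAULT ACTIONS in its initial state: every channel action Allowed
    for all users, with logging off."""
    return Rule("DEFAULT ACTIONS", frozenset(), {a: "Allow" for a in CHANNEL_ACTIONS})

def resolve(rules, default, user, action) -> Tuple[str, bool]:
    """Effective (verdict, logging) for one user and channel action.
    Model assumption: a user appears in at most one rule; Unspecified, or an
    action the rule does not mention, falls through to DEFAULT ACTIONS."""
    for rule in rules:
        if user in rule.users:
            verdict = rule.actions.get(action, "Unspecified")
            if verdict != "Unspecified":
                return verdict, rule.log.get(action, False)
            break
    return default.actions.get(action, "Allow"), default.log.get(action, False)

def lang_env_passes(tolerance: str, lang: Optional[str], other_verdict: str) -> bool:
    """Model of Lang Env Tolerance: only relevant when the connection sets LANG
    and the Other channel type is Disallow or Terminate."""
    if lang is None or other_verdict == "Allow":
        return True
    if tolerance == "Any":
        return True
    if tolerance == "Common":
        return lang == "en_US.UTF-8"
    return False  # "None": no connection with LANG set passes the Other restriction

if __name__ == "__main__":
    default = default_actions_rule()
    contractors = Rule("contractors", frozenset({"alice"}),
                       {"Shell": "Disallow", "Other": "Terminate"}, {"Shell": True})
    print(resolve([contractors], default, "alice", "Shell"))      # ('Disallow', True)
    print(resolve([contractors], default, "alice", "SCP Up"))     # ('Allow', False)
    print(lang_env_passes("Common", "de_DE.UTF-8", "Terminate"))  # False
```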
Configure SSH authentication keys
You must create an SSH profile before you can configure the authentication keys for that profile.
You use the Key Management tab to configure authentication key information for the SSH profile, such as proxy client authentication, proxy server authentication, and real server authentication.
- Log in to the BIG-IQ Centralized Management system with your user name and password.
- At the top left of the screen, select Network Security from the BIG-IQ menu.
- Click Shared Security from the top menu bar, and then from the list on the left, click SSH Profiles.
- Click the name of the SSH profile on which you want to configure authentication keys.
- Click the Key Management tab and click Add. A popup screen opens where you supply authentication key information.
- In the Name field, type a name for the authentication information.
- Supply the public, and if needed, private keys for the authentication types to be used in the fields provided. Proxy client authentication and proxy server authentication require both a public and a private key. Real server authentication requires only a public key. Refer to the BIG-IP AFM documentation on how to generate and use these keys.
- Click Add to add the new authentication information and close the popup screen.
- Review your settings, and click Save.
The authentication keys are defined for the SSH profile.
If not already defined, you can now configure the SSH proxy permissions to complete the SSH profile.