Applies To:
BIG-IQ Centralized Management
- 8.3.0, 8.2.0, 8.1.0, 8.0.0
Managing SSH Profiles
About SSH profiles
Create SSH profiles
- Click Create. The New SSH Profile screen opens with the Properties tab displayed.
- In the Name field, type a name for the SSH profile.
- In the Description field, type an optional description for the SSH profile.
- If needed, change the default Common partition in the Partition field. The partition with that name must already exist on the BIG-IP device. No whitespace is allowed in the partition name.
- In the Lang Env Tolerance field, select which connections with LANG environment variables set are allowed to pass through if the SSH Proxy profile has the Other channel type permission (in the SSH Proxy Permissions rules) set to Disallow or Terminate. This setting is supported with BIG-IP devices version 14.0 or later.
  - To allow connections with any LANG environment value set, select Any.
  - To allow only connections with the LANG environment variable set to en_US.UTF-8 to pass through the Other restrictions, select Common.
  - To disallow all connections with the LANG environment variable set, select None.
- In the Timeout field, if the default value of 0 is not appropriate, type how long, in seconds, before the connection times out.
- Click Save & Close to save the SSH profile and return to the SSH Profiles screen.
Configure SSH proxy permissions
- Click the name of the SSH profile for which you want to configure permissions.
- On the left, click SSH Proxy Permissions, and then click the Create Rule button. Each SSH profile has the rule DEFAULT ACTIONS defined, which initially allows all listed permissions for all users with no logging enabled. You can modify the permission and logging options for the DEFAULT ACTIONS rule. Review the DEFAULT ACTIONS rule before you create a new rule for specific users. A new row appears in the table of rules. The row contains a rule template, including defaults, for the new rule.
- Click the pencil icon next to the name of the rule to edit the default rule properties.
- In the Name field, type a more meaningful name for the rule.
- Create the list of SSH user accounts handled by the rule, by adding and removing those accounts from the Users column.
  - Add a new SSH user account to the list by typing the account name in the empty Users field, and then clicking Add to the right of that field.
  - Delete an existing SSH user account from the list by clicking X to the right of the user account.
- Review and, if needed, modify each SSH channel action. You can set each of the SSH channel actions listed in the table columns (such as Shell, or Sub System) to one of these options:
  - Allow permits the session to be set up for the SSH channel action. This is the default.
  - Disallow denies an SSH channel action, and sends a command not accepted message. Note that many SSH clients disconnect when this occurs.
  - Terminate ends an SSH connection by sending a reset message when a channel action is received.
  - Unspecified indicates that the DEFAULT ACTIONS rule value be used for the rule. The DEFAULT ACTIONS rule is shown at the bottom of the rule list.
- To enable logging for any action, select the Log check box below the SSH channel action.
- Review your settings, and click Save.
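The fallback from Unspecified to the DEFAULT ACTIONS rule can be checked offline before saving a rule set. The following Python sketch is an added example, not F5 code or a BIG-IQ API: it resolves the effective action per user and channel and lists every combination that ends up allowed without logging. It assumes that the first rule listing a user applies, that users listed in no rule are handled by DEFAULT ACTIONS, and that the Log setting comes from the rule that supplies the action; the Rule class, function names and sample users are hypothetical.

```python
from dataclasses import dataclass, field

CHANNELS = ("Shell", "Sub System", "Other")  # channel actions named on this page
DEFAULT_RULE = "DEFAULT ACTIONS"

@dataclass
class Rule:  # hypothetical in-memory model, not a BIG-IQ object
    name: str
    users: list
    actions: dict = field(default_factory=dict)  # channel -> Allow/Disallow/Terminate/Unspecified
    logged: set = field(default_factory=set)     # channels with the Log check box selected

def effective(rules, user, channel):
    """Return (action, logged, source_rule_name) for one user and channel."""
    default = next(r for r in rules if r.name == DEFAULT_RULE)
    for rule in rules:
        if rule.name == DEFAULT_RULE or user not in rule.users:
            continue
        action = rule.actions.get(channel, "Unspecified")
        if action != "Unspecified":
            return action, channel in rule.logged, rule.name
        break  # Unspecified: fall through to the DEFAULT ACTIONS value
    # Assumption: users not listed in any rule are handled by DEFAULT ACTIONS.
    return default.actions.get(channel, "Allow"), channel in default.logged, DEFAULT_RULE

def unlogged_allows(rules, users):
    """List (user, channel) pairs that resolve to Allow with no logging."""
    findings = []
    for user in users:
        for channel in CHANNELS:
            action, logged, _ = effective(rules, user, channel)
            if action == "Allow" and not logged:
                findings.append((user, channel))
    return findings

# Constructed sample rule set; user and rule names are invented for the example.
SAMPLE_RULES = [
    Rule("ops-shell-only", ["alice"],
         {"Shell": "Allow", "Sub System": "Unspecified", "Other": "Terminate"},
         {"Shell", "Other"}),
    Rule(DEFAULT_RULE, [],
         {"Shell": "Disallow", "Sub System": "Allow", "Other": "Allow"},
         {"Shell"}),
]

if __name__ == "__main__":
    for user, channel in unlogged_allows(SAMPLE_RULES, ["alice", "bob"]):
        print(f"{user}: {channel} is allowed and not logged")
```
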
Configure SSH authentication keys
- Log in to the BIG-IQ Centralized Management system with your user name and password.
- At the top left of the screen, select Network Security from the BIG-IQ menu.
- Click Shared Security from the top menu bar, and then from the list on the left, click SSH Profiles.
- Click the name of the SSH profile on which you want to configure authentication keys.
- Click the Key Management tab and click Add. A popup screen opens where you supply authentication key information.
- In the Name field, type a name for the authentication information.
- Supply the public, and if needed, private keys for the authentication types to be used in the fields provided. Proxy client authentication and Proxy server authentication require both a public and a private key. Real server authentication requires only a public key. Refer to the BIG-IP AFM documentation on how to generate and use these keys.
- Click Add to add the new authentication information and close the popup screen.
- Review your settings, and click Save.