Applies To:
Show VersionsBIG-IP AFM
- 14.0.1, 14.0.0
SSH Proxy Security
Securing SSH traffic with the SSH Proxy
Why use SSH proxy?
Network attacks are increasingly less visible, cloaked in SSL and SSH channels. The SSH Proxy lets network administrators centrally manage the different uses of SSH, determining who can do what on which servers. Additionally, as the feature is a full proxy, terminating both the client and server sides of the connection, it is possible to inspect traffic before passing it on. This prevents attackers from hiding their activities while still providing legitimate users with secure communications.
Challenges and problems that SSH proxy addresses
- Gives administrators visibility into user command activity in the SSH channel
- Provides fine-grained control of SSH access commands on a per-user basis
- Allows segmentation of access control for different users, allowing, for example, one user to download (but not upload) with SCP, while another user can upload and download with SCP allowing SHELL access only to an administrator, and other examples
- Control over SSH keep-alives that keep a session open indefinitely
Features of SSH Proxy
- Policy based SSH control capability
- Fine-grained control of SSH access on a per-user basis
- Visibility and control of SSH connection
- By controlling the SSH commands and session, the datacenter administrator can prevent advanced attacks from compromising the datacenter
Current limits of SSH Proxy
- Supports SSH version 2.0 or above only
- SSH proxy is supported on a virtual server, not on a route domain or global context
- SSH proxy auth key size is limited to 4K
- Elliptical Curve cypher (ECDHE) SSH keys are not supported for authentication
Using SSH Proxy
- An SSH proxy profile that defines actions for SSH channel commands
- A virtual server for the SSH server, configured for SSH traffic, and including the SSH proxy profile
- Authentication information for the SSH proxy
Proxying SSH traffic with an SSH Proxy profile
SSH proxy permissions
In an SSH proxy profile, you can configure whether to Allow, Disallow, or Terminate SSH proxy permissions. Non-default action rules include an Unspecified option, which means use the Default Action. You can also choose to log the rule actions.
Channel action | Description |
---|---|
Shell | Defines use of the shell command to establish an
interactive terminal (command line) session, or shell, on the remote host. It
determines whether the SSH proxy allows establishing interactive sessions. Note that Shell depends on Other. If Other is disabled, users cannot obtain Shell access. |
Sub System | Defines the use of the subsystem command, to invoke remote commands that are defined on the server over the SSH tunnel. It allows SSH servers to be configured to abstract certain commands and procedures. |
SFTP Up | Defines the use of Secure File Transfer Protocol (sftp) to upload (put) files over the SSH tunnel. |
SFTP Down | Defines the use of Secure File Transfer Protocol (sftp) to download (get) files over the SSH tunnel. |
SCP Up | Defines the use of Secure Copy (scp) to copy files from a local directory to a remote directory over the SSH tunnel. |
SCP Down | Defines the use of Secure Copy (scp) to copy files from a remote directory to a local directory over the SSH tunnel. |
Rexec | Defines the use of rexec remote execution commands over the SSH tunnel. SSH can be configured to deny interactive sessions, while allowing specific commands to execute on the remote host. |
Forward Local | Defines the use of the -L to do local port forwarding over the SSH tunnel. That way, SSH can be used to set up an encrypted tunnel to a remote host. |
Forward Remote | Defines the use of the -R to do remote port forwarding over the SSH tunnel. That way, SSH can be used to set up an encrypted tunnel from a remote host. |
Forward X11 | Defines the use of X11 forwarding over the SSH tunnel. |
Agent | Defines the use of ssh-agent over the SSH tunnel. Agent forwarding specifies that the chain of SSH connections forwards key challenges back to the original agent, removing the need for passwords or private keys on intermediate machines. |
Other | Provides a catch-all category. Any channel type not handled by another permission is handled here. If set to Disallow or Terminate, the following channel types are also affected (Disallowed or Terminated): Shell, Agent, X11, Local port forwarding, and Remote port forwarding.The Lang Env Tolerance setting only takes effect when Other is set to Disallow or Terminate. |
Creating an SSH virtual server with SSH proxy security
Attaching an SSH proxy security profile to an existing virtual server
You can add SSH proxy security to your SSH virtual server with SSH proxy profile.
Authenticating SSH proxy traffic
What SSH authentication methods are supported?
SSH security supports public key authentication, password authentication, and keyboard-interactive authentication.Keyboard-interactive authentication
Keyboard-interactive authentication is a more complex form of password authentication, aimed specifically at the human operator as a client. During keyboard authentication prompts or questions are presented to the user. The user answers each prompt or question. The number and contents of the questions are virtually unlimited, so certain types of automated logins are also possible.
SSH client components support keyboard authentication via the OnAuthenticationKeyboard event. The client application should fill in the Responses parameter of the mentioned event with replies to questions contained in the Prompts parameter. Use echo parameter to specify whether the response is displayed on the screen, or masked. The number of responses must match the number of prompts or questions.
Password authentication
Password authentication is the simplest authentication method. The user specifies a username and password. This authentication method requires only one set of credentials for the user.
Public key authentication
Public key authentication requires that both the SSH client and the SSH server must implement the security keys. With this method, each client must have a key pair generated using a supported encryption algorithm. When authentication occurs, the client sends a public key to the server. If the server finds the key in the list of allowed keys, the client encrypts data using the private key and sends the packet to the server with the public key.
Defining SSH proxy password or keyboard interactive authentication
Defining SSH proxy public key authentication
Authenticating SSH Proxy with the server private key
This task is optional and only applies if the SSH virtual server IP address to which you attach the SSH Proxy profile has the same IP address as the backend SSH server. Clients connect directly to the backend SSH server address via the SSH proxy in the middle.
Logging SSH Proxy actions
You can use a local logging profile and Proxy to secure SSH traffic on a virtual server, on a per-user basis. You do this by creating an SSH proxy profile and attaching it to a virtual server. You must also provide the server public and private keys for the encrypted traffic.
Creating a publisher to send log messages to the local Syslog database
Create and associate a logging profile for SSH proxy events
Example: Securing SSH traffic with the SSH Proxy
In this example, you create an SSH proxy configuration, create a virtual server for SSH traffic, and apply the SSH proxy to the virtual server. This example contains IP addresses and public and private keys that do not apply to your configuration, but are included for example purposes only.
In this configuration, password or keyboard interactive authentication is used, and the SSH proxy policy disallows SCP downloads and uploads, and terminates the tunnel connection on a REXEC command.