Applies To:
Show VersionsBIG-IP AFM
- 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0
SSH Proxy Security
Securing SSH traffic with the SSH Proxy
Why use SSH proxy?
Network attacks are increasingly less visible, cloaked in SSL and SSH channels. The SSH Proxy feature provides a means to combat attacks in the SSH channel by providing visibility into SSH traffic and control over the commands that the users are executing in SSH channel. Administrators can control access on a per-user basis to SSH and the commands that a user can use in SSH.
Challenges and problems that SSH proxy addresses
- Gives administrators visibility into user command activity in the SSH channel.
- Provides fine-grained control of SSH access commands on a per-user basis.
- Allows segmentation of access control for different users, allowing, for example, one user to download (but not upload) with SCP, while another user can upload and download with SCP. allowing SHELL access only to an administrator, and other examples.
- Control over SSH keep-alives that keep a session open indefinitely.
Features of SSH Proxy
- Policy based SSH control capability
- Fine-grained control of SSH access on a per-user basis
- Visibility and control of SSH connection
- By controlling the SSH commands and session, datacenter admin can prevent advanced attacks from entering the datacenter.
Current limits of SSH Proxy
- Supports SSH version 2.0 or above only
- SSH proxy is supported on a virtual server, not on a route domain or global context.
- SSH proxy auth key size is currently limited to 2K in this version.
- In this version, log profile configuration of SSH parameters is available only via tmsh.
- Elliptical Curve cypher (ECDHE) SSH keys are not supported for authentication in this version.
Using SSH Proxy
- An SSH proxy profile that defines actions for SSH channel commands
- A virtual server for the SSH server, configured for SSH traffic, and including the SSH proxy profile
- Authentication information for the SSH proxy
Task summary
Proxying SSH traffic with an SSH Proxy profile
SSH channel actions
In an SSH proxy profile, you can configure whether to allow, disallow, or terminate SSH channel actions.
Channel action | Description |
---|---|
Shell | Defines use of the shell command to open an SSH shell channel type. |
Sub System | Defines the use of the subsystem command, to invoke remote commands that are defined on the server over the SSH tunnel. |
SFTP Up | Defines the use of Secure File Transfer Protocol (sftp) to upload (put) files over the SSH tunnel. |
SFTP Down | Defines the use of Secure File Transfer Protocol (sftp) to download (get) files over the SSH tunnel. |
SCP Up | Defines the use of Secure Copy (scp) to copy files from a local directory to a remote directory over the SSH tunnel. |
SCP Down | Defines the use of Secure Copy (scp) to copy files from a remote directory to a local directory over the SSH tunnel. |
Rexec | Defines the use of rexec remote execution commands over the SSH tunnel. |
Forward Local | Defines the use of the -L to do local port forwarding over the SSH tunnel. |
Forward Remote | Defines the use of the -R to do remote port forwarding over the SSH tunnel. |
Forward X11 | Defines the use of X11 forwarding over the SSH tunnel. |
Agent | Defines the use of ssh-agent over the SSH tunnel. Agent forwarding specifies that the chain of SSH connections forwards key challenges back to the original agent, removing the need for passwords or private keys on intermediate machines. |
Creating an SSH virtual server with SSH proxy security
Attaching an SSH proxy security profile to an existing virtual server
You can add SSH proxy security to your SSH virtual server with SSH proxy profile.
Authenticating SSH proxy traffic
What SSH authentication methods are supported?
SSH security supports public key authentication, password authentication, and keyboard-interactive authentication.Public key authentication
Public key authentication requires that both the SSH client and the SSH server must implement the security keys. With this method, each client must have a key pair generated using a supported encryption algorithm. When authentication occurs, the client sends a public key to the server. If the server finds the key in the list of allowed keys, the client encrypts data using the private key and sends the packet to the server with the public key.
Password authentication
Password authentication is the simplest authentication method. The user specifies a username and password. This authentication method requires only one set of credentials for the user.
Keyboard-interactive authentication
Keyboard-interactive authentication is a more complex form of password authentication, aimed specifically at the human operator as a client. During keyboard authentication prompts or questions are presented to the user. The user answers each prompt or question. The number and contents of the questions are virtually unlimited, so certain types of automated logins are also possible.
SSH client components support keyboard authentication via the OnAuthenticationKeyboard event. The client application should fill in the Responses parameter of the mentioned event with replies to questions contained in the Prompts parameter. Use echo parameter to specify whether the response is displayed on the screen, or masked. The number of responses must match the number of prompts or questions.
Defining SSH proxy public key authentication
Defining SSH proxy password or keyboard interactive authentication
Authenticating SSH Proxy with the server private key
Creating a log publisher for SSH proxy events
Create and associate a logging profile for SSH proxy events
Associating a logging profile with a virtual server
Information related to traffic controlled by the security policy is logged using the logging profile or profiles specified in the virtual server.
Example: Securing SSH traffic with the SSH Proxy
In this example, you create an SSH proxy configuration, create a virtual server for SSH traffic, and apply the SSH proxy to the virtual server. This example contains IP addresses and public and private keys that do not apply to your configuration, but are included for example purposes only.
In this configuration, password or keyboard interactive authentication is used, and the SSH proxy policy disallows SCP downloads and uploads, and terminates the tunnel connection on a REXEC command.