labunix's blog

labunix's Lab Unix

Trying out enabling the SSH server on a Cisco 3750.

■Trying out enabling the SSH server on a Cisco 3750.

 Configuring switch-based authentication
 http://www.cisco.com/cisco/web/support/JP/docs/SW/LANSWT-Access/CAT3750SWT/CG/001/09_swauthen.html?bid=0900e4b18252964a#15494

■On models without K9 [C3750-IPSERVICES-M], the crypto commands are not present,
 so apparently this cannot be configured.

Switch>show version | include IOS
Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 12.2(55)SE10, RELEASE SOFTWARE (fc2)

■The Debian SSH server also uses a 1024-bit server key,
 and only SSH Version 2 is enabled.

$ lsb_release -d
Description:	Debian GNU/Linux 8.3 (jessie)

$ awk '/ServerKeyBits|Protocol/' /etc/ssh/sshd_config 
Protocol 2
ServerKeyBits 1024

■Cisco also recommends RSA keys of 1024 bits or more.
 Also specify SSHv2.
 ※The default key length is 512 bits.

enable
configure terminal
hostname c3750
ip domain-name localdomain
crypto key generate rsa
ip ssh version 2
end

■Messages shown while generating the RSA key

c3750(config)#crypto key generate rsa 
The name for the keys will be: c3750.localdomain
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

c3750#show ssh 
%No SSHv1 server connections running.
%No SSHv2 server connections running.

■Confirm that the SSH version is 2.0.

c3750#show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3

c3750#show ssh   
%No SSHv1 server connections running.
%No SSHv2 server connections running.

■Configure the IP address and routing

enable
configure terminal
interface vlan 1
  ip address 10.26.7.3 255.255.255.0
  no shutdown 
ip routing
ip route 0.0.0.0 0.0.0.0 10.26.7.2
end

■Check the VLAN configuration. Connect the LAN cable to Fa1/0/3.

c3750#show running-config interface vlan 1
Building configuration...

Current configuration : 59 bytes
!
interface Vlan1
 ip address 10.26.7.3 255.255.255.0
end

c3750#show interfaces summary | include \*  
 *: interface is up
* Vlan1                    0     0    0     0     0    0     0    0    0
* FastEthernet1/0/3        0     0    0     0     0    0     0    0    0
* Loopback0                0     0    0     0     0    0     0    0    0

c3750#show vlan brief | exclude unsup

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa1/0/3, Fa1/0/4, Fa1/0/5
                                                Fa1/0/6, Fa1/0/7, Fa1/0/8
                                                Fa1/0/9, Fa1/0/10, Fa1/0/11
                                                Fa1/0/12, Fa1/0/13, Fa1/0/14
                                                Fa1/0/15, Fa1/0/16, Fa1/0/17
                                                Fa1/0/18, Fa1/0/19, Fa1/0/20
                                                Fa1/0/21, Fa1/0/22, Fa1/0/23
                                                Fa1/0/24, Gi1/0/1, Gi1/0/2
100  VLAN0100                         active    Fa1/0/1

■With the above, the connection can be established.
 ※Since I replaced the SRX100H in the IX2015's NAT configuration, the IP address accessed below differs from the one above.

 Exposing the SRX100H behind the IX2015 to the management PC via NAT.
 http://labunix.hateblo.jp/entry/20160313/1457813843

$ ssh -v 172.16.16.253 2>&1 | tee test.log

$ awk '/remote|kex:|SSH2/' test.log 
debug1: Remote protocol version 2.0, remote software version Cisco-1.25
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-sha1 none
debug1: kex: client->server aes128-cbc hmac-sha1 none
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received

■Tie it to local authentication.
 For example, set a password for joe.

enable
configure terminal
username admin password 0 admin
service password-encryption
line vty 0 4
  transport input ssh
  login local
end

■Login check

$ ssh -v admin@172.16.16.253 2>&1 | tee test.log

$ tail -n 17 test.log 
debug1: Authentications that can continue: keyboard-interactive,password
debug1: Next authentication method: keyboard-interactive
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to 172.16.16.253 ([172.16.16.253]:22).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = ja_JP.UTF-8

c3750>exit
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 1 clearing O_NONBLOCK
Connection to 172.16.16.253 closed.
Transferred: sent 3024, received 1224 bytes, in 9.4 seconds
Bytes per second: sent 321.9, received 130.3
debug1: Exit status 0

■Once login succeeds, the active session can be seen.

c3750>show ssh 
%No SSHv1 server connections running.
Connection Version Mode Encryption  Hmac	 State	               Username
0          2.0     IN   aes128-cbc  hmac-sha1    Session started       admin
0          2.0     OUT  aes128-cbc  hmac-sha1    Session started       admin

■The SSH key exchange result (cipher and HMAC) is the same as what was seen in the client's debug mode.

$ awk '/kex:/' test.log
debug1: kex: server->client aes128-cbc hmac-sha1 none
debug1: kex: client->server aes128-cbc hmac-sha1 none
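As an added example (not code from the post), a small Python auditor that reads the same `ssh -v` lines used in the two checks above, the `Remote protocol version` line and the `kex:` lines, and flags a session that is not SSH 2.0 or that negotiated a CBC cipher or a SHA-1/MD5 MAC. The sample log is constructed from the lines shown on this page; the policy thresholds are my own assumptions.

```python
# Audit an `ssh -v` client log for protocol version and negotiated cipher/MAC.
import re

# Constructed sample: the relevant debug1 lines from the post's test.log.
SAMPLE_LOG = """\
debug1: Remote protocol version 2.0, remote software version Cisco-1.25
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-sha1 none
debug1: kex: client->server aes128-cbc hmac-sha1 none
debug1: Authentication succeeded (keyboard-interactive).
"""

VERSION_RE = re.compile(
    r"Remote protocol version (?P<proto>[\d.]+), remote software version (?P<sw>\S+)")
KEX_RE = re.compile(
    r"kex: (?P<dir>server->client|client->server) (?P<cipher>\S+) (?P<mac>\S+) (?P<comp>\S+)")
AUTH_RE = re.compile(r"Authentication succeeded \(([^)]+)\)")

def parse_ssh_log(text):
    """Return proto, remote software, per-direction (cipher, mac, comp) and auth method."""
    info = {"proto": None, "software": None, "kex": {}, "auth": None}
    for line in text.splitlines():
        m = VERSION_RE.search(line)
        if m:
            info["proto"], info["software"] = m.group("proto"), m.group("sw")
            continue
        m = KEX_RE.search(line)
        if m:
            info["kex"][m.group("dir")] = (m.group("cipher"), m.group("mac"), m.group("comp"))
            continue
        m = AUTH_RE.search(line)
        if m:
            info["auth"] = m.group(1)
    return info

def audit(info):
    """Assumed policy: require SSH 2.0; flag CBC ciphers and SHA-1/MD5 MACs."""
    findings = []
    if info["proto"] != "2.0":
        findings.append("protocol %s negotiated; require SSH version 2.0" % info["proto"])
    for direction, (cipher, mac, _comp) in info["kex"].items():
        if cipher.endswith("-cbc"):
            findings.append("%s: CBC cipher %s (off by default in modern OpenSSH)" % (direction, cipher))
        if mac in ("hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96"):
            findings.append("%s: legacy MAC %s (prefer hmac-sha2-*)" % (direction, mac))
    return findings
```

Run it on the real test.log with `audit(parse_ssh_log(open("test.log").read()))`; for the session on this page it reports the CBC cipher and hmac-sha1 in both directions, which is the state of the switch's defaults, not a connection failure.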

■Finally, save the configuration.
 I usually just use write memory, but here I follow Cisco's documented procedure.

c3750#copy running-config startup-config
Destination filename [startup-config]? 
Building configuration...
[OK]
0 bytes copied in 1.300 secs (0 bytes/sec)