■ Trying to enable the SSH server on a Cisco 3750.

Configuring switch-based authentication (Cisco documentation):
http://www.cisco.com/cisco/web/support/JP/docs/SW/LANSWT-Access/CAT3750SWT/CG/001/09_swauthen.html?bid=0900e4b18252964a#15494

■ On the model without K9 [C3750-IPSERVICES-M] there are no crypto commands, so apparently this cannot be configured. The image here is the K9 one:

Switch>show version | include IOS
Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 12.2(55)SE10, RELEASE SOFTWARE (fc2)

■ On Debian's SSH server, too, the server key is 1024 bits and only SSH version 2 is allowed.

$ lsb_release -d
Description:    Debian GNU/Linux 8.3 (jessie)
$ awk '/ServerKeyBits|Protocol/' /etc/ssh/sshd_config
Protocol 2
ServerKeyBits 1024

■ Cisco also recommends an RSA key of 1024 bits or more. Specify SSHv2 as well.
Note: the default key length is 512 bits.

enable
configure terminal
hostname c3750
ip domain-name localdomain
crypto key generate rsa
ip ssh version 2
end

■ Messages shown during RSA key generation

c3750(config)#crypto key generate rsa
The name for the keys will be: c3750.localdomain
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

c3750#show ssh
%No SSHv1 server connections running.
%No SSHv2 server connections running.

■ Confirm that the SSH version is 2.0.

c3750#show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
c3750#show ssh
%No SSHv1 server connections running.
%No SSHv2 server connections running.

■ Configure the IP address and routing

enable
configure terminal
interface vlan 1
ip address 10.26.7.3 255.255.255.0
no shutdown
ip routing
ip route 0.0.0.0 0.0.0.0 10.26.7.2
end

■ Check the VLAN configuration. A LAN cable is connected to Fa1/0/3.

c3750#show running-config interface vlan 1
Building configuration...

Current configuration : 59 bytes
!
interface Vlan1
 ip address 10.26.7.3 255.255.255.0
end

c3750#show interfaces summary | include \*
 *: interface is up
* Vlan1             0     0     0     0     0     0     0     0     0
* FastEthernet1/0/3 0     0     0     0     0     0     0     0     0
* Loopback0         0     0     0     0     0     0     0     0     0

c3750#show vlan brief | exclude unsup
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa1/0/3, Fa1/0/4, Fa1/0/5
                                                Fa1/0/6, Fa1/0/7, Fa1/0/8
                                                Fa1/0/9, Fa1/0/10, Fa1/0/11
                                                Fa1/0/12, Fa1/0/13, Fa1/0/14
                                                Fa1/0/15, Fa1/0/16, Fa1/0/17
                                                Fa1/0/18, Fa1/0/19, Fa1/0/20
                                                Fa1/0/21, Fa1/0/22, Fa1/0/23
                                                Fa1/0/24, Gi1/0/1, Gi1/0/2
100  VLAN0100                         active    Fa1/0/1

■ With the above, a connection can already be made.
Note: the SRX100H in the IX2015's NAT configuration was replaced, so the destination IP address differs from the one above.
Publishing the SRX100H behind the IX2015 to the management PC via NAT:
http://labunix.hateblo.jp/entry/20160313/1457813843

$ ssh -v 172.16.16.253 2>&1 | tee test.log
$ awk '/remote|kex:|SSH2/' test.log
debug1: Remote protocol version 2.0, remote software version Cisco-1.25
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-sha1 none
debug1: kex: client->server aes128-cbc hmac-sha1 none
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received

■ Tie SSH to local authentication. For example, set a password for joe.

enable
configure terminal
username admin password 0 admin
service password-encryption
line vty 0 4
transport input ssh
login local
end

■ Login check

$ ssh -v admin@172.16.16.253 2>&1 | tee test.log
$ tail -n 17 test.log
debug1: Authentications that can continue: keyboard-interactive,password
debug1: Next authentication method: keyboard-interactive
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to 172.16.16.253 ([172.16.16.253]:22).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = ja_JP.UTF-8
c3750>exit
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 1 clearing O_NONBLOCK
Connection to 172.16.16.253 closed.
Transferred: sent 3024, received 1224 bytes, in 9.4 seconds
Bytes per second: sent 321.9, received 130.3
debug1: Exit status 0

■ After a successful login, the active session can be seen on the switch.

c3750>show ssh
%No SSHv1 server connections running.
Connection Version Mode Encryption  Hmac         State                 Username
0          2.0     IN   aes128-cbc  hmac-sha1    Session started       admin
0          2.0     OUT  aes128-cbc  hmac-sha1    Session started       admin

■ The SSH cipher and HMAC shown here are the same ones seen in the client's debug output.

$ awk '/kex:/' test.log
debug1: kex: server->client aes128-cbc hmac-sha1 none
debug1: kex: client->server aes128-cbc hmac-sha1 none

■ Finally, save the configuration.
I usually just use write memory, but here it is done the way Cisco's procedure describes.

c3750#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
0 bytes copied in 1.300 secs (0 bytes/sec)
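As an added check (example code written for this post, not the author's or Cisco's), the script below does what the awk filters above do by hand: it parses `ssh -v` output for the remote protocol version, the server banner, the cipher/HMAC negotiated in each direction and the authentication result, then flags anything other than protocol 2.0, any CBC-mode cipher (aes128-cbc here; current OpenSSH clients no longer offer CBC by default), and a missing successful login. The sample log is constructed from the debug1 lines quoted in the post.

```python
import re

# Constructed sample: debug1 lines quoted in the post (not a capture of my own)
SAMPLE_LOG = """\
debug1: Remote protocol version 2.0, remote software version Cisco-1.25
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-sha1 none
debug1: kex: client->server aes128-cbc hmac-sha1 none
debug1: Authentications that can continue: keyboard-interactive,password
debug1: Next authentication method: keyboard-interactive
debug1: Authentication succeeded (keyboard-interactive).
"""

REMOTE_RE = re.compile(r"Remote protocol version ([\d.]+), remote software version (\S+)")
KEX_RE = re.compile(r"kex: (server->client|client->server) (\S+) (\S+) (\S+)")
AUTH_RE = re.compile(r"Authentication succeeded \((\S+)\)")

def analyze_ssh_debug(log):
    """Extract protocol, banner, negotiated algorithms and auth outcome from ssh -v output."""
    result = {"protocol": None, "software": None, "kex": {}, "auth": None, "findings": []}
    for line in log.splitlines():
        m = REMOTE_RE.search(line)
        if m:
            result["protocol"], result["software"] = m.group(1), m.group(2)
        m = KEX_RE.search(line)
        if m:
            direction, cipher, mac, comp = m.groups()
            result["kex"][direction] = {"cipher": cipher, "mac": mac, "compression": comp}
        m = AUTH_RE.search(line)
        if m:
            result["auth"] = m.group(1)
    # Check 1: the switch was configured with "ip ssh version 2", so expect 2.0
    if result["protocol"] != "2.0":
        result["findings"].append("protocol is %s, expected 2.0" % result["protocol"])
    # Check 2: CBC-mode ciphers are no longer in current OpenSSH client defaults;
    # report each direction that negotiated one so it is not overlooked
    for direction, algs in sorted(result["kex"].items()):
        if algs["cipher"].endswith("-cbc"):
            result["findings"].append("%s negotiated CBC cipher %s" % (direction, algs["cipher"]))
    # Check 3: the login check must actually have succeeded
    if result["auth"] is None:
        result["findings"].append("no successful authentication seen")
    return result

if __name__ == "__main__":
    for finding in analyze_ssh_debug(SAMPLE_LOG)["findings"]:
        print("FINDING:", finding)
```

Run it against `test.log` from the post by reading the file into `analyze_ssh_debug` instead of `SAMPLE_LOG`.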