SSH management interface

The appliance offers an SSH management interface that provides remote access to the command-line interface (CLI) over an SSH session.

All administrative users with access to the local management interface can also access the SSH management interface.

In addition to the in-built admin user, this access includes all administrative users in:
  1. The local management interface user registry.

    See Managing users and groups.

  2. A configured remote LDAP user registry.

    See Configuring management authentication.

A customizable access banner can be presented on the local management interface login page. Use the Login Screen Header and Login Screen Message properties on the Administrator Settings page to set the access banner content.

Tuning the Verify Identity Access SSH Server

Administrators can configure the SSH Server process from the Administrator Settings page and the advanced tuning parameters table. The following table lists the supported advanced tuning parameters for the SSH server.
Table 1. Supported SSH Server Advanced Tuning Parameters

| Parameter | Description | Values |
| --- | --- | --- |
| sshd.enabled | Enable or disable the SSH Server process on a Verify Identity Access deployment. | true, false |
| sshd.disable.admin | Disable SSH access for the built-in admin user. | true, false |
| sshd.ciphers | A comma-separated list of SSL ciphers that are permitted for TLS end-to-end encryption. | aes128-ctr,aes192-ctr,aes256-ctr |
| sys.sshd.bind_to_all_interfaces | Allow the SSH Server process to bind to all configured interfaces. By default, only management interfaces listen for SSH connections. | true, false |
| sshd.KexAlgorithms | A comma-separated list of algorithms that are permitted for Key Exchange. | curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1 |
| sshd.PasswordAuthentication | Disable password authentication to Verify Identity Access. Administrators are able to configure certificate-based authentication to still permit access to the SSH CLI when password-based authentication is disabled. | yes, no |
| sshd.ClientAliveInterval | The interval (in seconds) that connections to the SSH server are permitted to remain idle before they are closed. | 1 - 86400 |
| sshd.HostKeyAlgorithms | A comma-separated list of algorithms that are permitted for TLS key exchange. | ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa |
| sshd.macs | A comma-separated list of message authentication codes that are permitted by the SSH server. | hmac-sha1 |
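
The following review script is an added example, not code from the product or its documentation. It checks a set of advanced tuning parameter values, using the parameter and algorithm names from Table 1, for SHA-1 based algorithms, out-of-range values, and exposure beyond the management interfaces. The review rules, the sample values, and the reading of "yes" for sshd.PasswordAuthentication as "passwords accepted" are assumptions of the example.

```python
# Added example, not product code. Parameter and algorithm names come from
# Table 1; the review rules and SAMPLE are assumptions of this example.
LIST_PARAMS = ("sshd.KexAlgorithms", "sshd.HostKeyAlgorithms", "sshd.macs")
BOOL_PARAMS = ("sshd.enabled", "sshd.disable.admin",
               "sys.sshd.bind_to_all_interfaces")

def is_sha1_based(algorithm):
    """True for algorithms that depend on SHA-1."""
    base = algorithm.split("@")[0]
    # ssh-rsa and its certificate form sign with SHA-1; the rest say so by name.
    return "sha1" in base or base in ("ssh-rsa", "ssh-rsa-cert-v01")

def audit(settings):
    """Return (parameter, finding) tuples for values that deserve review."""
    findings = []
    for param in LIST_PARAMS:
        algorithms = [a.strip() for a in settings.get(param, "").split(",")]
        for alg in filter(None, algorithms):
            if is_sha1_based(alg):
                findings.append((param, f"SHA-1 based algorithm permitted: {alg}"))
    for param in BOOL_PARAMS:
        if settings.get(param, "true") not in ("true", "false"):
            findings.append((param, f"expected true or false: {settings[param]!r}"))
    if settings.get("sys.sshd.bind_to_all_interfaces") == "true":
        findings.append(("sys.sshd.bind_to_all_interfaces",
                         "SSH listens on all interfaces, not only management"))
    # Assumption: "yes" means password logins are accepted, as in OpenSSH.
    if settings.get("sshd.PasswordAuthentication") == "yes":
        findings.append(("sshd.PasswordAuthentication", "password logins accepted"))
    interval = settings.get("sshd.ClientAliveInterval")
    if interval is not None and not (interval.isdigit()
                                     and 1 <= int(interval) <= 86400):
        findings.append(("sshd.ClientAliveInterval",
                         f"{interval!r} is outside the documented range 1 - 86400"))
    return findings

# Constructed sample values, not an export from a real appliance.
SAMPLE = {
    "sshd.enabled": "true",
    "sys.sshd.bind_to_all_interfaces": "true",
    "sshd.KexAlgorithms": "curve25519-sha256,diffie-hellman-group14-sha1",
    "sshd.HostKeyAlgorithms": "ssh-ed25519,rsa-sha2-512,ssh-rsa",
    "sshd.macs": "hmac-sha1",
    "sshd.ClientAliveInterval": "0",
}

if __name__ == "__main__":
    for param, finding in audit(SAMPLE):
        print(f"{param}: {finding}")
```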

Password-based authentication

Password-based authentication is enabled by default. It can be disabled by setting SSH Password Authentication to false in the Administrator Settings. See Configuring administrator settings.

SSH key authentication

Administrative users can also authenticate to the SSH management interface with SSH keys rather than passwords.

The process for managing SSH keys differs depending on the type of user.
Managing SSH keys for local management interface users
  1. While authenticated to the local management interface, click the User button in the page header.
  2. Select Manage SSH Keys.
    The Manage SSH Keys dialog is displayed. This dialog can be used to add or remove SSH keys.
    To add an SSH Key
    1. On the Manage SSH Keys dialog, click Add. The Add SSH Key dialog is displayed.
    2. Enter a name for identifying the SSH Key in the Name field, and enter the SSH public key content into the SSH Key field.
    3. Click Add to add the key.
    4. Deploy the pending changes.
    The SSH Key can now be used to authenticate to the SSH management interface.
    To remove an SSH key
    1. On the Manage SSH Keys dialog, select the SSH Key to remove.
    2. Click Delete. A confirmation dialog is displayed confirming the name of the SSH Key to be deleted.
    3. Click OK.
    4. Deploy the pending changes.
Managing SSH keys for the in-built admin user
SSH Keys for the in-built admin user can be managed by using the same process as other local management interface users.
In addition, the Administrator SSH Keys parameter on the Administrator Settings page can be used to display the Manage SSH Keys dialog for the in-built admin user.
  1. Go to the Administrator Settings page.
  2. Locate and select the Administrator SSH Keys parameter.
  3. Click Edit. The Manage SSH Keys dialog is displayed. Refer to the procedures To add an SSH key and To remove an SSH key for usage of the Manage SSH Keys dialog.
Managing SSH Keys for external LDAP user registry users
For administrative users that are stored on an external LDAP user registry, the keys cannot be managed from the local management interface. SSH Key data is stored and managed manually on the user registry.

The Management Authentication page provides a field that can be used to specify the name of an attribute that contains SSH Keys. See Configuring management authentication.
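
Whether a key is pasted into the SSH Key field of the Add SSH Key dialog or written by hand into the LDAP attribute, it helps to check the value first and record its fingerprint. The following is an added example, not product code. It assumes the key content is a one-line OpenSSH public key (type, base64 blob, optional comment), which the page does not state; the sample key is constructed and is not a usable key.

```python
# Added example, not product code. Assumes OpenSSH one-line public key format.
import base64
import hashlib
import struct

def read_string(blob, offset):
    """Read one length-prefixed string from an SSH wire-format blob."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end

def inspect_public_key(line):
    """Validate a public key line and return its type, fingerprint, comment."""
    line = line.strip()
    if line.startswith("-----BEGIN"):
        raise ValueError("this looks like a PEM or private key, not a public key line")
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared, encoded = parts[0], parts[1]
    blob = base64.b64decode(encoded, validate=True)  # raises ValueError if invalid
    embedded, _ = read_string(blob, 0)
    if embedded.decode("ascii", "replace") != declared:
        raise ValueError("declared key type does not match the type inside the blob")
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    comment = parts[2] if len(parts) > 2 else ""
    return {"type": declared, "fingerprint": fingerprint, "comment": comment}

def constructed_sample_line():
    """Build a well-formed ssh-ed25519 line from placeholder bytes."""
    fields = (b"ssh-ed25519", bytes(range(32)))  # placeholder, not a real key
    blob = b"".join(struct.pack(">I", len(f)) + f for f in fields)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " alice@example (constructed)"

if __name__ == "__main__":
    print(inspect_public_key(constructed_sample_line()))
```

The fingerprint is in the `SHA256:` form that `ssh-keygen -lf` prints, so it can be compared with the key owner's copy before the key is deployed.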