WeOSSecure Shell (SSH)
Introduction
Secure Shell (SSH) is a widely used protocol for establishing a secure channel over a public network. An SSH service is enabled by default in all products to allow safe remote login and access to the command line interface. The service defaults to listening on Internet port 22 for incoming connections, on all interfaces.
All products also come with an SSH client, which can be used to log in to other devices. Useful when debugging remote systems which do not have routing set up or cannot be connected to otherwise. This is sometimes referred to as using a device as a “hop server”.
Connecting to a Device
To connect to the SSH service you need an SSH client. There are many options available, one of the most useful is the freely available PuTTY client on Windows, which also supports serial console connection. But like Linux and other UNIX systems, Windows 10 today ships with the OpenSSH client ssh, which is a command line program. In the examples below a Linux host with the ssh client is used.
Connecting can be done to the assigned DNS name, the advertised mDNS name, or using the IP address of the remote device:
operator@example:~$ ssh admin@weos.local
admin@weos.local's password: *******
Enter the password associated with the admin account and the next text
displayed is the remote system’s message of the day (MOTD) and the CLI
prompt. Use logout, exit, or Ctrl-D to log out and disconnect.
Note: The first time connecting to a device from a specific host, the SSH client will respond with a warning (similar to):
The authenticity of host 'weos.local (192.168.122.89)' can't be established.
ECDSA key fingerprint is SHA256:lhQjYbBcWVZY2Zqmm1HizFx0M2opgTsBFNXmja161KE.
Are you sure you want to continue connecting (yes/no)?
Answering yes saves the public key of the remote device into a local database (known_hosts) and associates it with the IP address and port (TCP port 22 unless otherwise specified) used to connect. This key is verified every time you connect to the same address and port.
The warning text above comes from OpenSSH. Other SSH implementations may have differently worded warning messages. You may also receive a warning about a possible “man-in-the-middle” attack, which usually occurs when the same address is being used with another device. See the Troubleshooting section for more details.
Connect from a Device
The built-in SSH client can be used to connect to other devices in a network. A typical use case is to access devices in a private network where only a gateway device is publicly accessible. An operator can SSH into the gateway device and from there initiate another SSH connection to the private part of the topology.
To initiate an SSH connection from the CLI, use the ssh command from
the top-level admin-exec context:
admin@example:/#> ssh admin@192.168.122.1:222
The admin@ part can be changed to a different login name or left out
completely if the username on the target device is the same as then one logged
in on the originating device. The :222 part designates the port number, can
also be separated by a space, e.g. admin@192.168.122.1 222. It can be left
out if the standard port (22) is used, this depends on the configuration of the
SSH service of the target device. The IP address can also be replaced with a
domain name.
The warning messages regarding an new untrusted host is similar to that displayed by OpenSSH:
Host '192.168.122.1' is not in the trusted hosts file.
(ecdsa-sha2-nistp256 fingerprint md5 d7:17:86:c7:69:fc:dd:16:f4:4a:62:55:eb:47:6f:43)
Do you want to continue connecting? (y/n)
The warning message for a changed host key (possible eavesdropping) is also similar to that displayed by OpenSSH:
WARNING: Host key mismatch for 192.168.122.1!
Fingerprint is md5 d7:17:86:c7:69:fc:dd:16:f4:4a:62:55:eb:47:6f:43
Expected md5 bd:3d:e5:f3:49:24:98:14:22:28:9d:92:0a:12:48:3d
Continue anyway (y/N)?
Typing y here allows the connection to proceed.
Syntax
As mentioned above, the ssh command is used directly in the top-level
admin-exec context.
admin@example:/#>
Two main formats are supported for the command, where they essentially just differ in how the user is specified.
ssh [user USER] [force ipv4|ipv6] HOST[:PORT| PORT]-
Secure shell login to another host.
This command can be used to log in to another host using the SSH protocol.
As mentioned, the only difference in this format is that the user is provided using the
useroption, which is a separate option instead of being part of the host specification using theUSER@HOSTformat.Only one user specification
A user cannot be specified both by the
useroption and by using theUSER@syntax. This will result in an error.Example Connecting to a device as user
admin:admin@example:/#> ssh user admin 192.168.1.1
admin@example:/#> ssh user admin 2001:db8::1
admin@example:/#> ssh user admin myhost
Special case when you want to connect to a device on an IPv6 link-local address, you need to specify the interface as well, e.g.
vlan1:admin@example:/#> ssh user admin fe80::1%vlan1
Connecting to a device as user
adminon a specific port, e.g. port 2222:admin@example:/#> ssh user admin 192.168.1.1:2222
admin@example:/#> ssh user admin [2001:db8::1]:2222
admin@example:/#> ssh user admin myhost:2222
Using the
forceoption to force the use of either IPv4 or IPv6 addresses only:admin@example:/#> ssh force ipv4 user admin myhost
admin@example:/#> ssh force ipv6 user admin myhost
User specification
Again, all of these example commands can also be executed using the
USER@HOSTformat, while omitting theuseroption.- user
- The user to log in as. If not specified, the current user is used,
e.g. if the user is
adminon the device, then the useradminis used to log in to the remote host. - force ipv4|ipv6
- Force the use of either IPv4 or IPv6 addresses only. This is useful when the host has both IPv4 and IPv6 addresses, but you want to connect using only one of them.
- HOST
- Should be a valid IPv4 or IPv6 address, or a valid FQDN (Fully Qualified Domain Name).
- PORT
- Optional port number, defaults to 22 if not specified. If a port
is specified, it can be separated by a colon
:or a space.
ssh [force ipv4|ipv6] [USER@]HOST[:PORT| PORT]-
As mentioned, the only difference when using this format, i.e. using the
user@hostformat, is how the user is specified. Other than that, the command behaves the same as the previous format.Therefore, see the previous section for more details on how to use the command.
Example Connecting to a device as user
admin:admin@example:/#> ssh admin@192.168.1.1
admin@example:/#> ssh admin@2001:db8::1
admin@example:/#> ssh admin@myhost
Managing SSH host keys
Two types of SSH host keys are generated the first time a system starts. One or more of these keys can persistently be re-generated or exchanged using import.
Supported key types:
- rsa
- ecdsa
Example of how to generate a new 4096-bit RSA ssh key.
example:/#> ssh-host-key generate rsa size 4096
Example of how to export the existing ECDSA ssh key as base64 encoded text.
example:/#> ssh-host-key export ecdsa
Example of how to import a base64 encoded ECDSA ssh key.
example:/#> ssh-host-key import ecdsa
Generate a SSH host keys on a Linux PC
The underlying SSH host key is in Dropbear format. This means a new key must be generated using the dropbearkey program. The result of this is a binary key which needs to be base64 encoded prior to import.
Example of how to do this from a PC running Ubuntu Linux.
ubuntu:/#> dropbearkey -t rsa -s 4096 -f new_key ubuntu:/#> base64 new_key
The printed key can then be copy-paste imported using.
example:/#> ssh-host-key import rsa
Configuration
The SSH service can be configured in several ways:
- It can be deactivated
- It can be restricted to a subset of available interfaces
- The port number can be changed
- Keepalive can be tuned or disabled
- Idle timeout can be configured or disabled
- Fail delay can be changed.
- An optional pre-login banner can be configured.
Warning
Changing the SSH configuration while connected to the device via SSH is risky. If possible, use an alternative management front-end, e.g. the WebUI.
The SSH service is available from the management configuration context in the CLI:
example:/#> configure example:/config/#> management example:/config/management/#> ssh example:/config/management/ssh/#>
[no] enable-
Enable/disable the SSH server. The rest of the configuration is however, saved for when you re-enable the service again.
The ssh service configuration can be completely reset from the parent
managementconfiguration context usingno ssh.Warning
Secure copy (SCP) relies on the SSH service. If SSH is deactivated, it will not be possible for a remote host or device to use scp to copy files to or from this device.
- no
- Disable SSH service completely
[no] listen IFNAME[,IFNAME]-
Interfaces on which to allow SSH connections.
To restrict SSH to only listen on interfaces vlan1 and vlan2:
listen vlan1 vlan2
To listen on all interfaces again (default):
no listen
[no] port PORT-
By default, SSH listens on TCP port 22. SSH clients connect to this port unless another port is specified.
Note
To connect to an SSH server listening to a non-standard port, the port has to be specified when connecting. For example:
foo@localhost$ ssh admin@192.168.122.89 -p 222
[no] keepalive SEC-
By default, a 60 second keepalive is enabled for SSH connections. Meaning, the server and client exchange control messages every 60 seconds, which has two purposes:
- Prevent firewalls and routers from closing the connection if there is no data sent over it for a long time
- Detect a loss of connection
- no
- Disable keepalive messages
- SEC
- Interval in seconds between keepalive probes, default: 60 sec
[no] idle-timeout SEC-
This setting is used to automatically disconnect an SSH connection when the connecting user has not been active for a while.
Keepalive probes should not be counted as user activity, however this is a non-standardized area, subject to implementation differences in both the SSH server and client. It is possible the two mechanisms (keepalive and idle timeout) will interfere with each other if both are enabled.
- no
- Disable idle-timeout completely
- SEC
- Number of seconds (of idle activity) until connection times out
[no] fail-delay SEC-
Set a delay to SEC seconds occurring after a failed login attempt.
The effective delay is not constant but each time randomly generated from a pseudo Gaussian distribution with mean = SEC + 300ms and standard deviation = SEC/6. The effective delay does not exceed +-50% of SEC around the mean. Example: When selected delay SEC = 3s then mean = 3.3s, std. deviation = 0.5s, min = 1.8s, max = 4.8s.
- no
- Set default value.
- SEC
- Fail delay in seconds
[no] external-access-
Configure access to secure shell copy (scp) to the device initiated from a remote host.
If enabled, it is possible to transfer file(s) between a remote host and WeOS device, when the transfer is initiated from the remote host.
It is always possible to transfer files when the transfer initiated from WeOS device.
Default: Disabled
- no
- Disable external access.
Warning
It is highly discouraged to have this setting persistently enabled. This function allows very permissive file access to the device remotely.
[no] login-banner [MESSAGE]-
Configure a banner to be displayed on the ssh console login.
This is a banner that will be displayed on the ssh console login, before the user has logged in to the device.
Tip
For additional general information regarding pre-login banner, refer to the section on Pre-Login Banner on the Management Web configuration page.
Default:
no login-banner(Disabled)Configuration Example A pre-login banner message can be configured in the following manner:
example:/config/management/ssh/#> login-banner “This is a message.\n\nThis is displayed on a new line.”
The overview
showcommand will try and display the message as it would be when considering the escape characters:example:/config/management/ssh/#> show […]
Login Banner ▏This is a message. ▕ ▏ ▕ ▏This is displayed on a new line. ▕ ▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔To see how the raw message that was configured the specific
show login-bannercommand can be used:example:/config/management/ssh/#> show login-banner “This is a message.\n\nThis is displayed on a new line.”
Login Example This is how the message would be displayed when trying to access the device over a SSH connection:
operator@example:~$ ssh admin@192.168.1.1 This is a message.
This is displayed on a new line. admin@192.168.1.1’s password:- no
- Remove any configured login-banner and disable it.
- MESSAGE
-
Free-form message, remember to enclose the message like this
"MESSAGE"or'MESSAGE'.When writing the message certain escape characters can also be included:
\a=> BELL\b=> Backspace\t=> Horizontal TAB\n=> New line\v=> Vertical TAB\f=> Form Feed\r=> Carriage Return\\=> \
Note
The following options can only be configured via a Console session. It is highly discouraged to have this setting persistently enabled. This function should only be used when specific troubleshooting is needed.
[no] shell-access-
Manage remote shell access configuration.
This command will open a sub-context where the remote shell access configuration is managed.
- no
- Disable remote shell access
example:/#> configure example:/config/#> management example:/config/management/#> ssh example:/config/management/ssh/#> shell-access example:/config/management/ssh/shell-access#>
[no] enable-
Enable or disable ‘shell’ access from remote SSH connections
- no
- disable ‘shell’ access from remote SSH connections (default)
[no] audit-log [interval [VALUE] [seconds|minutes|hours|days]]-
Enable or disable continuous audit log event when remote shell access is enabled. The continuous audit log event will log a message to the audit log every set interval.
Default: Enabled with 30 minutes interval.
- interval [VALUE] seconds|minutes|hours|days
-
Configure the time interval for logging audit-log messages.
- no
- disable continuous audit log
[no] warning-
Enable or disable the persistent warning when remote shell access is enabled.
- no
- disable persistent warning
Troubleshooting
Occasionally when initiating an SSH connection, you may get a warning like this:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:lhQjYbBcWVZY2Zqmm1HizFx0M2opgTsBFNXmja161KE.
Please contact your system administrator.
Add correct host key in /home/foo/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/foo/.ssh/known_hosts:58
remove with:
ssh-keygen -f "/home/foo/.ssh/known_hosts" -R 192.168.122.89
ECDSA host key for 192.168.122.89 has changed and you have requested strict checking.
Host key verification failed.
The warning is displayed when the local SSH client tries to look up the SSH server’s public key in the known_hosts database and finds a different key associated with the same IP address + port combination.
This happens for example when:
- The device running WeOS is replaced with another device while the same IP address is retained.
- The IP address is changed to one which was previously associated with a different physical device.
- A factory reset is performed on the WeOS device. This will cause a new key to be generated when the device is restarted.
In any of these valid cases, the solution is to remove the invalid database entry casusing the warning. The command to run was printed as part of the the warning message:
operator@example:~$ ssh-keygen -f "/home/foo/.ssh/known_hosts" -R 192.168.122.89
If none of the above valid reasons for a mismatch in the “IP address to host key” relation applies, it is possible you are the target of a man-in-the-middle attack where someone is trying to intercept the communication with the WeOS device.
If so, do not invalidate the database entry as explained above. Instead take appropriate action to report the incident and secure communication.