Remote access

This chapter describes how to configure remote access using Telnet and SSH.

Turbo Router can be remotely configured as it implements both Telnet and SSH servers. It also implements Telnet and SSH clients.

Remote access context

Remote access parameters can be configured in the gen context.

router{conf:myconfig}gen
router{conf:myconfig-gen}

Displaying Telnet and SSH configuration

To display the current configuration of Telnet and SSH services, use the command below:

router{conf:myconfig}display gen

Showing Telnet and SSH status

show commands display information about the current status of Turbo Router software. The displayed information is retrieved from the system, unlike display commands that display only configuration information.

The show service command displays the current status of Turbo Router services, including Telnet and SSH.

Example

router{}show service
Service  SSH             is active
Service  TELNET          is active
Service  HTTP            is inactive
Service  IP Forwarding   is active
Service  IPv6 Forwarding is active
Service  NAT             is inactive
Service  DNS-PROXY       is inactive
Service  FILTER          is inactive
Service  RIP             is inactive
Service  RIPng           is inactive
Service  OSPFv2          is inactive
Service  OSPFv3          is inactive
Service  BGP             is inactive
Service  ISIS            is inactive
Service  DHCPSERVER      is active
Service  DHCP            is inactive
Service  DHCP RELAY      is inactive
Service  NTP             is active
Service  CRON            is inactive

Telnet support

Telnet server

Turbo Router implements a Telnet server. This service allows IPv4 and IPv6 hosts to connect to Turbo Router with a standard Telnet application.

To enable or disable the Telnet service, use the following command in the gen context:

router{conf:myconfig-gen}telnet enable|disable

For security reasons, the Telnet service is disabled by default.

Using Telnet client

Turbo Router implements a Telnet client. To log into an IPv4 or an IPv6 host respectively, use the telnet and telnet6 commands from the root context of the CLI.

router{}telnet HOSTNAME|A.B.C.D
router{}telnet6 HOSTNAME|X:X::X:X

SSH support

Overview

Secure Shell (SSH) is a protocol that provides a secure connection to a remote host.

The SSH server running on a Turbo Router enables an SSH client to make a secure encrypted connection to the equipment. This connection is similar to an inbound Telnet connection. The SSH server in Turbo Router will work with standard free or commercial SSH clients. The SSH server supports the SSH-2 protocol.

Additionally, Turbo Router features an SSH client that can communicate with a remote SSH server to import or export files, or to log in to a remote SSH server. The SSH client supports both SSH-1 and SSH-2 protocols.

Supported applications

Remote shell: ssh login (SSH login client application).

Secure file transfer: using import and export commands via the SCP protocol.

Supported authentication methods

Two authentication methods are supported by the 6WIND implementation:

  • public key authentication with key pairs,
  • password authentication.

Note

If the first authentication method fails, the user is prompted for a password. Since all communications are encrypted, the password cannot be read by someone sniffing the network.

SSH connection establishment – overview

The SSH protocol uses public key authentication on the SSH server and client.

  • The SSH server:
    • is configured with an SSH host key pair, which authenticates the equipment,
    • maintains a database of client public keys (a.k.a. authorized keys) and passwords, used to authenticate remote clients connecting to local accounts.
  • The SSH client:
    • is configured with an SSH user key pair, which authenticates the user when it connects to remote accounts,
    • maintains a database of known hosts, that is to say a database associating SSH server addresses (or DNS names) to their public keys.

SSH connection establishment

An SSH connection establishment takes place as follows:

  1. Connection Request: the SSH client sends a connection request to the remote SSH server.

  2. Server authentication: the SSH server replies and authenticates itself with its SSH host key pair.

    The SSH client consults the local database of known hosts.

    If the server identity (IP address or DNS name) is found, and the associated public key is the same as the one sent by the server, the server is considered authentic and the authentication can continue.

    If the server identity (IP address or DNS name) is found but the associated public key differs from the one sent by the server, either the server key pair has changed or the responding equipment is trying to spoof the SSH server identity. Hence the user gets a warning message and the connection fails.

    If the server identity (IP address or DNS name) is not found in the database, the client application asks the user whether to accept the public key sent by the responding equipment as proof of the SSH server’s identity. If the user accepts, the known hosts database is updated with this key, and the authentication can continue.

    The SSH client verifies the server’s signature. If it is valid, the connection continues.

  3. Client authentication: the SSH client requests a connection to a remote account on the SSH server. It authenticates itself to the SSH server, with its client key pair.

    The SSH server consults the database of public keys that are granted access to this account (authorized keys).

    • If the public key is found, the public key authentication can continue: the SSH server verifies the client signature. If it is valid, the SSH connection is established.
    • If the public key is not found or the authentication fails, the SSH client then tries login/password authentication. The client application prompts the user for a password. If the SSH server accepts password authentication and if the password provided by the user is the right one, the SSH connection is established. Else the SSH connection fails.

SSH server

The SSH service is controlled in configurations. The SSH server is started or stopped when applying a configuration.

However, private and public keys are managed at the CLI root level.

Enabling or disabling the SSH server

To enable or disable the SSH server, use the following command in the gen context of a configuration:

router{conf:myconfig-gen}ssh enable|disable

Managing SSH server host key pairs

To generate the SSH server host key pairs for all supported cryptographic algorithms:

router{}ssh host-key all

It is also possible to generate the SSH server host key pairs for a specific cryptographic algorithm:

router{}ssh host-key (dsa|ecdsa|ed25519|rsa|all)

Examples

Generate an RSA host key pair:

router{}ssh host-key rsa
Generating public/private rsa key pair.
Your identification has been saved in /etc/ssh/ssh_host_rsa_key.
Your public key has been saved in /etc/ssh/ssh_host_rsa_key.pub.
The key fingerprint is:
SHA256:uYQCg2/MwvG5fvjihbX6dykjfefL/xCXHd/DLi8PdUo root@router
The key's randomart image is:
+---[RSA 2048]----+
|                 |
| .               |
|..o            . |
|.+oo.  . .    . *|
|..=o... S    .E*=|
| o  +... .   .=.o|
|   o.o. . .  +.. |
|  .ooo = +.. .=  |
|  .+=oo = o+o.++ |
+----[SHA256]-----+

Generate host key pairs for all supported cryptographic algorithms:

router{}ssh host-key all
ssh-keygen: generating new host keys: DSA ECDSA ED25519

Note

When a new SSH host key pair is generated, SSH clients that formerly connected to Turbo Router will claim that the SSH server key has changed or that someone is trying to spoof its identity. The old SSH server public key should consequently be removed from their known hosts database.

To display all SSH host public keys:

router{}display ssh host-key all

One can choose which SSH host public keys to display and the format in which they must be displayed (openssh (default), RFC4716 and PKCS #8).

router{}display ssh host-key (dsa|ecdsa|ed25519|rsa|all) [openssh|rfc4716|pkcs8]

Note

ed25519 keys cannot be displayed in pkcs8 format.

Examples

Display host public keys for all supported cryptographic algorithms in default (openssh) format:

router{}display ssh host-key all
# Host key: dsa
Fingerprint: SHA256:SqWXyhp7xlLpWSR4vmcQFEOe6NkWx967lfidn6kCHNE
Public-key:
ssh-dss AAAAB3NzaC1kc3MAAACBAKswz7NU/FLXbyLZgxYUwj4FUR2nbFhnF8iZff3Ya2f3UwNgW5McHw4/46yaGNrf5NLF1YFLYgEW7ez24xJ5kaiTJ7/3S6FaK9SLmtFVoONAjlCWGd5jLyFYRtTQ6GFB3JciVQAAAIBiqeLGPtaFix5wIJTcB8vymMA98TOtqjBVytFlb4H5MoaJ5fUAaJGOp+6apcFX3xNwSaJGsBeeW+YpdBAoj1z/ozFfsDgLVXPeF9+xUKLVITe9M4tN3YtTdmIFFHwGlI8G3UM9tAAAAIARblkBUHV0+Jz3EanfhBULiImZ6BjW6bbZfY2MmZuwINWy3Ack9OOrYxWq8Bp0SNoX463mql4ekUqlPa4DzChmnPi434RHovs4PA== root@router

# Host key: ecdsa
Fingerprint: SHA256:Y7J0Jg53Al5DrJ9ezHebwMegclorBq/0Ca9o+xBXYzM
Public-key:
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBN3DLSDGk1ssEclxrRdtzqTAltBqWoy8UzbCNZsxw2KePfC95iY= root@router

# Host key: ed25519
Fingerprint: SHA256:qB3oD4acs8FixXpdmBlE8di9x9Mz+w0ALSH4Q/OVek0
Public-key:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIO5QQ451nKMqGywQAWATslniVrIBvEMtICcP56QQShl

# Host key: rsa
Fingerprint: SHA256:uYQCg2/MwvG5fvjihbX6dykjfefL/xCXHd/DLi8PdUo
Public-key:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyMXHSBmI6mfdSf/ov95BT05Vw7oXwhFAYXnX7hV8fHH9ymLU+liDr8qyEkE+NNZHnhsM68VlQZKS10MRKS4RD4G7EyeG3y6UNQ8m/w4kvf2+pNla6p/8G1rfsXb2MpxLgNteOzgbVXwdcLUXgOQaVQkRwHyR72+zOqdMZ9d0SvU/GKqE89wYxOSqZdSSIaU5EDralRxwMl5A6/TH0Oa5AOKNc1/wC6j0smGVuqY3v root@router

Display the ECDSA host public key in RFC4716 format:

router{}display ssh host-key ecdsa rfc4716
# Host key: ecdsa
Fingerprint: SHA256:Y7J0Jg53Al5DrJ9ezHebwMegclorBq/0Ca9o+xBXYzM
Public-key:
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "256-bit ECDSA, converted by root@router from OpenSSH"
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBN3DLSDGWYkrA09cPw
p/9r+e61fhklh+xw1Lpwhs2n6Gk1ssEclxrRdtzqTAltBqWoy8UzbCNZsxw2KePfC95iY=

---- END SSH2 PUBLIC KEY ----

Adding authorized client public keys

To enable remote clients to authenticate themselves by public key, their public keys must be stored on Turbo Router and authorized.

Adding an authorized client public key

To add an authorized client public key, use the following command:

router{}ssh authorized-key

Then paste the client public key, in one of the supported formats: openssh, RFC4716 or PKCS #8. End the input with an empty line.

Examples

Add an authorized key in openssh format:

router{}ssh authorized-key
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwUXnwfermmaov/Krqf7Bqvth7/Uyv/wUbr2UB+vlm85bHjVwltcg1ZdzRAkKYe2wQDg3gXqbBWFyeH7kIo4RZThyYfmXQQD4KjBDQyUCwl1UTJk12RKd1FZQvPopWxvcfK19d5BTrqsfx0RI1lVJ1IXxlhTegejsoK6ErSNCwq8wLMivt0kd3fWORGINdPE6XaU65BSG5IpE2xgoHk5FNkTaUj0N9Z9zxv19oqYgCirrPjLdpk1LgG3JvVou+RqpEtsvZEEQbRALxxkHiu57gERZR1eQvUcZ+jiB9PtbJhTTRXeqd5lQmn62AsZGhIGSRucXkS09zcqrvpNxBoxQcw== matt@bliss

/root/.ssh/authorized_keys append succeeded

Add an authorized key in RFC4716 format:

router{}ssh authorized-key
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "256-bit ECDSA, converted by matt@bliss from OpenSSH"
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEyW5/mzxBgG7RGYer
Q+QiwQdP0g1QyexfMD3B/zDTSDoafTkIatKCL0cHnybVoGqTCqKv07pbGoUbfOYQgdVgc=
---- END SSH2 PUBLIC KEY ----

/root/.ssh/authorized_keys append succeeded

To display the list of authorized client keys:

router{}display ssh authorized-key [openssh|rfc4716|pkcs8]

Examples

Display authorized keys in default (openssh) format:

router{}display ssh authorized-key
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwUXnwfermmaov/Krqf7Bqvth7/Uyv/wUbr2UB+vlm85bIo4RZThyYfmXQQD4KjBDQyUCwl1UTJk12RKd1FZQvPopWxvcfK19d5BTrqsfx0RI1lVJ1IXxlhTegejs5BSG5IpE2xgoHk5FNkTaUj0N9Z9zxv19oqYgCirrPjLdpk1LgG3JvVou+RqpEtsvZEEQbRALxxkHiu57AsZGhIGSRucXkS09zcqrvpNxBoxQcw== matt@bliss

ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEyW5/mzoafTkIatKCL0cHnybVoGqTCqKv07pbGoUbfOYQgdVgc=

Display authorized keys in RFC4716 format:

router{}display ssh authorized-key rfc4716
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit RSA, converted by root@router from OpenSSH"
AAAAB3NzaC1yc2EAAAABIwAAAQEAwUXnwfermmaov/Krqf7Bqvth7/Uyv/wUbr2UB+vlm8
5bHjVwltcg1ZdzRAkKYe2wQDg3gXqbBWFyeH7kIo4RZThyYfmXQQD4KjBDQyUCwl1UTJk1
2RKd1FZQvPopWxvcfK19d5BTrqsfx0RI1lVJ1IXxlhTegejsoK6ErSNCwq8wLMivt0kd3f
WORGINdPE6XaU65BSG5IpE2xgoHk5FNkTaUj0N9Z9zxv19oqYgCirrPjLdpk1LgG3JvVou
+RqpEtsvZEEQbRALxxkHiu57gERZR1eQvUcZ+jiB9PtbJhTTRXeqd5lQmn62AsZGhIGSRu
cXkS09zcqrvpNxBoxQcw==
---- END SSH2 PUBLIC KEY ----

---- BEGIN SSH2 PUBLIC KEY ----
Comment: "256-bit ECDSA, converted by root@router from OpenSSH"
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEyW5/mzxBgG7RGYer
Q+QiwQdP0g1QyexfMD3B/zDTSDoafTkIatKCL0cHnybVoGqTCqKv07pbGoUbfOYQgdVgc=

---- END SSH2 PUBLIC KEY ----

To flush authorized client keys:

router{}flush ssh authorized-key

SSH client

The SSH client enables a user to import or export files via the SCP protocol, and to log in to a remote SSH server.

Managing SSH client user key pairs

To use public key authentication, a user key pair must be created on Turbo Router.

To generate the SSH client user key pairs for all supported cryptographic algorithms:

router{}ssh user-key all

It is also possible to generate the SSH client user key pairs for a specific cryptographic algorithm:

router{}ssh user-key (dsa|ecdsa|ed25519|rsa|rsa1|all)

Note

  • ed25519 keys cannot be displayed in pkcs8 format.
  • rsa1 keys cannot be displayed in rfc4716 format.

Examples

Generate an RSA user key pair:

router{}ssh user-key rsa
Generating public/private rsa key pair.
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:YQH+0AR15jjZdqJuxVgF8UzV0xyrIfhSZS3tHING8rU root@router
The key's randomart image is:
+---[RSA 2048]----+
|      o++ =++===o|
|     . o O.==+.**|
|      o B.*o=o+E+|
|       + Ooo. oo |
|        S.o. .   |
|       . ..      |
|        o        |
|       .         |
|                 |
+----[SHA256]-----+

Generate an RSA1 user key pair:

router{}ssh user-key rsa1
Generating public/private rsa1 key pair.
Your identification has been saved in /root/.ssh/identity.
Your public key has been saved in /root/.ssh/identity.pub.
The key fingerprint is:
SHA256:sqpIS/fpgy1eqdrhxw6JqTQcE0HGor/Z4MRh9f0/4c4 root@router
The key's randomart image is:
+---[RSA1 2048]---+
|o+               |
|o.. .            |
|o. . . .         |
|. +   . .        |
| * .  . S.       |
|. X . .o  . .    |
| @ X+o.    o .   |
|=.XoB*.    .+    |
|oo+**=.    .E.   |
+----[SHA256]-----+

Generate user key pairs for all supported cryptographic algorithms:

router{}ssh user-key all
/root/.ssh/identity already exists
/root/.ssh/id_rsa already exists
Generating public/private dsa key pair.
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
SHA256:WQFaLPF/xWxSQUxoaat+z8vDTLIfT2ViwU8xa5K2ROM root@router
The key's randomart image is:
+---[DSA 1024]----+
|      .oo..  O=+ |
|      .+.  .B=+ +|
|      ... .o.EBo.|
|         +  ++++ |
|        S ....o +|
|          .....o.|
|         .   *. .|
|          . oo++ |
|           . o*o.|
+----[SHA256]-----+
Generating public/private ecdsa key pair.
Your identification has been saved in /root/.ssh/id_ecdsa.
Your public key has been saved in /root/.ssh/id_ecdsa.pub.
The key fingerprint is:
SHA256:lCe3ohfu5YMR8mgwjC/ktgam8h4u3di6mSdDhKMdOQg root@router
The key's randomart image is:
+---[ECDSA 256]---+
|                 |
|E        .       |
|.o +    + o      |
|+ B + ...+ .     |
|.* + o +S..      |
|o.* . oooo       |
|o=.* .. oo.      |
|+.B++  o.o.      |
|.=O*    . ..     |
+----[SHA256]-----+
Generating public/private ed25519 key pair.
Your identification has been saved in /root/.ssh/id_ed25519.
Your public key has been saved in /root/.ssh/id_ed25519.pub.
The key fingerprint is:
SHA256:Na+qy0LVWG3NsPaujkeeE6u8AbFELESDZwK293EV8zI root@router
The key's randomart image is:
+--[ED25519 256]--+
|.o ++..  =o+     |
|. + +o. o =.o    |
| . = oo= E=.     |
|  . ..=o.oo+     |
|     oo S   o    |
|    .  .  oo     |
|   .    .o.+.    |
|    .. . +*.     |
|     .+o*=o.     |
+----[SHA256]-----+

Once a user key pair is generated, the public key can be displayed, to be installed on a remote SSH server as an authorized key for instance.

To display all SSH user public keys:

router{}display ssh user-key all

One can choose which SSH user public keys to display and the format in which they must be displayed (openssh (default), RFC4716 and PKCS #8).

router{}display ssh user-key (dsa|ecdsa|ed25519|rsa|rsa1|all) [openssh|rfc4716|pkcs8]

Examples

Display the RSA1 user public key in default (openssh) format:

router{}display ssh user-key rsa1
# User key: rsa1
Public-key:
2048 65537 262189918493024959543983417690081066309304807831335832148393539769361
77813197756621111061531323156605192795810509422749622717311951515056510247737624
04230452810191931115124993420403734600067488525186278331915687210047827693706746
25509651497589952452304153219297116598006929461559182715868081141928002130524719
78933223095706220967631382524159670323767098819695580336610883463453703864354136
680654537151017891368288085154640257303382295373 root@router

Display the DSA user public key in RFC4716 format:

router{}display ssh user-key dsa rfc4716
# User key: dsa
Public-key:
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "1024-bit DSA, converted by root@router from OpenSSH"
---- END SSH2 PUBLIC KEY ----

Display user public keys for all supported cryptographic algorithms in PKCS #8 format:

router{}display ssh user-key all pkcs8
# User key: dsa
Public-key:
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----

# User key: ecdsa
Public-key:
-----BEGIN PUBLIC KEY-----
MIIBSzCCAQMGByqGSM49AgEwgfcCAQEwLAYHKoZIzj0BAQIhAP////8AAAABAAAA
AAAAAAAAAAAA////////////////MFsEIP////8AAAABAAAAAAAAAAAAAAAA////
///////////8BCBaxjXYqjqT57PrvVV2mIa8ZR0GsMxTsPY7zjw+J9JgSwMVAMSd
NgiG5wSTamZ44ROdJreBn36QBEEEaxfR8uEsQkf4vOblY6RA8ncDfYEt6zOg9KE5
RdiYwpZP40Li/hp/m47n60p8D54WK84zV2sxXs7LtkBoN79R9QIhAP////8AAAAA
//////////+85vqtpxeehPO5ysL8YyVRAgEBA0IABC8smoBXejoA6v1thE9SEmjF
i4ZrESCcevXWIrxauWkyp5N56YZ5HmpL7+7kTFA9HJNme3H9kWu53UCCekPXGbU=
-----END PUBLIC KEY-----

# User key: ed25519
do_convert_to_pkcs8: unsupported key type ED25519

# User key: rsa
Public-key:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoiYjPzuw+45bPORgumW9
1vq/sE+XlmKvO0xNEj1wqrhOBqk2pj5wEEGcIglv1Qqr3e/br7ARgEpzX+iKPimy
qxhKC+GHZXp0SjqfqNakuG67ks+RsHUeZX2zx8Z1y6bFuH8AMlRniJQAqwZZV/i3
oeXvsNP8ogijOMSXu7Off2M1bhScNcVMnhvyPcZL4VWDSFdUuRzYn1lud1xPcSK1
3jkMSKQki+xCQq6VaLCfOX6JZtPHd1pmVTBI+OA6iI5L7WlW4r02Pl7Lq69fXZq6
tlLagBMI5osZBV9U7Bbl+XJYywsVpJ/fJv9GHNGfs35dT+lr1yaHOdrdASkbmrjk
dQIDAQAB
-----END PUBLIC KEY-----

# User key: rsa1
Public-key:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz7HFrIsWEwLs1MvKi56h
Pr3tVTHnp3X9KUQ24l0FJW4smsAr0Uy3LR9JPfblqhTBqH0ZjFXLVn/X9nRyCGOd
MuzV6TkkhzWOH0E0lqiytkS36560+SgMsGed/ou0+uK6gWdnzNl1fvzpi+2wIYWP
bSyLNRZlwzRLd+jx38myGOJSqNVg0GzLHW59YL+uQeuJbeZ/6VgkRwFJ0tqSUxFq
1mc4jrAnqaf8tlF06l8RnGfOpJDk2lADBl+zqJWXZMJ56H4v+2YKj9Rit3LWl4zi
nIAtWpHLtjuq3KosstP3LjOYpsJby0PvzPKrveLL/Wm42cVzg6xe4om3HPsvCjuD
TQIDAQAB
-----END PUBLIC KEY-----

Logging in to an SSH server

To log in to a remote SSH server:

router{}ssh login [-1|-2] [USER@]HOST
-1|-2
Optional SSH protocol version
USER
Optional remote account name (default root).
HOST
DNS name or IP address of a remote SSH server.

Example

Log in to server bliss as user matt (trying SSH-2 in priority):

router{}ssh login matt@bliss
The authenticity of host 'bliss (10.16.0.36)' can't be established.
ECDSA key fingerprint is SHA256:HPIQNxdTRXHYqOWrqH7l+em4VDFXOqRsn7Gcr8PMteM.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'bliss,10.16.0.36' (ECDSA) to the list of known hosts
matt@bliss's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have mail.
Last login: Fri Jan 29 17:55:26 2016 from bliss.dev.6wind.com
matt@bliss:~$ logout
Connection to bliss closed.

Importing or exporting via the SCP protocol

Turbo Router can import or export files via the SCP protocol when the scp keyword is specified in URLs. The SCP client requires exactly the same configuration as ssh login.

Unlike FTP URLs, SCP URLs cannot carry the remote user password; it must be provided interactively.

Example

Export configuration start via SCP to bliss as user matt. Name the remote file router.xml:

router{}export conf start scp://matt@bliss/router.xml

Import command file add_logs.cmd via SCP from server server.acme.com as user user. Name the local file addlogs:

router{}import file scp://user@server.acme.com/conf/add_logs.cmd addlogs

Managing SSH servers public keys (known hosts)

On first connection to a remote SSH server, the user is prompted to accept the remote server public key as proof of its identity.

Use the fingerprint to verify that the key provided by the server is valid (this fingerprint can be obtained offline from the administrator of the SSH server).

On subsequent connections, the ssh login command will not ask this question anymore. It will permanently trust this public key as a proof of the server’s identity.

Example

Log in to remote SSH server bliss for the first time:

router{}ssh login matt@bliss
The authenticity of host 'bliss (10.16.0.36)' can't be established.
ECDSA key fingerprint is SHA256:HPIQNxdTRXHYqOWrqH7l+em4VDFXOqRsn7Gcr8PMteM.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'bliss,10.16.0.36' (ECDSA) to the list of known hosts
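
The known-hosts decision from the connection establishment steps, combined with the fingerprint check recommended above, as an added Python example (not part of the original documentation or of Turbo Router code). It assumes the key text is in openssh or RFC4716 format; the function names and the sample key are constructed for illustration, and the unknown-host case is modelled as a comparison against a fingerprint obtained offline rather than an interactive prompt.

```python
import base64
import hashlib
import struct


def key_blob(text):
    """Decode an OpenSSH one-line or RFC 4716 public key to its raw blob."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    claimed = None
    if lines[0].startswith("---- BEGIN SSH2 PUBLIC KEY"):
        body, in_header = [], False
        for ln in lines[1:]:
            if ln.startswith("---- END SSH2 PUBLIC KEY"):
                break
            if in_header or ":" in ln:         # "Tag: value" header line
                in_header = ln.endswith("\\")  # backslash continues the header
                continue
            body.append(ln)
        b64 = "".join(body)
    else:
        claimed, b64 = lines[0].split()[:2]
    blob = base64.b64decode(b64, validate=True)
    # The blob begins with a length-prefixed algorithm name.
    (n,) = struct.unpack(">I", blob[:4])
    name = blob[4:4 + n].decode("ascii")
    if claimed is not None and claimed != name:
        raise ValueError("key type %r does not match blob type %r" % (claimed, name))
    return blob


def fingerprint(blob):
    """SHA256 fingerprint: unpadded base64 of the digest of the key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def check_host(known_hosts, host, offered_key, trusted_fp=None):
    """Apply the three known-hosts cases to a key offered by `host`."""
    blob = key_blob(offered_key)
    if host in known_hosts:
        return "continue" if known_hosts[host] == blob else "abort: host key changed"
    # Unknown host: accept only if the fingerprint matches one obtained offline.
    if trusted_fp is not None and fingerprint(blob) == trusted_fp:
        known_hosts[host] = blob
        return "accepted and stored"
    return "rejected: fingerprint not verified"


def sample_key(seed, fmt="openssh"):
    """Constructed sample: an ed25519-shaped blob, not a real key pair."""
    name, pub = b"ssh-ed25519", hashlib.sha256(seed).digest()
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(pub)) + pub
    b64 = base64.b64encode(blob).decode("ascii")
    if fmt == "openssh":
        return "ssh-ed25519 %s root@router" % b64
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return ('---- BEGIN SSH2 PUBLIC KEY ----\nComment: "constructed sample"\n'
            + wrapped + "\n---- END SSH2 PUBLIC KEY ----")


def demo():
    known = {}
    good = sample_key(b"bliss")
    # The administrator's copy is in RFC4716 format; the fingerprint is the same.
    fp_from_admin = fingerprint(key_blob(sample_key(b"bliss", "rfc4716")))
    return [
        check_host(known, "bliss", good),                  # no offline fingerprint
        check_host(known, "bliss", good, fp_from_admin),   # verified first contact
        check_host(known, "bliss", good),                  # later connection
        check_host(known, "bliss", sample_key(b"other")),  # server key changed
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The fingerprint is computed over the decoded key blob, so the same key gives the same fingerprint in openssh and RFC4716 format.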

Trusted SSH servers’ public keys may be displayed using the following command:

router{}display ssh known-host HOST [openssh|rfc4716|pkcs8]

Examples

Display known server 10.16.0.1’s public key in default (openssh) format:

router{}display ssh known-host 10.16.0.1
# Known host: 10.16.0.1
Fingerprint: SHA256:LhdYBCH5lw7Ef/IaBVcPqVMBgATLYqwQLTNW2KXMcAg
Public-key:
1024 35 135097880682960376120352522892324175422494702327159278618474306837950529
79200126262779691105930246944252566482291720074528322541869927390676435567984851
18243223442079465429937086103051071572056060999343009593253903287862402235104621

Display known server bliss’s public key in PKCS #8 format:

router{}display ssh known-host bliss pkcs8
# Known host: bliss
Fingerprint: SHA256:HPIQNxdTRXHYqOWrqH7l+em4VDFXOqRsn7Gcr8PMteM
Public-key:
-----BEGIN PUBLIC KEY-----
MIIBSzCCAQMGByqGSM49AgEwgfcCAQEwLAYHKoZIzj0BAQIhAP////8AAAABAAAA
AAAAAAAAAAAA////////////////MFsEIP////8AAAABAAAAAAAAAAAAAAAA////
///////////8BCBaxjXYqjqT57PrvVV2mIa8ZR0GsMxTsPY7zjw+J9JgSwMVAMSd
NgiG5wSTamZ44ROdJreBn36QBEEEaxfR8uEsQkf4vOblY6RA8ncDfYEt6zOg9KE5
RdiYwpZP40Li/hp/m47n60p8D54WK84zV2sxXs7LtkBoN79R9QIhAP////8AAAAA
//////////+85vqtpxeehPO5ysL8YyVRAgEBA0IABODJzOaxX07KVtgg8eNqhkSl
B2bddghliecrCgvj2QhQOYC960Po7r7thajMXJo3AZYgPZllx38i0YD4DmB2fSM=
-----END PUBLIC KEY-----

When trying to connect to an SSH server that changed key pairs, the following message is displayed:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!

The connection is then aborted. The old server public key must be removed from the known hosts database.

To remove a known SSH server from the database:

router{}delete ssh known-host HOST

To remove all known SSH servers from the database:

router{}flush ssh known-host

Example

Try to log in to a known SSH server that changed its key pair:

router{}ssh login 10.16.0.1
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!

Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA1 host key has just been changed.
The fingerprint for the RSA1 key sent by the remote host is
SHA256:LhdYBCH5lw7Ef/IaBVcPqVMBgATLYqwQLTNW2KXMcAg.

You must delete the old key (from 10.16.0.55) to accept the new one.
Host key verification failed.

router{}delete ssh known-host 10.16.0.55

router{}ssh login 10.16.0.55
The authenticity of host '10.16.0.55 (10.16.0.55)' can't be established.
RSA key fingerprint is SHA256:HPIQNxdTRXHYqOWrqH7l+em4VDFXOqRsn7Gcr8PMteM.

Are you sure you want to continue connecting (yes/no)?