Manual Chapter: Managing SSH Profiles in Shared Security

Applies To:


BIG-IQ Centralized Management

  • 5.2.0

About SSH profiles

You can configure SSH profiles to manage SSH connections. Once the SSH profile is created, you assign it to a virtual server. You enable logging for SSH proxies using logging profiles.

You use the BIG-IQ® Centralized Management system to manage SSH profiles for BIG-IP® devices running version 12.1.1 HF1, or later. For additional details about SSH proxy security, refer to the BIG-IP documentation.

Create SSH profiles

You create SSH proxy profiles to manage user access through SSH connections. This includes selecting what commands are available to users within an SSH connection.
  1. Log in to the BIG-IQ® Centralized Management system with your user name and password.
  2. At the top left of the screen, select Network Security from the BIG-IQ menu.
  3. Click Shared Security from the top menu bar, and then from the list on the left, click SSH Profiles.
  4. Click Create.
    The SSH Profiles - New Item screen opens with the Properties tab displayed.
  5. In the Name field, type a name for the SSH profile.
  6. In the Description field, type an optional description for the SSH profile.
  7. If needed, change the default Common partition in the Partition field.
    The partition with that name must already exist on the BIG-IP device. No whitespace is allowed in the partition name.
  8. In the Timeout field, if the default value of 0 is not appropriate, type the number of seconds after which the connection times out.
  9. Click Save & Close to save the SSH profile and return to the SSH Profiles screen.
The SSH profile has been created.
You add SSH proxy permissions and authentication keys to the SSH profile, as needed, to make it complete. Once complete, you can add the SSH profile to an appropriate virtual server.

Configure SSH proxy permissions

You must create an SSH profile before you can configure the permissions for that profile.
You use the SSH Proxy Permissions tab to configure rules for SSH proxy permissions for the SSH profile. These rules specify what channel actions are allowed for all users and for selected users. A single SSH connection may contain multiple channels and actions, such as Shell, SCP Up, and others.
  1. Log in to the BIG-IQ® Centralized Management system with your user name and password.
  2. At the top left of the screen, select Network Security from the BIG-IQ menu.
  3. Click Shared Security from the top menu bar, and then from the list on the left, click SSH Profiles.
  4. Click the name of the SSH profile on which you want to configure permissions.
  5. Click the SSH Proxy Permissions tab, and click Create Rule.
    Each SSH profile has a predefined rule named DEFAULT ACTIONS, which initially allows all listed channel actions for all users with no logging enabled. You can modify the permission and logging options for the DEFAULT ACTIONS rule. Review the DEFAULT ACTIONS rule before you create a new rule for specific users.
    A new row appears in the table of rules. The row contains a rule template, including defaults, for the new rule.
  6. Click the name of the rule to edit the default rule properties.
  7. In the Name field, type a more meaningful name for the rule.
  8. Create the list of SSH user accounts handled by the rule by adding and removing those accounts in the Users column.
    • Add a new SSH user account to the list by typing the account name in the empty Users field, and then clicking + to the right of that field.
    • Delete an existing SSH user account from the list by clicking X to the right of the user account.
  9. Review and, if needed, modify each SSH channel action. You can set each of the SSH channel actions listed in the table columns (such as Shell or Sub System) to one of these options:
    • Allow permits the session to be set up for the SSH channel action. This is the default.
    • Disallow denies the SSH channel action and sends a "command not accepted" message to the client. Note that many SSH clients disconnect when this occurs.
    • Terminate ends the SSH connection by sending a reset message when the channel action is received.
  10. To enable logging for any action, select the Log check box below the SSH channel action.
  11. Review your settings, and click Save.
The SSH proxy permissions are defined for the SSH profile.
If not already defined, you can now configure the authentication keys to complete the SSH profile.
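The following added model (not F5 code) shows how the permission rules configured above apply to a session: a rule naming the user is checked first, DEFAULT ACTIONS is the fallback, and each channel action carries its own verdict and Log flag. The rule names, user names and the precedence between rules are assumptions made for this illustration.

```python
# Added model (not F5 code) of how the SSH proxy permission rules described
# above apply to a session. Assumptions: rule and user names are constructed,
# and a rule that names the user takes precedence over DEFAULT ACTIONS.
from dataclasses import dataclass, field

ALLOW, DISALLOW, TERMINATE = "Allow", "Disallow", "Terminate"
CHANNEL_ACTIONS = ("Shell", "Sub System", "SCP Up")   # columns named on the page

# What the SSH client observes for each verdict, as the page describes it.
CLIENT_EFFECT = {
    ALLOW: "channel set up",
    DISALLOW: "command not accepted message (many clients disconnect)",
    TERMINATE: "connection reset",
}

@dataclass
class Rule:
    name: str
    users: frozenset = frozenset()                 # empty = all users (DEFAULT ACTIONS)
    actions: dict = field(default_factory=dict)    # channel action -> verdict
    log: dict = field(default_factory=dict)        # channel action -> log enabled?

def default_actions() -> Rule:
    """The rule every new profile starts with: allow everything, log nothing."""
    return Rule("DEFAULT ACTIONS", frozenset(),
                {a: ALLOW for a in CHANNEL_ACTIONS}, {a: False for a in CHANNEL_ACTIONS})

def evaluate(rules: list, user: str, action: str) -> tuple:
    """Return (rule name, verdict, logged, client effect) for one channel action."""
    chosen = next((r for r in rules if user in r.users), None)   # user-specific rule first
    if chosen is None:
        chosen = next(r for r in rules if not r.users)           # fall back to DEFAULT ACTIONS
    verdict = chosen.actions.get(action, ALLOW)                  # unset column keeps Allow
    return chosen.name, verdict, chosen.log.get(action, False), CLIENT_EFFECT[verdict]

def unlogged_allows(rules: list) -> list:
    """Defender's check: (rule, action) pairs that permit an action without logging it."""
    return [(r.name, a) for r in rules for a, v in r.actions.items()
            if v == ALLOW and not r.log.get(a, False)]

# Constructed sample profile: the default rule plus one rule for a service account.
PROFILE_RULES = [
    default_actions(),
    Rule("deploy-scp-only", frozenset({"deploy"}),
         {"Shell": DISALLOW, "Sub System": TERMINATE, "SCP Up": ALLOW},
         {"Shell": True, "Sub System": True, "SCP Up": True}),
]
```

Calling `unlogged_allows(PROFILE_RULES)` on the sample shows that the untouched DEFAULT ACTIONS rule still permits every channel action for every other user without logging, which is why the page tells you to review that rule before adding user-specific ones.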

Configure SSH authentication keys

You must create an SSH profile before you can configure the authentication keys for that profile.
You use the Key Management tab to configure authentication key information for the SSH profile, such as proxy client authentication, proxy server authentication, and real server authentication.
  1. Log in to the BIG-IQ® Centralized Management system with your user name and password.
  2. At the top left of the screen, select Network Security from the BIG-IQ menu.
  3. Click Shared Security from the top menu bar, and then from the list on the left, click SSH Profiles.
  4. Click the name of the SSH profile on which you want to configure authentication keys.
  5. Click the Key Management tab and click Add.
    A popup screen opens where you supply authentication key information.
  6. In the Name field, type a name for the authentication information.
  7. In the fields provided, supply the public key and, if needed, the private key for each authentication type to be used.
    Proxy client authentication and proxy server authentication require both a public and a private key. Real server authentication requires only a public key. Refer to the BIG-IP® AFM documentation for how to generate and use these keys.
  8. Click Add to add the new authentication information and close the popup screen.
  9. Review your settings, and click Save.
The authentication keys are defined for the SSH profile.
If not already defined, you can now configure the SSH proxy permissions to complete the SSH profile.

Delete SSH profiles

An SSH profile must be unused by any virtual server before you can delete it.
You can delete obsolete SSH profiles that are no longer used to avoid clutter in the user interface.
  1. Log in to the BIG-IQ® Centralized Management system with your user name and password.
  2. At the top left of the screen, select Network Security from the BIG-IQ menu.
  3. Click Shared Security from the top menu bar, and then from the list on the left, click SSH Profiles.
    The SSH Profiles screen opens.
  4. Select the check box to the left of the SSH profile you want to delete.
  5. Click Delete.
    The delete confirmation dialog box opens.
  6. Click Delete to confirm that you want to delete the SSH profile.
    If the SSH profile is in use by a virtual server, you cannot delete it.
If the SSH profile is not in use, it is deleted.