SSH and SFTP

With the Admin Security or JITC feature sets enabled, the Secure Shell (SSH) and related Secure Shell File Transfer (SFTP) protocols provide for the secure transfer of audit files and for the secure transfer of management traffic across the wancom0 interface.

SSH Operations

SSH Version 2.0, the only version supported on the OCSBC, is defined by a series of five RFCs.

  • RFC 4250, The Secure Shell (SSH) Protocol Assigned Numbers
  • RFC 4251, The Secure Shell (SSH) Protocol Architecture
  • RFC 4252, The Secure Shell (SSH) Authentication Protocol
  • RFC 4253, The Secure Shell (SSH) Transport Layer Protocol
  • RFC 4254, The Secure Shell (SSH) Connection Protocol

RFCs 4252 and 4253 are most relevant to OCSBC operations.

The transport layer protocol (RFC 4253) provides algorithm negotiation and key exchange. The key exchange includes server authentication and results in a cryptographically secured connection that provides integrity, confidentiality and optional compression. Forward security is provided through a Diffie-Hellman key agreement. This key agreement results in a shared session key. The rest of the session is encrypted using a symmetric cipher, currently 128-bit AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES. The client selects the encryption algorithm to use from those offered by the server. Additionally, session integrity is provided through a cryptographic message authentication code (hmac-md5, hmac-sha1, umac-64 or hmac-ripemd160).
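
The negotiation step described above, as an added example that is not Oracle's code: it builds and parses two SSH_MSG_KEXINIT payloads (RFC 4253, section 7.1) and applies the RFC's rule that the chosen cipher and MAC are the first entries on the client's list that the server also offers. The algorithm names and both offers are constructed sample values, not the OCSBC's actual lists.

```python
import struct

SSH_MSG_KEXINIT = 20
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def build_kexinit(**lists) -> bytes:
    """Build a KEXINIT payload with a constructed all-zero cookie."""
    out = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    for field in FIELDS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        out += struct.pack(">I", len(names)) + names
    # first_kex_packet_follows = false, reserved uint32 = 0
    return out + b"\x00" + struct.pack(">I", 0)


def parse_kexinit(payload: bytes) -> dict:
    """Decode the ten name-lists of a KEXINIT payload into Python lists."""
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, parsed = 17, {}  # skip message type byte and 16-byte cookie
    for field in FIELDS:
        (length,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + length > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos:pos + length].decode("ascii")
        parsed[field] = raw.split(",") if raw else []
        pos += length
    return parsed


def negotiate(client: dict, server: dict, field: str) -> str:
    """Cipher/MAC rule: first name on the client's list that the server offers."""
    for name in client[field]:
        if name in server[field]:
            return name
    raise ValueError(f"no common algorithm for {field}")


# Constructed offers; the names are standard SSH identifiers picked for illustration.
SERVER_OFFER = build_kexinit(
    kex=["diffie-hellman-group14-sha1"], host_key=["ssh-rsa"],
    enc_c2s=["aes128-cbc", "3des-cbc", "aes256-cbc"],
    enc_s2c=["aes128-cbc", "3des-cbc", "aes256-cbc"],
    mac_c2s=["hmac-md5", "hmac-sha1"], mac_s2c=["hmac-md5", "hmac-sha1"],
    comp_c2s=["none"], comp_s2c=["none"])
CLIENT_OFFER = build_kexinit(
    kex=["diffie-hellman-group14-sha1"], host_key=["ssh-rsa"],
    enc_c2s=["aes256-cbc", "aes128-cbc"], enc_s2c=["aes256-cbc", "aes128-cbc"],
    mac_c2s=["hmac-sha1"], mac_s2c=["hmac-sha1"],
    comp_c2s=["none"], comp_s2c=["none"])


def negotiated_session() -> dict:
    """Return the cipher and MAC chosen for each direction of the sample session."""
    client, server = parse_kexinit(CLIENT_OFFER), parse_kexinit(SERVER_OFFER)
    return {f: negotiate(client, server, f)
            for f in ("enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c")}


if __name__ == "__main__":
    print(negotiated_session())
```

The server lists aes128-cbc and hmac-md5 first, yet the session uses the client's first mutually supported choices, so the client-side preference order decides which of the offered algorithms protects the session.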

The authentication protocol (RFC 4252) uses this secure connection provided and supported by the transport layer. It provides several mechanisms for user authentication. Two modes are supported by the OCSBC: traditional password authentication and public-key authentication.

Configuring SSH Properties

The single instance ssh-config configuration element specifies SSH re-keying thresholds.

  1. From admin mode, use the following command path to access the ssh configuration element:
    ORACLE# configure terminal
    ORACLE(configure)# security
    ORACLE(security)# admin-security
    ORACLE(admin-security)# ssh-config
    ORACLE(ssh-config)#

    The ssh-config configuration element properties are shown below with their default values.

    rekey-interval        60 
    rekey-byte-count      31
  2. rekey-interval—specifies the maximum allowed interval, in minutes, between SSH key negotiations

    Allowable values are integers within the range 60 through 600, with a default of 60 (minutes). Shorter lifetimes provide more secure connections.

    Works in conjunction with rekey-byte-count, which sets a packet-based threshold, to trigger an SSH renegotiation. If either trigger is activated, an SSH renegotiation is begun.

    Retain the default value, or specify a new value.

    ORACLE(ssh-config)# rekey-interval 20
    ORACLE(ssh-config)#
  3. rekey-byte-count—specifies the maximum allowed send and receive packet count, in powers of 2, between SSH key negotiations

    Allowable values are integers within the range 20 (1,048,576 packets) through 31 (2,147,483,648 packets), with a default of 31 (2^31). Smaller packet counts provide more secure connections.

    Works in conjunction with rekey-interval, which sets a time-based threshold, to trigger an SSH renegotiation. If either trigger is activated, an SSH renegotiation is begun.

    Retain the default value, or specify a new value.

    ORACLE(ssh-config)# rekey-byte-count 24
    ORACLE(ssh-config)#

    A sample SSH configuration appears below:

    ORACLE(ssh-config)# rekey-interval 20 
    ORACLE(ssh-config)# done 
    ORACLE(ssh-config)# exit 
    ORACLE(admin-security)# 

    Specifies a key renegotiation every 20 minutes, or at the reception/transmission of 2,147,483,648 packets, whichever comes first.

Managing SSH Keys

Use the following procedure to import an SSH host key.

Importing a host key requires access to the SFTP server or servers which receive audit log transfers. Access is generally most easily accomplished with a terminal emulation program such as PuTTY, SecureCRT, or TeraTerm.

  1. Use a terminal emulation program to access the SSH file system on a configured SFTP server.
  2. Copy the server’s base64-encoded public key file, making sure to include the Begin and End markers as specified by RFC 4716, The Secure Shell (SSH) Public Key File Format.

    For OpenSSH implementations, host key files are generally found at /etc/ssh/ssh_host_dsa_key.pub or /etc/ssh/ssh_host_rsa_key.pub. Other SSH implementations can differ.

  3. From admin mode use the ssh-pub-key command to import the host key to the OCSBC.

    For importing a host key, this command takes the format:

    ssh-pub-key import known-host <name>

    where name is an alias or handle assigned to the imported host key, generally the server name or a description of the server function.

    ORACLE# ssh-pub-key import known-host fedallah
    
    IMPORTANT:
        Please paste ssh public key in the format defined in rfc4716.
        Terminate the key with ";" to exit.......
  4. Paste the public key with the bracketing Begin and End markers at the cursor point.
  5. Enter a semi-colon (;) to signal the end of the imported host key.
  6. Follow directions to save and activate the configuration.

    The entire import sequence is shown below.

    ORACLE# ssh-pub-key import known-host fedallah
    
    IMPORTANT:
     Please paste ssh public key in the format defined in rfc4716.
     Terminate the key with ";" to exit.......
    
    ---- BEGIN SSH2 PUBLIC KEY ----
    Comment: "2048-bit RSA, converted from OpenSSH by klee@acme54"
    AAAAB3NzaC1yc2EAAAABIwAAAQEA7OBf08jJe7MSMgerjDTgZpbPblrX4n17LQJgPC7clL
    cDGEtKSiVt5MjcSav3v6AEN2pYZihOxd2Zzismpoo019kkJ56s/IjGstEzqXMKHKUr9mBV
    qvqIEOTqbowEi5sz2AP31GUjQTCKZRF1XOQx8A44vHZCum93/jfNRsnWQ1mhHmaZMmT2LS
    hOr4J/Nlp+vpsvpdrolV6Ftz5eiVfgocxrDrjNcVtsAMyLBpDdL6e9XebQzGSS92TPuKP/
    yqzLJ2G5NVFhxdw5i+FvdHz1vBdvB505y2QPj/iz1u3TA/3O7tyntBOb7beDyIrg64Azc8
    G7E3AGiH49LnBtlQf/aw==
    ---- END SSH2 PUBLIC KEY ----
    ;
    SSH public key imported successfully....
    WARNING: Configuration changed, run "save-config" command to save it
    and run "activate-config" to activate the changes
    ORACLE# save-config
    checking configuration
    ---------------------------------------------------------------------
    ...
    ...
    ...
    ---------------------------------------------------------------------
    Save-Config received, processing.
    waiting for request to finish
    Request to 'SAVE-CONFIG' has Finished,
    Save complete
    Currently active and saved configurations do not match!
    To sync & activate, run 'activate-config' or 'reboot activate'.
    ORACLE# activate-config
    Activate-Config received, processing.
    waiting for request to finish
    SD is not QOS-capable
    Request to 'ACTIVATE-CONFIG' has Finished,
    Activate Complete
    ORACLE#

Importing SSH Keys

Use the following procedure to import an SSH public key.

Prior to using SSH public-key-based authentication, you must import a copy of the public key of each user who will authenticate using this method. The public key identifies the user as a trusted entity when the Oracle SBC performs authentication.

During the SSH login, the user presents its public key to the SBC. Upon receiving the offered public key, the SBC validates it against the previously obtained trusted copy of the key to identify and authenticate the user.

Importing a public key requires access to the device on which the public key was generated, or on which it is currently stored with its associated private key. Access is generally attained with a terminal emulation program such as PuTTY, SecureCRT, or TeraTerm.

  1. Use a terminal emulation program to access the system from which the public key will be obtained.
  2. Copy the base64 encoded public key making sure to include the Begin and End markers as specified by RFC 4716, The Secure Shell (SSH) Public Key File Format.
  3. From admin mode use the ssh-pub-key command to import the public key to the OCSBC.

    For importing a public key which will be used to authorize a user, this command takes the format:

    ssh-pub-key import authorized-key <name> <authorizationClass>
    • where name is an alias or handle assigned to the imported public key, often the user’s name.
    • where authorizationClass optionally designates the authorization class assigned to this user, and takes the value user (the default) or admin.

    To import a public key for Matilda, who will be authorized for admin privileges, use the following command:

    ORACLE# ssh-pub-key import authorized-key Matilda admin 
    
    IMPORTANT: 
      Please paste ssh public key in the format defined in rfc4716. 
      Terminate the key with ";" to exit....... 
  4. Paste the public key with the bracketing Begin and End markers at the cursor point.
  5. Enter a semi-colon (;) to signal the end of the imported public key.
  6. Follow directions to save and activate the configuration.

    The entire import sequence is shown below.

    ORACLE# ssh-pub-key import authorized-key Matilda admin 
    
    IMPORTANT: 
      Please paste ssh public key in the format defined in rfc4716. 
      Terminate the key with ";" to exit....... 
    
    ---- BEGIN SSH2 PUBLIC KEY ---- 
    Comment: "1024-bit RSA, converted from OpenSSH by abhat@acme74" 
    AAAAB3NzaC1yc2EAAAABIwAAAIEAxcYTV595VqdHy12P+mIZBlpeOZx9sX/mSAFihDJYdL
    qJIWdiZuSmny8HZIxTIC6na62iD25mlEdyLhlYOuknkYBCU7UsLwmx4dLDyHTbrQHz3b1q
    3Tb8auz97/J1p4pw39PT42CoRODzPBrXJV+OglNE/83C1y0SSJ8BjC9LEwE= 
    ---- END SSH2 PUBLIC KEY ----; 
    SSH public key imported successfully.... 
    WARNING: Configuration changed, run "save-config" command to save it 
    and run "activate-config" to activate the changes 
    ORACLE# save-config 
    checking configuration 
    ---------------------------------------------------------------------
    ... 
    ... 
    ... 
    ---------------------------------------------------------------------
    Save-Config received, processing. 
    waiting for request to finish 
    Request to 'SAVE-CONFIG' has Finished, 
    Save complete 
    Currently active and saved configurations do not match! 
    To sync & activate, run 'activate-config' or 'reboot activate'. 
    ORACLE# activate-config 
    Activate-Config received, processing. 
    waiting for request to finish 
    SD is not QOS-capable 
    Request to 'ACTIVATE-CONFIG' has Finished, 
    Activate Complete 
    ORACLE# 

Generating an SSH Key Pair

Use the following procedure to generate an SSH key pair.

The initial step in generating an SSH key pair is to configure a public key record which will serve as a container for the generated key pair.

  1. Navigate to the public-key configuration element.
    ORACLE# configure terminal 
    ORACLE(configure)# security 
    ORACLE(security)# public-key 
    ORACLE(public-key)# 
  2. Use the name command to provide the object name, and the show command to verify object creation.
    ORACLE(public-key)# name tashtego 
    ORACLE(public-key)# show public-key 
     name                  tashtego 
     type                  rsa
     size                  1024
     last-modified-by 
     last-modified-date
    
    ORACLE(public-key)# 

    creates a public key record named tashtego.

  3. Use the done command to complete object creation.
    ORACLE(public-key)# done 
    public-key 
    name                   tashtego 
    type                   rsa 
    size                   1024 
    last-modified-by       admin@console 
    last-modified-date     2009-03-06 11:18:00 
    ORACLE(public-key)# 
  4. Make a note of the last-modified-date time value.
  5. Move back to admin mode, and save and activate the configuration.
    ORACLE(public-key)# exit 
    ORACLE(security)# exit 
    ORACLE(configure)# exit 
    ORACLE# 
    ORACLE# save-config 
    ... 
    ... 
    ... 
    ORACLE# activate-config 
    ... 
    ... 
    ... 
    ORACLE# 
  6. Now use the ssh-pub-key generate command, in conjunction with the name of the public key record created in Step 3, to generate an SSH key pair.

    For generating an SSH key pair, this command takes the format:

    ssh-pub-key generate <name> 

    where name is an alias or handle assigned to the generated key pair, generally the client name or a description of the client function.

    ORACLE# ssh-pub-key generate tashtego 
    Please wait... 
    public-key 'tashtego' (RFC 4716/SECSH format): 
    ---- BEGIN SSH2 PUBLIC KEY ---- 
    Comment: "1024-bit rsa" 
    AAAAB3NzaC1yc2EAAAABIwAAAIEArZEP1/WiYsdGd/Pi8V6pnSwV4cVG4U+jVOwiSwNJCC9Nk82/FKYleLZevy9D3lrZ8ytvu+sCYy0fNk4nwvz20c2N+r86kDru88JkUqpelJDx1AR718Icpr7ZaAx2L+e7cpyRSXCgbQR7rXu2H3bp9Jc0VhR2fmkclmrGAIr7Gnc=
    ---- END SSH2 PUBLIC KEY ---- 
    SSH public-key pair generated successfully.... 
    WARNING: Configuration changed, run "save-config" command to save it
    and run "activate-config" to activate the changes
    ORACLE# 
  7. Copy the base64-encoded public key. Copy only the actual public key — do not copy the bracketing Begin and End markers nor any comments. Shortly you will paste the public key to one or more SFTP servers.
  8. Save and activate the configuration.
    ORACLE# save-config 
    ... 
    ... 
    ... 
    ORACLE# activate-config 
    ... 
    ... 
    ... 
  9. Return to the public-key configuration object, and select the target public key record instance.
    ORACLE# configure terminal 
    ORACLE(configure)# security 
    ORACLE(security)# public-key 
    ORACLE(public-key)# sel 
    <name>: 
    1: acme01 
    2: acme02 
    3: tashtego 
    
    selection: 3 
    ORACLE(public-key)# show 
    public-key 
          name                     tashtego 
          type                     rsa 
          size                     1024 
          last-modified-by         admin@console 
          last-modified-date       2009-03-06 11:24:32 
    ORACLE(public-key)# 
  10. Verify that the record has been updated to reflect key generation by examining the value of the last-modified-date field.

Copying Public Key to SFTP Server

Use the following procedure to copy a client public key to an SFTP server.

Copying the client public key to an SFTP server requires server access generally using a terminal emulation program such as PuTTY, SecureCRT, or TeraTerm.
  1. Use a terminal emulation program to access the SSH file system on a configured SFTP server.
  2. Copy the client key to the SFTP server.

    On OpenSSH implementations, public keys are usually stored in the ~/.ssh/authorized_keys file. Each line of this file (1) is empty, (2) starts with a pound (#) character (indicating a comment), or (3) contains a single public key.

    Refer to the sshd man pages for additional information regarding file format.

    Use a text editor such as vi or emacs to open the file and paste the public key to the tail of the authorized_keys file.

    For SSH implementations other than OpenSSH, consult the system administrator for file structure details.

    Use the following procedure to view an imported SSH key.

    You can use the show security ssh-pub-key command to display information about SSH keys imported to the OCSBC with the ssh-pub-key command; you cannot display information about keys generated by the ssh-pub-key command.

    ORACLE# show security ssh-pub-key brief
    login-name:
        acme74
    finger-print:
        51:2f:f1:dd:79:9e:64:85:6f:22:3d:fe:99:1f:c8:21
    finger-print-raw:
        0a:ba:d8:ef:bb:b4:41:d0:dd:42:b0:6f:6b:50:97:31
    login-name:
        fedallah
    finger-print:
        c4:a0:eb:79:5b:19:01:f1:9c:50:b3:6a:6a:7c:63:d5
    finger-print-raw:
        ac:27:58:14:a9:7e:83:fd:61:c0:5c:c8:ef:78:e0:9c
    ORACLE#

    displays summary information for all SSH imported keys

    • login-name—contains the name assigned to the RSA or DSA public key when it was first imported
    • finger-print—contains the output of an MD5 hash computed across the base64-encoded public key
    • finger-print-raw—contains the output of an MD5 hash computed across the binary form of the public key
    ORACLE# show security ssh-pub-key brief fedallah 
    login-name: 
         fedallah 
    finger-print: 
         c4:a0:eb:79:5b:19:01:f1:9c:50:b3:6a:6a:7c:63:d5 
    finger-print-raw: 
         ac:27:58:14:a9:7e:83:fd:61:c0:5c:c8:ef:78:e0:9c 
    ORACLE# 

    displays summary information for a specific SSH public key (in this case fedallah)

    ORACLE# show security ssh-pub-key detail fedallah 
    host-name: 
         fedallah 
    comment: 
         "2048-bit RSA, converted from OpenSSH by klee@acme54" 
    finger-print: 
         c4:a0:eb:79:5b:19:01:f1:9c:50:b3:6a:6a:7c:63:d5 
    finger-print-raw: 
         ac:27:58:14:a9:7e:83:fd:61:c0:5c:c8:ef:78:e0:9c 
    pub-key: 
    
    AAAAB3NzaC1yc2EAAAABIwAAAQEA7OBf08jJe7MSMgerjDTgZpbPblrX4n17LQJgPC7clLcDGEtKSiVt5MjcSav3v6AEN2pYZihOxd2Zzismpoo019kkJ56s/IjGstEzqXMKHKUr9mBVqvqIEOTqbowEi5sz2AP31GUjQTCKZRF1XOQx8A44vHZCum93/jfNRsnWQ1mhHmaZMmT2LShOr4J/Nlp+vpsvpdrolV6Ftz5eiVfgocxrDrjNcVtsAMyLBpDdL6e9XebQzGSS92TPuKP/yqzLJ2G5NVFhxdw5i+FvdHz1vBdvB505y2QPj/iz1u3TA/3O7tyntBOb7beDyIrg64Azc8G7E3AGiH49LnBtlQf/aw==
    
    modulus: (256) 
    exponent: (1) 
    23 
    
    ORACLE# 

    displays detailed information for specific SSH public key (in this case fedallah, an RSA key)

    • host-name—contains the name assigned to the RSA key when it was first imported
    • finger-print—contains the output of an MD5 hash computed across the base64-encoded RSA public key
    • finger-print-raw—contains the output of an MD5 hash computed across the binary form of the RSA public key
    • public key—contains the base64-encoded RSA key
    • modulus—contains the hexadecimal modulus (256) of the RSA key
    • exponent—(also known as public exponent or encryption exponent) contains an integer value that is used during the RSA key generation algorithm. Commonly used values are 17 and 65537. A prime exponent greater than 2 is generally used for more efficient key generation.
    ORACLE# show security ssh-pub-key detail acme74 
    host-name: 
         acme74 
    comment: 
         DSA Public Key 
    finger-print: 
         51:2f:f1:dd:79:9e:64:85:6f:22:3d:fe:99:1f:c8:21 
    finger-print-raw: 
         0a:ba:d8:ef:bb:b4:41:d0:dd:42:b0:6f:6b:50:97:31 
    pub-key: 
    
    p: (128) 
    F63C64E1D8DB2152240E97602F47470347C5A7A1BF1E70389D2BCD9773A12397C5B1135BA4E81EFF03D5427FCFECC7A3D162928E57C9B6670C86810C7B5B950F98A7B4ADC7296D1E75C5D582DF283D46E13E8962B747608D783A6D5E83D7B836709195E6AAA193C5DD419F6626BA6D7AC64D07F7809AB67BB622B24FE017ED55
    q: (20) 
    DBF03E5CBF01D64D90CF7D7D03DACF5177B341BD 
    g: (128) 
    94DF76F816FB0F828B624DC8C116D76E5C177643E0800E297DDB56F6F19F274FD11DDF8D8C1E1EA350FED1D8B1EAD5F060637B3CA4B947F1573CDC311CF6A9723F6E2F5267D80590D9DB249DFFA2FC5000BE2A143E499D31CD33B96A12384B12361543B57DD676F55C19C06AF5C7ADCEBB4E2963A8709989F34A9A7714D11ED5
    pub_key: (128) 
    DEC263E28ABF5807A51CC5C1D426EC72BD6DBD4B028D8AC1AA179DA74581EA6D34141E4971B5BCEF89B2FA6154C04973D1D29F6E1562D62DB0CBBBE2A5EF8988F3895B9C58A8E32846F5D63BAA9C5D060E50775559B11CB9B19C0CFAE3758AE3667B74B339B18DBDA2E7B3BF85F3D8FB8C721E5518F3FE083AB308CE25A16815
    
    ORACLE# 

    displays detailed information for specific SSH public key (in this case acme74, a DSA key)

    • host name—contains the name assigned to the DSA public key when it was first imported
    • comment—contains any comments associated with the DSA key
    • finger-print—contains the output of an MD5 hash computed across the base64-encoded DSA public key
    • finger-print-raw—contains the output of an MD5 hash computed across the binary form of the DSA public key
    • public key—contains the base64 encoded DSA key
    • p—contains the first of two prime numbers used for key generation
    • q—contains the second of two prime numbers used for key generation
    • g—contains an integer that, together with p and q, is an input to the DSA key generation algorithm
    ORACLE# show security ssh-pub-key detail 
    ... 
    ... 
    ... 
    ORACLE# 

    displays detailed information for all SSH imported keys.
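
The key-handling steps in the import, generate and copy procedures above, together with the two fingerprint fields, as an added example that is not part of the Oracle documentation: it converts between the RFC 4716 form that the ssh-pub-key command expects and the one-line form used in authorized_keys, and computes MD5 fingerprints the way the field descriptions state them. The sample key is a constructed dummy blob, and the exact bytes the OCSBC hashes are an assumption to confirm against one known key.

```python
import base64
import hashlib
import struct

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"

def parse_rfc4716(text: str):
    """Return (headers, binary key blob) from RFC 4716 text; markers are required."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing RFC 4716 Begin/End markers")
    headers, body, i = {}, [], 1
    while i < len(lines) - 1:
        line = lines[i]
        if ":" in line and not body:
            # A header continues on the next line when it ends with a backslash.
            while line.endswith("\\") and i + 1 < len(lines) - 1:
                i += 1
                line = line[:-1] + lines[i]
            tag, value = line.split(":", 1)
            headers[tag.strip().lower()] = value.strip().strip('"')
        else:
            body.append(line)
        i += 1
    return headers, base64.b64decode("".join(body), validate=True)

def key_type(blob: bytes) -> str:
    """The first length-prefixed field of the blob names the algorithm."""
    (n,) = struct.unpack_from(">I", blob, 0)
    return blob[4:4 + n].decode("ascii")

def to_authorized_keys_line(blob: bytes, comment: str = "") -> str:
    """OpenSSH one-line form: algorithm, bare base64 key, optional comment."""
    b64 = base64.b64encode(blob).decode("ascii")
    return " ".join(p for p in (key_type(blob), b64, comment) if p)

def to_rfc4716(openssh_line: str) -> str:
    """Wrap an OpenSSH one-line public key in RFC 4716 markers for pasting."""
    fields = openssh_line.split(None, 2)
    blob = base64.b64decode(fields[1], validate=True)
    if key_type(blob) != fields[0]:
        raise ValueError("algorithm name does not match key blob")
    out = [BEGIN]
    if len(fields) == 3:
        out.append(f'Comment: "{fields[2]}"')
    out += [fields[1][i:i + 70] for i in range(0, len(fields[1]), 70)]
    return "\n".join(out + [END])

def fingerprints(blob: bytes) -> dict:
    """MD5 over the base64 text and over the binary blob, colon-separated."""
    def colon_hex(data: bytes) -> str:
        digest = hashlib.md5(data).hexdigest()
        return ":".join(digest[i:i + 2] for i in range(0, 32, 2))
    return {"finger-print": colon_hex(base64.b64encode(blob)),
            "finger-print-raw": colon_hex(blob)}

def constructed_rsa_blob() -> bytes:
    """Constructed sample: well-formed ssh-rsa blob with a dummy modulus, not a real key."""
    def ssh_string(data: bytes) -> bytes:
        return struct.pack(">I", len(data)) + data
    modulus = b"\x00" + bytes(range(0x80, 0x100))
    return ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(modulus)

if __name__ == "__main__":
    blob = constructed_rsa_blob()
    pasted = to_rfc4716(to_authorized_keys_line(blob, "constructed-sample"))
    print(pasted)
    print(fingerprints(parse_rfc4716(pasted)[1]))
```

Comparing a fingerprint computed on the source system with the value shown by show security ssh-pub-key confirms that the key stored on the OCSBC is the one that was copied, before it is relied on for host or user authentication.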

SFTP Operations

SFTP performs all operations over an encrypted SSH connection. It may also use many features of SSH, such as public key authentication and compression. SFTP connects and logs into the specified host, then enters an interactive command mode.

Once in interactive mode, SFTP understands a set of commands similar to those of FTP. Commands are case insensitive and pathnames may be enclosed in quotes if they contain spaces.

The following lists supported SFTP commands:
  • bye—Quit SFTP.
  • cd path—Change remote directory to path.
  • lcd path—Change local directory to path.
  • chgrp grp path—Change group of file path to group. group must be a numeric GID.
  • chmod mode path—Change permissions of file path to mode.
  • chown own path—Change owner of file path to own. own must be a numeric UID.
  • dir (or ls)—List the files in the current directory.
  • exit—Quit SFTP.
  • get [flags] remote-path [local-path]—Retrieve the remote-path and store it on the local machine. If the local path name is not specified, it is given the same name it has on the remote machine. If the -P flag is specified, then the file's full permission and access time are copied too.
  • help—Display help text.
  • lcd—Change the directory on the local computer.
  • lls [ls-options [path]]—Display local directory listing of either path or current directory if path is not specified.
  • lmkdir path—Create local directory specified by path.
  • ln oldpath newpath—Create a symbolic link from oldpath to newpath.
  • lpwd—Print local working directory.
  • ls [path]—Display remote directory listing of either path or current directory if path is not specified.
  • lumask umask—Set local umask to umask.
  • mkdir path—Create remote directory specified by path.
  • put [flags] local-path [remote-path]—Upload local-path and store it on the remote machine. If the remote path name is not specified, it is given the same name it has on the local machine. If the -P flag is specified, then the file's full permission and access time are copied too.
  • pwd—Display remote working directory.
  • quit—Quit SFTP.
  • rename oldpath newpath—Rename remote file from oldpath to newpath.
  • rmdir path—Remove remote directory specified by path.
  • rm path—Delete remote file specified by path.
  • symlink oldpath newpath—Create a symbolic link from oldpath to newpath.
  • ! command—Execute command in local shell.
  • !—Escape to local shell.
  • ?—Synonym for help.

Note:

Command availability is subject to Oracle authorization/privilege classes.

Some SFTP commands are available to only certain users; some commands are available to no users.

RADIUS file access privileges are specified by the Acme-User-Privilege VSA, which can take the following values.

  • sftpForAudit—allows audit log access
  • sftpForAccounting—allows system logs to be accessed
  • sftpForHDR—allows HDR (Historical Data Records) to be accessed
  • sftpForAll—allows all logs to be accessed