SSH and SFTP

With the Admin Security or JITC feature sets enabled, the Secure Shell (SSH) and related Secure Shell File Transfer (SFTP) protocols provide for the secure transfer of audit files and of management traffic across the wancom0 interface.

SSH Operations

SSH Version 2.0, the only version supported on the SBC, is defined by a series of five RFCs:

  • RFC 4250, The Secure Shell (SSH) Protocol Assigned Numbers
  • RFC 4251, The Secure Shell (SSH) Protocol Architecture
  • RFC 4252, The Secure Shell (SSH) Authentication Protocol
  • RFC 4253, The Secure Shell (SSH) Transport Layer Protocol
  • RFC 4254, The Secure Shell (SSH) Connection Protocol

RFCs 4252 and 4253 are most relevant to SBC operations.

The transport layer protocol (RFC 4253) provides algorithm negotiation and key exchange. The key exchange includes server authentication and results in a cryptographically secured connection that provides integrity, confidentiality and optional compression. Forward secrecy is provided through a Diffie-Hellman key agreement, which results in a shared session key. The rest of the session is encrypted using a symmetric cipher, currently 128-bit AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES. The client selects the encryption algorithm to use from those offered by the server. Additionally, session integrity is provided through a cryptographic message authentication code (hmac-md5, hmac-sha1, umac-64 or hmac-ripemd160).

The authentication protocol (RFC 4252) runs over the secure connection established by the transport layer. It provides several mechanisms for user authentication. Two modes are supported by the SBC: traditional password authentication and public-key authentication.

Configuring SSH Properties

The single instance ssh-config configuration element specifies SSH re-keying thresholds.

  1. From admin mode, use the following command path to access the ssh configuration element:
    ORACLE# configure terminal
    ORACLE(configure)# security
    ORACLE(security)# ssh-config
    ORACLE(ssh-config)#

    ssh configuration element properties are shown below with their default values:

    rekey-interval        60 
    rekey-byte-count      31
  2. rekey-interval—specifies the maximum allowed interval, in minutes, between SSH key negotiations

    Allowable values are integers within the range 60 through 600, with a default of 60 (minutes). Shorter lifetimes provide more secure connections.

    Works in conjunction with rekey-byte-count, which sets a packet-based threshold; whichever threshold is reached first triggers an SSH renegotiation.

    Retain the default value, or specify a new value.

    ORACLE(ssh-config)# rekey-interval 20
    ORACLE(ssh-config)#
  3. rekey-byte-count—specifies the maximum allowed send and receive packet count, in powers of 2, between SSH key negotiations

    Allowable values are integers within the range 20 (1,048,576 packets) through 31 (2,147,483,648 packets), with a default of 31 (2^31). Smaller packet counts provide more secure connections.

    Works in conjunction with rekey-interval, which sets a time-based threshold; whichever threshold is reached first triggers an SSH renegotiation.

    Retain the default value, or specify a new value.

    ORACLE(ssh-config)# rekey-byte-count 24
    ORACLE(ssh-config)#

    A sample SSH configuration appears below:

    ORACLE(ssh-config)# rekey-interval 20 
    ORACLE(ssh-config)# done 
    ORACLE(ssh-config)# exit 
    ORACLE(security)# 

    This configuration renegotiates the session key every 20 minutes, or after 2,147,483,648 packets have been received or transmitted, whichever comes first.

Manage SSH Keys

Use the ssh-key command to manage SSH keys for the SBC.

Add an SSH Authorized Key

To authenticate to the SBC using public key authentication rather than a password, use the ssh-key command with the authorized-key import argument.

  1. On the SSH client, convert the public key of the SSH client into RFC 4716 format.

    Note:

    Valid RSA key sizes are 2048, 3072, or 4096 bytes. The only valid DSA key size is 1024 bytes.
    To do this on Oracle Linux, use the ssh-keygen command.
    [bob@client ~]$ ssh-keygen -e -f .ssh/id_rsa.pub 
    ---- BEGIN SSH2 PUBLIC KEY ----
    Comment: "4096-bit RSA, converted by bob@client from OpenSSH"
    AAAAB3NzaC1yc2EAAAADAQABAAACAQDOTDujYoQXzjTt9I8YvJMvfSVlWZ6iDzfRx06R3l
    Rj/lrjxlWDMc/Y/uEd2sJ+5wdlCnJPREOuCGbU8S6295486D1kbu76cEDxE+adca3/9+qo
    7FQVugkRJBD0ZOj/3qcuKDOh6ZsalF9LaaNMPNWNiQ5n3bWBnQ1tMMEes58JvoNgjn9FOz
    hbOdOe91K/OdRA0/YzrguaCA6/vE/tUP+xDD/GOu7KyvN1dsgo1vnYZLG7p8vGgt61eTyC
    V6qMEkceGatQvfiBb4XZCeODtC2KBv4pbJpt1zPKOpF4XFb2LferPxAL9rsSRSUOk9tZNc
    x1GM3+UUYwT9dF8bcUfomZCKd07kzPh206nZr/uCElXVtCqghgVRQW8uiFRh6ycVWY/pBq
    uhPfihKHilZEahOOc08ax14XTK89ovJzjbHezaV/NghkfWpn3W7gDNJTbLbxpbrLDkJBPJ
    IltJ5QqwVK/Hi+69x9CxFOkyNpxWFexHPIeq4q0liPoah42MBPAQl30bWULgBP+K0ugzqQ
    cSPAhi9FMq6ZVFTmaiPX8JH8JAceswd500x9jMmV91obzTZmXAQsfVpi0asxRhfficEIfs
    UJ/FHwW2p13YmDVH1AjVmCDn9T46I05Cq+ImrUBX+JAEa6yQU6R6/s7maVDqpdtkpFp0ql
    CWQHHw9J1fYS4w==
    ---- END SSH2 PUBLIC KEY ----
    [bob@client ~]$ 
  2. On the SBC, use the ssh-key command with the authorized-key import argument.
    The command syntax:
    ssh-key authorized-key import <name> <class>
    The <name> parameter is the identifier for the SSH client. The <class> is one of the two authorization classes on the SBC: either user or admin.
    ORACLE# ssh-key authorized-key import bob admin    
    
    IMPORTANT:
            Please paste SSH public key in the format defined in RFC 4716.
            Terminate the key with ";" to exit.......
    
    ---- BEGIN SSH2 PUBLIC KEY ----
    Comment: "4096-bit RSA, converted by bob@client from OpenSSH"
    AAAAB3NzaC1yc2EAAAADAQABAAACAQDOTDujYoQXzjTt9I8YvJMvfSVlWZ6iDzfRx06R3l
    Rj/lrjxlWDMc/Y/uEd2sJ+5wdlCnJPREOuCGbU8S6295486D1kbu76cEDxE+adca3/9+qo
    7FQVugkRJBD0ZOj/3qcuKDOh6ZsalF9LaaNMPNWNiQ5n3bWBnQ1tMMEes58JvoNgjn9FOz
    hbOdOe91K/OdRA0/YzrguaCA6/vE/tUP+xDD/GOu7KyvN1dsgo1vnYZLG7p8vGgt61eTyC
    V6qMEkceGatQvfiBb4XZCeODtC2KBv4pbJpt1zPKOpF4XFb2LferPxAL9rsSRSUOk9tZNc
    x1GM3+UUYwT9dF8bcUfomZCKd07kzPh206nZr/uCElXVtCqghgVRQW8uiFRh6ycVWY/pBq
    uhPfihKHilZEahOOc08ax14XTK89ovJzjbHezaV/NghkfWpn3W7gDNJTbLbxpbrLDkJBPJ
    IltJ5QqwVK/Hi+69x9CxFOkyNpxWFexHPIeq4q0liPoah42MBPAQl30bWULgBP+K0ugzqQ
    cSPAhi9FMq6ZVFTmaiPX8JH8JAceswd500x9jMmV91obzTZmXAQsfVpi0asxRhfficEIfs
    UJ/FHwW2p13YmDVH1AjVmCDn9T46I05Cq+ImrUBX+JAEa6yQU6R6/s7maVDqpdtkpFp0ql
    CWQHHw9J1fYS4w==
    ---- END SSH2 PUBLIC KEY ----;

    Note:

    If the Admin Security entitlement is enabled, the SSH client keys must be at least 2048 bits.

    Note:

    Oracle recommends keys be at least 2048 bits.
  3. Save and activate the configuration.

Export an Authorized Key

To export a previously imported SSH public key, use the ssh-key command with the authorized-key export argument.

  1. List the available ssh-key elements.
    ORACLE# show running-config ssh-key                  
    ssh-key
            name                                    bob
            type                                    authorized-key
            encryption-type                         rsa
            size                                    4096
            last-modified-by                        admin@10.0.0.20
            last-modified-date                      2020-05-12 13:58:39
    ssh-key
            name                                    alice
            type                                    authorized-key
            encryption-type                         rsa
            size                                    4096
            last-modified-by                        admin@10.0.0.37
            last-modified-date                      2020-05-12 14:23:47
    ssh-key
            name                                    logserver
            type                                    known-host
            encryption-type                         rsa
            size                                    2048
            last-modified-by                        admin@10.0.0.37
            last-modified-date                      2020-05-11 15:18:36
  2. For any ssh-key element whose type is authorized-key, use the ssh-key authorized-key export <name> command to export the user's public key.
    ORACLE# ssh-key authorized-key export bob
    public-key 'bob' (RFC 4716/SECSH format):
    
    ---- BEGIN SSH2 PUBLIC KEY ----
    Comment: "4096-bit rsa"
    AAAAB3NzaC1yc2EAAAADAQABAAACAQDOTDujYoQXzjTt9I8YvJMvfSVlWZ6iDzfRx06R3l
    Rj/lrjxlWDMc/Y/uEd2sJ+5wdlCnJPREOuCGbU8S6295486D1kbu76cEDxE+adca3/9+qo
    7FQVugkRJBD0ZOj/3qcuKDOh6ZsalF9LaaNMPNWNiQ5n3bWBnQ1tMMEes58JvoNgjn9FOz
    hbOdOe91K/OdRA0/YzrguaCA6/vE/tUP+xDD/GOu7KyvN1dsgo1vnYZLG7p8vGgt61eTyC
    V6qMEkceGatQvfiBb4XZCeODtC2KBv4pbJpt1zPKOpF4XFb2LferPxAL9rsSRSUOk9tZNc
    x1GM3+UUYwT9dF8bcUfomZCKd07kzPh206nZr/uCElXVtCqghgVRQW8uiFRh6ycVWY/pBq
    uhPfihKHilZEahOOc08ax14XTK89ovJzjbHezaV/NghkfWpn3W7gDNJTbLbxpbrLDkJBPJ
    IltJ5QqwVK/Hi+69x9CxFOkyNpxWFexHPIeq4q0liPoah42MBPAQl30bWULgBP+K0ugzqQ
    cSPAhi9FMq6ZVFTmaiPX8JH8JAceswd500x9jMmV91obzTZmXAQsfVpi0asxRhfficEIfs
    UJ/FHwW2p13YmDVH1AjVmCDn9T46I05Cq+ImrUBX+JAEa6yQU6R6/s7maVDqpdtkpFp0ql
    CWQHHw9J1fYS4w==
    ---- END SSH2 PUBLIC KEY ----
    
    ORACLE#

Delete an Authorized Key

To delete a previously imported SSH public key, use the ssh-key command with the authorized-key delete argument.

  1. List the available ssh-key elements.
    ORACLE# show running-config ssh-key                  
    ssh-key
            name                                    bob
            type                                    authorized-key
            encryption-type                         rsa
            size                                    4096
            last-modified-by                        admin@10.0.0.20
            last-modified-date                      2020-05-12 13:58:39
    ssh-key
            name                                    alice
            type                                    authorized-key
            encryption-type                         rsa
            size                                    4096
            last-modified-by                        admin@10.0.0.37
            last-modified-date                      2020-05-12 14:23:47
    ssh-key
            name                                    logserver
            type                                    known-host
            encryption-type                         rsa
            size                                    2048
            last-modified-by                        admin@10.0.0.37
            last-modified-date                      2020-05-11 15:18:36
  2. For any ssh-key element whose type is authorized-key, use the ssh-key authorized-key delete <name> command to delete the user's public key.
    ORACLE# ssh-key authorized-key delete bob    
    SSH public key deleted successfully....
    WARNING: Configuration changed, run "save-config" command to save it
    and run "activate-config" to activate the changes
    ORACLE#
  3. Save and activate the configuration.

Add an SSH Known Host Key

For the SBC to verify the identity of an SFTP server when it connects over SSH, the public host key of the SFTP server must be imported into the known_hosts file of the SBC.

  1. Convert the public key of the SFTP server into RFC 4716 format.
    There are two ways to do this.
    1. SSH to the SFTP server and run the ssh-keygen command on the server's host key.

      For OpenSSH implementations, host keys are generally found at /etc/ssh/ssh_host_rsa_key.pub. Other SSH implementations may differ. To do this on Oracle Linux, use the ssh-keygen command.

      [user@logserver ~]$ ssh-keygen -e -f /etc/ssh/ssh_host_rsa_key.pub 
      ---- BEGIN SSH2 PUBLIC KEY ----
      Comment: "2048-bit RSA, converted by user@logserver from OpenSSH"
      AAAAB3NzaC1yc2EAAAADAQABAAABAQDwifpOpBKoDhzJXglzdoOfZ39TiU7jhygbPGQTw0
      j3zISW57PRbSulVw1hBHwqJwZZc6nr1JXaiHN7ieYT/96QCXQ56JH9Lcjej6iHplfhJO44
      qIgZIlRtD0e5y6YBzDgcI3T8J6n0jHwksvwKttObk8SoZl1mqE4xPXSiTVB1PzMNxF0dWV
      rgvGK227PsOfPLypL3RhnmqFbVRIhMKW7a80p7I+T6mAoq8UdzejbyhEK+e0Ge3F9i1g49
      oHWHNnSvU64F1ADybbZrclvvt8vofIzraGMBRjLs5Yl8bbdId/4UBci1fONmIUzxVse5NM
      PwNj0cjvNPS1/LOcKUgQxN
      ---- END SSH2 PUBLIC KEY ----
      [user@logserver ~]$ 
    2. Run the ssh-keyscan command from a Linux client and convert that key with the ssh-keygen command.
      ssh-keyscan -t rsa 10.0.0.6 | sed 's/.*ssh/ssh/' > key.pub
      ssh-keygen -ef key.pub
  2. On the SBC, use the ssh-key command to import the host key of the SFTP server into the known_hosts file of the SBC.

    The command syntax:

    ssh-key known-host import <name>

    For SFTP push to work properly, the <name> parameter must be the IP address or hostname of the SFTP server.

    ORACLE# ssh-key known-host import 10.0.0.12
  3. Paste the public key with the bracketing Begin and End markers at the cursor point.
  4. Enter a semi-colon (;) to signal the end of the imported host key.

    The entire import sequence is shown below.

    ORACLE# ssh-key known-host import 10.0.0.12
    
    IMPORTANT:
            Please paste SSH public key in the format defined in RFC 4716.
            Terminate the key with ";" to exit.......
    
    ---- BEGIN SSH2 PUBLIC KEY ----
    Comment: "2048-bit RSA, converted by user@logserver from OpenSSH"
    AAAAB3NzaC1yc2EAAAADAQABAAABAQDJXglzdiU7jhywifpOpBKoDhoOfZ39TzgbPGQTw0
    j357PRbSulHwaiHN7zEVw1hBISWie6nrQ56JH9Lcjej1JX96QCYT/qJwZZcX6iHplfhJO4
    q8J6nIlRtD0e5y60jHwgZYBzDksvwKk8SSiTVB10ttObdWVoZl1mqPzMNxFE4xPXIgcI3T
    rgvGKR27PsOfPLy80p7IpLhnmqFjbyhEK+e0KW7a+T6mbV23RIhMzeAoq8UdGe3F9i1g49
    oHWs5mDybHNnBRjLbZrcSvU64F1AMlvvtUzxVse5NM8vofIzraGIYl8bbdId/4UBci1fON
    PwNPS1/LONj0cjvcKUgQxN
    ---- END SSH2 PUBLIC KEY ----;
    
    SSH public key imported successfully....
    WARNING: Configuration changed, run "save-config" command to save it
    and run "activate-config" to activate the changes

    Import both the RSA key and the DSA key if you are not sure which one the SFTP server uses.

  5. Save and activate the configuration.
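
The client-key and host-key procedures above both end with an RFC 4716 block pasted into the SBC and terminated with ";". As an added example that is not part of the Oracle documentation, this Python script does those steps offline: it decodes an OpenSSH one-line key as written by ssh-keygen or ssh-keyscan (dropping the host prefix the way the sed expression in step 1 does), emits the RFC 4716 block with the ";" terminator, and checks the key size against the rules this page states before anything is pasted. The key material is constructed sample data rather than a real key pair, and the policy function encodes only the sizes listed on this page.

```python
"""Offline helper for the SBC key procedures on this page: decode an OpenSSH
one-line key (ssh-keygen or ssh-keyscan output), emit the RFC 4716 block the
SBC import expects, and check the page's key size rules before pasting."""
import base64
import struct

RFC4716_BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
RFC4716_END = "---- END SSH2 PUBLIC KEY ----"

def _read_string(blob, off):
    # One SSH wire 'string': uint32 big-endian length followed by the bytes.
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def parse_blob(blob):
    """Return (key_type, bits): RSA size is the modulus length, DSA size the
    length of the prime p (the first mpint of an ssh-dss blob)."""
    ktype, off = _read_string(blob, 0)
    ktype = ktype.decode("ascii")
    if ktype == "ssh-rsa":
        _exponent, off = _read_string(blob, off)
        modulus, off = _read_string(blob, off)
        return ktype, int.from_bytes(modulus, "big").bit_length()
    if ktype == "ssh-dss":
        p, off = _read_string(blob, off)
        return ktype, int.from_bytes(p, "big").bit_length()
    raise ValueError(f"unsupported key type {ktype!r}")

def decode_openssh(line):
    """Decode '[host] key-type BASE64 [comment]'; a leading ssh-keyscan host
    field is skipped, which is what the page's sed expression does."""
    fields = line.split()
    for i, field in enumerate(fields):
        if field in ("ssh-rsa", "ssh-dss"):
            return base64.b64decode(fields[i + 1], validate=True)
    raise ValueError("no ssh-rsa/ssh-dss key field found")

def decode_rfc4716(text):
    """Decode an RFC 4716 block, tolerating the trailing ';' the SBC import
    prompt asks for and header continuation lines that end in a backslash."""
    lines = [l.strip() for l in text.strip().rstrip(";").strip().splitlines()]
    if lines[0] != RFC4716_BEGIN or lines[-1] != RFC4716_END:
        raise ValueError("missing RFC 4716 BEGIN/END markers")
    i = 1
    while i < len(lines) - 1 and ":" in lines[i]:  # base64 never contains ':'
        while lines[i].endswith("\\"):
            i += 1
        i += 1
    return base64.b64decode("".join(lines[i:-1]), validate=True)

def to_rfc4716(blob, comment, sbc_terminator=False):
    """Encode as RFC 4716 with 70-column body lines, like ssh-keygen -e does;
    sbc_terminator=True appends the ';' the SBC import expects."""
    b64 = base64.b64encode(blob).decode("ascii")
    out = [RFC4716_BEGIN, f'Comment: "{comment}"']
    out += [b64[i:i + 70] for i in range(0, len(b64), 70)]
    out.append(RFC4716_END + (";" if sbc_terminator else ""))
    return "\n".join(out)

def check_sbc_policy(ktype, bits, admin_security=True):
    """Size rules stated on this page: RSA 2048/3072/4096, DSA 1024, and at
    least 2048 bits when the Admin Security entitlement is enabled."""
    allowed = {"ssh-rsa": (2048, 3072, 4096), "ssh-dss": (1024,)}.get(ktype, ())
    if bits not in allowed:
        return False, f"{ktype} size {bits} is not one of {allowed}"
    if admin_security and bits < 2048:
        return False, f"{bits}-bit {ktype} key is below the 2048-bit Admin Security minimum"
    return True, "ok"

def build_rsa_blob(modulus, exponent=65537):
    """Build an ssh-rsa wire blob from integers (constructed sample input only; not a real key)."""
    def string(b):
        return struct.pack(">I", len(b)) + b
    def mpint(n):  # a positive mpint gets a leading 0x00 when its high bit is set
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return string(b"\x00" + raw if raw[0] & 0x80 else raw)
    return string(b"ssh-rsa") + mpint(exponent) + mpint(modulus)

def openssh_line(blob, host=None, comment=None):
    """One-line form as ssh-keyscan (with host) or ssh-keygen (without) emits."""
    fields = [parse_blob(blob)[0], base64.b64encode(blob).decode("ascii")]
    return " ".join(([host] if host else []) + fields + ([comment] if comment else []))

if __name__ == "__main__":
    # Constructed sample: a 2048-bit modulus presented the way ssh-keyscan reports a host key.
    scan = openssh_line(build_rsa_blob((1 << 2047) | 12345), host="10.0.0.6")
    block = to_rfc4716(decode_openssh(scan), "2048-bit RSA, constructed sample", sbc_terminator=True)
    ktype, bits = parse_blob(decode_rfc4716(block))
    print(block)
    print(ktype, bits, check_sbc_policy(ktype, bits))
```

A key that fails check_sbc_policy would be rejected or leave the SBC unreachable for that user once Admin Security is enabled, so run the check before pasting rather than after.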
Delete an SSH Known Hosts Key

Delete expired SSH keys from the known_hosts file of the SBC.

  1. List the available ssh-key elements.
    ORACLE# show running-config ssh-key                  
    ssh-key
            name                                    bob
            type                                    authorized-key
            encryption-type                         rsa
            size                                    4096
            last-modified-by                        admin@10.0.0.20
            last-modified-date                      2020-05-12 13:58:39
    ssh-key
            name                                    alice
            type                                    authorized-key
            encryption-type                         rsa
            size                                    4096
            last-modified-by                        admin@10.0.0.37
            last-modified-date                      2020-05-12 14:23:47
    ssh-key
            name                                    10.0.0.12
            type                                    known-host
            encryption-type                         rsa
            size                                    2048
            last-modified-by                        admin@10.0.0.37
            last-modified-date                      2020-05-11 15:18:36
  2. Use the ssh-key command to remove a key whose type is known-host.

    The command syntax:

    ssh-key known-host delete <name>

    The <name> parameter is an alias or handle assigned to the imported host key.

    ORACLE# ssh-key known-host delete 10.0.0.12
  3. Save and activate the configuration.

Add a Certificate Authority Key

When authenticating with certificates, clients send certificates to establish their identity and authorization. The public key of the Certificate Authority (CA) used for signing these client certificates must be imported into the SBC.

  1. On the server you'll use for a certificate authority, create a keys directory for storing keys.
    [user@host ~]$ mkdir keys
    [user@host ~]$ cd keys/
  2. Generate an SSH key pair to use for signing certificates.
    [user@host keys]$ ssh-keygen -t rsa -b 4096 -f ./ca_key
  3. Export the CA key to RFC 4716 format.
    [user@host keys]$ ssh-keygen -ef ./ca_key.pub
    ---- BEGIN SSH2 PUBLIC KEY ----
    Comment: "4096-bit RSA, converted by user@host from OpenSSH"
    AAAAB3NzaC1yc2EAAAADAQABAAACAQDOTDujYoQXzjTt9I8YvJMvfSVlWZ6iDzfRx06R3l
    Rj/lrjxlWDMc/Y/uEd2sJ+5wdlCnJPREOuCGbU8S6295486D1kbu76cEDxE+adca3/9+qo
    7FQVugkRJBD0ZOj/3qcuKDOh6ZsalF9LaaNMPNWNiQ5n3bWBnQ1tMMEes58JvoNgjn9FOz
    hbOdOe91K/OdRA0/YzrguaCA6/vE/tUP+xDD/GOu7KyvN1dsgo1vnYZLG7p8vGgt61eTyC
    V6qMEkceGatQvfiBb4XZCeODtC2KBv4pbJpt1zPKOpF4XFb2LferPxAL9rsSRSUOk9tZNc
    x1GM3+UUYwT9dF8bcUfomZCKd07kzPh206nZr/uCElXVtCqghgVRQW8uiFRh6ycVWY/pBq
    uhPfihKHilZEahOOc08ax14XTK89ovJzjbHezaV/NghkfWpn3W7gDNJTbLbxpbrLDkJBPJ
    IltJ5QqwVK/Hi+69x9CxFOkyNpxWFexHPIeq4q0liPoah42MBPAQl30bWULgBP+K0ugzqQ
    cSPAhi9FMq6ZVFTmaiPX8JH8JAceswd500x9jMmV91obzTZmXAQsfVpi0asxRhfficEIfs
    UJ/FHwW2p13YmDVH1AjVmCDn9T46I05Cq+ImrUBX+JAEa6yQU6R6/s7maVDqpdtkpFp0ql
    CWQHHw9J1fYS4w==
    ---- END SSH2 PUBLIC KEY ----
    [user@host keys]$ 
  4. Import the CA key into the SBC using the ssh-key command with the ca-key import argument.
    The command syntax:
    ssh-key ca-key import <key-name> <class>
    The <key-name> parameter is the key identifier (key ID) that you pass as the value of the -I argument to ssh-keygen when signing client keys. The <class> is one of the two authorization classes on the SBC: either user or admin.
    ORACLE# ssh-key ca-key import rootCA admin    
    
    IMPORTANT:
            Please paste SSH public key in the format defined in RFC 4716.
            Terminate the key with ";" to exit.......
    
    ---- BEGIN SSH2 PUBLIC KEY ----
    Comment: "4096-bit RSA, converted by user@server from OpenSSH"
    AAAAB3NzaC1yc2EAAAADAQABAAACAQDOTDujYoQXzjTt9I8YvJMvfSVlWZ6iDzfRx06R3l
    Rj/lrjxlWDMc/Y/uEd2sJ+5wdlCnJPREOuCGbU8S6295486D1kbu76cEDxE+adca3/9+qo
    7FQVugkRJBD0ZOj/3qcuKDOh6ZsalF9LaaNMPNWNiQ5n3bWBnQ1tMMEes58JvoNgjn9FOz
    hbOdOe91K/OdRA0/YzrguaCA6/vE/tUP+xDD/GOu7KyvN1dsgo1vnYZLG7p8vGgt61eTyC
    V6qMEkceGatQvfiBb4XZCeODtC2KBv4pbJpt1zPKOpF4XFb2LferPxAL9rsSRSUOk9tZNc
    x1GM3+UUYwT9dF8bcUfomZCKd07kzPh206nZr/uCElXVtCqghgVRQW8uiFRh6ycVWY/pBq
    uhPfihKHilZEahOOc08ax14XTK89ovJzjbHezaV/NghkfWpn3W7gDNJTbLbxpbrLDkJBPJ
    IltJ5QqwVK/Hi+69x9CxFOkyNpxWFexHPIeq4q0liPoah42MBPAQl30bWULgBP+K0ugzqQ
    cSPAhi9FMq6ZVFTmaiPX8JH8JAceswd500x9jMmV91obzTZmXAQsfVpi0asxRhfficEIfs
    UJ/FHwW2p13YmDVH1AjVmCDn9T46I05Cq+ImrUBX+JAEa6yQU6R6/s7maVDqpdtkpFp0ql
    CWQHHw9J1fYS4w==
    ---- END SSH2 PUBLIC KEY ----;

    Note:

    If the Admin Security entitlement is enabled, the key must be at least 2048 bits.
  5. Save and activate the configuration.
  6. For each SSH client, copy the client's public key into the keys directory.
    [user@host keys]$ scp acme@client1.com:.ssh/id_rsa.pub ./id_rsa.pub
  7. Sign the key with the ssh-keygen command.
    Use the following arguments:
    • Use -s to identify the private key of the CA key used to sign.
    • Use -z to specify the serial number to be embedded in the certificate to distinguish this certificate from others signed by the same CA.
    • Use -n to specify the username of the client to be included in the certificate.
    • Use -I to specify the key ID. This key ID must match the <key-name> specified when importing the signing CA key into the SBC.
    • Use -V to set the validity interval. To set the validity for one year, starting the previous day, use -1d:+52w.

    Important:

    The username passed with the -n argument of the ssh-keygen command must match the username used to authenticate.

    Note:

    If the type attribute of the authentication element is set to local, the username passed with the -n argument must be set to admin.
    [user@host keys]$ ssh-keygen -s ca_key -z 1 -n admin -I rootCA -V -1d:+52w id_rsa.pub
    Signed user key id_rsa.pub: id "rootCA" serial 1 for admin valid from 2020-06-21T09:26:41 to 2021-06-21T09:26:41
    [user@host keys]$ 
  8. Copy the certificate to the client's .ssh directory.
    [user@host keys]$ scp id_rsa-cert.pub acme@client1.com:.ssh/
  9. Verify the SSH client can connect with the certificate.

Delete a Certificate Authority Key

To delete a previously imported Certificate Authority (CA) key, use the ssh-key command with the ca-key delete argument.

  1. List the available ssh-key elements.
    ORACLE# show running-config ssh-key                  
    ssh-key
            name                                    bob
            type                                    authorized-key
            encryption-type                         rsa
            size                                    4096
            last-modified-by                        admin@10.0.0.20
            last-modified-date                      2020-05-12 13:58:39
    ssh-key
            name                                    alice
            type                                    authorized-key
            encryption-type                         rsa
            size                                    4096
            last-modified-by                        admin@10.0.0.37
            last-modified-date                      2020-05-12 14:23:47
    ssh-key
            name                                    rootCA
            type                                    ca-key
            encryption-type                         rsa
            size                                    4096
            last-modified-by                        admin@10.0.0.37
            last-modified-date                      2020-05-11 15:18:36
  2. For any ssh-key element whose type is ca-key, use the ssh-key ca-key delete <key-name> command to delete the CA key.
    ORACLE# ssh-key ca-key delete rootCA    
    SSH public key deleted successfully....
    WARNING: Configuration changed, run "save-config" command to save it
    and run "activate-config" to activate the changes
    ORACLE#
  3. Save and activate the configuration.

Revoke a User Key

To revoke access to a specific user whose public key was signed by your CA key, import the user's public key into the revocation list.

  1. On the SBC, use the ssh-key command with the ca-user-revoke import argument.
    The command syntax:
    ssh-key ca-user-revoke import <key-name>
    The <key-name> parameter uniquely identifies the key you want to revoke.
    ORACLE# ssh-key ca-user-revoke import bob
    
    IMPORTANT:
            Please paste SSH public key in the format defined in RFC 4716.
            Terminate the key with ";" to exit.......
    
    ---- BEGIN SSH2 PUBLIC KEY ----
    Comment: "4096-bit RSA, converted by user@server from OpenSSH"
    AAAAB3NzaC1yc2EAAAADAQABAAACAQDOTDujYoQXzjTt9I8YvJMvfSVlWZ6iDzfRx06R3l
    Rj/lrjxlWDMc/Y/uEd2sJ+5wdlCnJPREOuCGbU8S6295486D1kbu76cEDxE+adca3/9+qo
    7FQVugkRJBD0ZOj/3qcuKDOh6ZsalF9LaaNMPNWNiQ5n3bWBnQ1tMMEes58JvoNgjn9FOz
    hbOdOe91K/OdRA0/YzrguaCA6/vE/tUP+xDD/GOu7KyvN1dsgo1vnYZLG7p8vGgt61eTyC
    V6qMEkceGatQvfiBb4XZCeODtC2KBv4pbJpt1zPKOpF4XFb2LferPxAL9rsSRSUOk9tZNc
    x1GM3+UUYwT9dF8bcUfomZCKd07kzPh206nZr/uCElXVtCqghgVRQW8uiFRh6ycVWY/pBq
    uhPfihKHilZEahOOc08ax14XTK89ovJzjbHezaV/NghkfWpn3W7gDNJTbLbxpbrLDkJBPJ
    IltJ5QqwVK/Hi+69x9CxFOkyNpxWFexHPIeq4q0liPoah42MBPAQl30bWULgBP+K0ugzqQ
    cSPAhi9FMq6ZVFTmaiPX8JH8JAceswd500x9jMmV91obzTZmXAQsfVpi0asxRhfficEIfs
    UJ/FHwW2p13YmDVH1AjVmCDn9T46I05Cq+ImrUBX+JAEa6yQU6R6/s7maVDqpdtkpFp0ql
    CWQHHw9J1fYS4w==
    ---- END SSH2 PUBLIC KEY ----;
  2. Save and activate the configuration.
The user's key is added to the revocation list. When authenticating to the SBC, the user may no longer use his or her key or certificate, even though that key was signed by the CA key.

Unrevoke a Revoked User Key

If a user key is added to the revocation list, that user will not be able to authenticate to the SBC. To delete a key from the revocation list, use the ssh-key command with the ca-user-revoke delete argument.

  1. List the available ssh-key elements.
    ORACLE# show running-config ssh-key                  
    ssh-key
            name                                    bob
            type                                    authorized-key
            encryption-type                         rsa
            size                                    4096
            last-modified-by                        admin@10.0.0.20
            last-modified-date                      2020-05-12 13:58:39
    ssh-key
            name                                    alice
            type                                    authorized-key
            encryption-type                         rsa
            size                                    4096
            last-modified-by                        admin@10.0.0.37
            last-modified-date                      2020-05-12 14:23:47
    ssh-key
            name                                    alice
            type                                    ca-user-revoke
            encryption-type                         rsa
            size                                    4096
            last-modified-by                        admin@10.0.0.37
            last-modified-date                      2020-05-11 15:18:36
  2. For any ssh-key element whose type is ca-user-revoke, use the ssh-key ca-user-revoke delete <key-name> command to remove the user's key from the revocation list.
    ORACLE# ssh-key ca-user-revoke delete alice    
    SSH public key deleted successfully....
    WARNING: Configuration changed, run "save-config" command to save it
    and run "activate-config" to activate the changes
    ORACLE#
  3. Save and activate the configuration.
Once the user key is removed from the revocation list, the functionality of any existing key is restored.

SFTP Operations

SFTP performs all operations over an encrypted SSH connection. It may also use many features of SSH, such as public key authentication and compression. SFTP connects and logs into the specified host, then enters an interactive command mode.

Once in interactive mode, SFTP understands a set of commands similar to those of FTP. Commands are case insensitive and pathnames may be enclosed in quotes if they contain spaces.

The following lists supported SFTP commands:
  • bye—Quit SFTP.
  • cd path—Change remote directory to path.
  • lcd path—Change local directory to path.
  • chgrp grp path—Change group of file path to grp. grp must be a numeric GID.
  • chmod mode path—Change permissions of file path to mode.
  • chown own path—Change owner of file path to own. own must be a numeric UID.
  • dir (or ls)—List the files in the current directory.
  • exit—Quit SFTP.
  • get [flags] remote-path [local-path]—Retrieve the remote-path and store it on the local machine. If the local path name is not specified, it is given the same name it has on the remote machine. If the -P flag is specified, then the file's full permission and access time are copied too.
  • help—Display help text.
  • lls [ls-options] [path]—Display local directory listing of either path or the current directory if path is not specified.
  • lmkdir path—Create local directory specified by path.
  • ln oldpath newpath—Create a symbolic link from oldpath to newpath.
  • lpwd—Print local working directory.
  • ls [path]—Display remote directory listing of either path or current directory if path is not specified.
  • lumask umask—Set local umask to umask.
  • mkdir path—Create remote directory specified by path.
  • put [flags] local-path [remote-path]—Upload local-path and store it on the remote machine. If the remote path name is not specified, it is given the same name it has on the local machine. If the -P flag is specified, then the file's full permission and access time are copied too.
  • pwd—Display remote working directory.
  • quit—Quit SFTP.
  • rename oldpath newpath—Rename remote file from oldpath to newpath.
  • rmdir path—Remove remote directory specified by path.
  • rm path—Delete remote file specified by path.
  • symlink oldpath newpath—Create a symbolic link from oldpath to newpath.
  • ! command—Execute command in local shell.
  • !—Escape to local shell.
  • ?—Synonym for help.

Note:

Command availability is subject to Oracle authorization/privilege classes.

Some SFTP commands are available to only certain users; some commands are available to no users.

RADIUS file access privileges are specified by the Acme-User-Privilege VSA, which can take the following values.

  • sftpForAudit—allows audit log access
  • sftpForAccounting—allows system logs to be accessed
  • sftpForHDR—allows HDR (Historical Data Records) to be accessed
  • sftpForAll—allows all logs to be accessed