security ssh profile

security ssh profile(1) 				BIG-IP TMSH Manual				   security ssh profile(1)

NAME
       profile - Configures an ssh profile.

MODULE
       security ssh

SYNTAX
       Modify the profile component within the security ssh module using the syntax shown in the following sections.

   CREATE/MODIFY
	create profile [name]
	modify profile [name]
	 options:
	  description [string]
	  rules [add | delete | modify | replace-all-with] {
	     [ [name] ] {
	       options:
		actions [add | delete | modify] {
		  [ [name] ] {
		    shell-action { control [allow | disallow | terminate] log [no | yes] }
		    sub-system-action { control [allow | disallow | terminate] log [no | yes] }
		    sftp-up-action { control [allow | disallow | terminate] log [no | yes] }
		    sftp-down-action { control [allow | disallow | terminate] log [no | yes] }
		    scp-up-action { control [allow | disallow | terminate] log [no | yes] }
		    scp-down-action { control [allow | disallow | terminate] log [no | yes] }
		    rexec-action { control [allow | disallow | terminate] log [no | yes] }
		    local-forward-action { control [allow | disallow | terminate] log [no | yes] }
		    remote-forward-action { control [allow | disallow | terminate] log [no | yes] }
		    x11-forward-action { control [allow | disallow | terminate] log [no | yes] }
		    agent-action { control [allow | disallow | terminate] log [no | yes] }
		    other-action { control [allow | disallow | terminate] log [no | yes] }
		  }
		}
		description [string]
		identity-users [add | delete | replace-all-with] {
		  [identity user list names...]
		}
		identity-groups [add | delete | replace-all-with] {
		  [identity group list names...]
		}
	     }
	  }
	  rules none
	  actions [add | delete | modify] {
	     [ [name] ] {
	       options:
		 shell-action { control [allow | disallow | terminate] log [no | yes] }
		 sub-system-action { control [allow | disallow | terminate] log [no | yes] }
		 sftp-up-action { control [allow | disallow | terminate] log [no | yes] }
		 sftp-down-action { control [allow | disallow | terminate] log [no | yes] }
		 scp-up-action { control [allow | disallow | terminate] log [no | yes] }
		 scp-down-action { control [allow | disallow | terminate] log [no | yes] }
		 rexec-action { control [allow | disallow | terminate] log [no | yes] }
		 local-forward-action { control [allow | disallow | terminate] log [no | yes] }
		 remote-forward-action { control [allow | disallow | terminate] log [no | yes] }
		 x11-forward-action { control [allow | disallow | terminate] log [no | yes] }
		 agent-action { control [allow | disallow | terminate] log [no | yes] }
		 other-action { control [allow | disallow | terminate] log [no | yes] }
	     }
	  }
	  auth-info [add | delete | modify] {
	     [ [name] ] {
	       options:
		 proxy-server-auth {
		   private-key [string]
		   public-key [string]
		}
		proxy-client-auth {
		  private-key [string]
		  public-key [string]
		}
		real-server-auth {
		  public-key [string]
		}
	     }
	  }
	  timeout [integer]
	  lang-env-tolerance [any | common | default-value | none]

	edit profile
	  options:
	    all-properties
	    non-default-properties

   DISPLAY
	list profile
	show running-config profile
	 options:
	   all-properties
	   non-default-properties
	   one-line

DESCRIPTION
       You can use the profile component to configure a shareable and reusable set of ssh profile rules.

EXAMPLES
       create profile profile1 auth-info add {
	 auth1 {
	   proxy-server-auth {
	     private-key "abcd"
	     public-key "1234"
	   }
	   proxy-client-auth {
	     private-key "efgh"
	     public-key "5678"
	   }
	 } }

       Creates an ssh profile whose auth-info holds both client-facing and server-facing authentication keys.

       modify profile profile1 actions add {
	 action1 {
	   sftp-up-action {
	     control disallow log yes
	   }
	   shell-action {
	     control terminate log yes
	   }
	 } }

       Modifies an existing profile by adding default actions for the shell and sftp-upload commands.

       modify profile profile1 rules add {
	 rule1 {
	   actions add {
	     action1 {
	       sftp-up-action {
		 control disallow log yes
	       }
	       shell-action {
		 control terminate log yes
	       }
	     }
	   }
	   identity-groups add {
	     "grp1" "grp2"
	   }
	   identity-users add {
	     "usr1" "usr2"
	   }
	   description "rule1 and action1"
	 } }

       Modifies an existing profile by adding rule1, with its command actions and its user and group identity information.

       list profile

       Displays the currently configured profiles and their rules.

OPTIONS
       description
	    User-defined profile description.

       timeout
	    User-defined timeout value.

       lang-env-tolerance
	    Sets the tolerance level for LANG environment variable settings. Only applicable when "other-action" is set to
	    "disconnect" or "terminate". "common" allows only "en_US.UTF-8", while "any" allows any standard locale.

       rules
	    Adds, deletes, or replaces a profile rule.

	    description
		 User defined rule description.

	    actions
		 Specifies the rule actions that the system takes when a profile is applied.

		 shell-action
		      Specifies the rule shell action info.

		 sub-system-action
		      Specifies the rule sub-system action info.

		 sftp-up-action
		      Specifies the rule sftp up action info.

		 sftp-down-action
		      Specifies the rule sftp down action info.

		 scp-up-action
		      Specifies the rule scp up action info.

		 scp-down-action
		      Specifies the rule scp down action info.

		 rexec-action
		      Specifies the rule rexec action info.

		 local-forward-action
		      Specifies the rule local forward action info.

		 remote-forward-action
		      Specifies the rule remote forward action info.

		 x11-forward-action
		      Specifies the rule x11 forward action info.

		 agent-action
		      Specifies the rule agent action info.

		 other-action
		      Specifies the rule other action info.

	    identity-users
		 Specifies the rule users identity.

	    identity-groups
		 Specifies the rule groups identity.

       actions
	    Specifies the profile default actions that the system takes when a profile is applied.

	    shell-action
		 Specifies the rule shell action info.

	    sub-system-action
		 Specifies the rule sub-system action info.

	    sftp-up-action
		 Specifies the rule sftp up action info.

	    sftp-down-action
		 Specifies the rule sftp down action info.

	    scp-up-action
		 Specifies the rule scp up action info.

	    scp-down-action
		 Specifies the rule scp down action info.

	    rexec-action
		 Specifies the rule rexec action info.

	    local-forward-action
		 Specifies the rule local forward action info.

	    remote-forward-action
		 Specifies the rule remote forward action info.

	    x11-forward-action
		 Specifies the rule x11 forward action info.

	    agent-action
		 Specifies the rule agent action info.

	    other-action
		 Specifies the rule other action info.

       auth-info
	    Specifies the authentication info of public key and private key for this profile.

	    proxy-server-auth
		 Specifies a set of private/public keys that can be used to authenticate the proxy (BigIP) host server to the real
		 clients during the initial key exchange of the SSH session between real clients and BigIP acting as a proxy
		 server. An SSH profile MUST have at least one set of private/public keys configured for proxy server authentication.

		 private-key
		      Specifies the private key of the authentication algorithm (RSA, DSS, etc.) used for the proxy server
		      authentication.

		 public-key
		      Specifies the public key of the authentication algorithm (RSA, DSS, etc.) used for the proxy server
		      authentication.

	    proxy-client-auth
		 Specifies a set of private/public keys that can be used to support 'publicKey' based client authentication as
		 defined in RFC 4252 (The Secure Shell (SSH) Authentication Protocol). Note that this is optional in an SSH profile
		 and is only required to support 'publicKey' based client authentication (as defined in section 7 of that RFC).

		 private-key
		      Specifies the private key of the authentication algorithm (RSA, DSS, etc.) used for the proxy client
		      authentication.

		 public-key
		      Specifies the public key of the authentication algorithm (RSA, DSS, etc.) used for the proxy client
		      authentication.

	    real-server-auth
		 Specifies the public key that can be used to authenticate the real host server to the proxy (BigIP) client during the
		 initial key exchange of the SSH session between BigIP acting as a proxy client and a real ssh (backend) server.
		 If the user does not configure any public key for real server authentication in an SSH profile, all (backend) real
		 servers are always trusted.

		 public-key
		      Specifies the public key of the authentication algorithm (RSA, DSS, etc.) used for the real server
		      authentication.
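
       A fuller profile built from the options above, added here as an example and not taken from this manual: the
       profile-level actions terminate and log every channel type, one rule grants sftp to a single identity group, and
       real-server-auth is populated so that backend servers are not trusted by default. The profile, auth-info, action,
       rule and group names (ssh_restrictive, auth1, deny-all, sftp-admins-only, allow-sftp, sftp-admins) are assumptions,
       and the key strings are placeholders.

```tmsh
# Added example, not from the BIG-IP manual. All object names are assumptions;
# the <...> key strings are placeholders to be replaced with real key material.
create profile ssh_restrictive description "Default-deny SSH proxy profile" lang-env-tolerance common auth-info add {
  auth1 {
    proxy-server-auth {
      private-key "<PROXY-SERVER-PRIVATE-KEY>"
      public-key "<PROXY-SERVER-PUBLIC-KEY>"
    }
    real-server-auth {
      public-key "<BACKEND-SERVER-PUBLIC-KEY>"
    }
  }
} actions add {
  deny-all {
    shell-action { control terminate log yes }
    sub-system-action { control terminate log yes }
    sftp-up-action { control terminate log yes }
    sftp-down-action { control terminate log yes }
    scp-up-action { control terminate log yes }
    scp-down-action { control terminate log yes }
    rexec-action { control terminate log yes }
    local-forward-action { control terminate log yes }
    remote-forward-action { control terminate log yes }
    x11-forward-action { control terminate log yes }
    agent-action { control terminate log yes }
    other-action { control terminate log yes }
  }
} rules add {
  sftp-admins-only {
    description "File transfer only, for members of the sftp-admins group"
    identity-groups add { "sftp-admins" }
    actions add {
      allow-sftp {
        sftp-up-action { control allow log yes }
        sftp-down-action { control allow log yes }
        shell-action { control disallow log yes }
        local-forward-action { control disallow log yes }
      }
    }
  }
}
```

       The leading comment lines are annotations; only the create command itself is entered at the tmsh prompt. Because
       real-server-auth carries a key, a backend whose host key does not match is no longer implicitly trusted, and the
       "other-action terminate" setting is what makes lang-env-tolerance take effect.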

COPYRIGHT
       No part of this program may be reproduced or transmitted in any form or by any means, electronic or mechanical, including
       photocopying, recording, or information storage and retrieval systems, for any purpose other than the purchaser's personal
       use, without the express written permission of F5 Networks, Inc.

       F5 Networks and BIG-IP (c) Copyright 2008, 2012-2016. All rights reserved.

BIG-IP							    2017-10-30					   security ssh profile(1)