security ssh profile
security ssh profile(1) BIG-IP TMSH Manual security ssh profile(1)
NAME
profile - Configures an SSH profile.
MODULE
security ssh
SYNTAX
Modify the profile component within the security ssh module using the
syntax shown in the following sections.
CREATE/MODIFY
create profile [name]
modify profile [name]
    options:
        description [string]
        rules [add | delete | modify | replace-all-with] {
            [ [name] ] {
                options:
                    actions [add | delete | modify] {
                        [ [name] ] {
                            shell-action { control [allow | disallow | terminate] log [no | yes] }
                            sub-system-action { control [allow | disallow | terminate] log [no | yes] }
                            sftp-up-action { control [allow | disallow | terminate] log [no | yes] }
                            sftp-down-action { control [allow | disallow | terminate] log [no | yes] }
                            scp-up-action { control [allow | disallow | terminate] log [no | yes] }
                            scp-down-action { control [allow | disallow | terminate] log [no | yes] }
                            rexec-action { control [allow | disallow | terminate] log [no | yes] }
                            local-forward-action { control [allow | disallow | terminate] log [no | yes] }
                            remote-forward-action { control [allow | disallow | terminate] log [no | yes] }
                            x11-forward-action { control [allow | disallow | terminate] log [no | yes] }
                            agent-action { control [allow | disallow | terminate] log [no | yes] }
                            other-action { control [allow | disallow | terminate] log [no | yes] }
                        }
                    }
                    description [string]
                    identity-users [add | delete | replace-all-with] {
                        [identity user list names...]
                    }
                    identity-groups [add | delete | replace-all-with] {
                        [identity group list names...]
                    }
            }
        }
        rules none
        actions [add | delete | modify] {
            [ [name] ] {
                options:
                    shell-action { control [allow | disallow | terminate] log [no | yes] }
                    sub-system-action { control [allow | disallow | terminate] log [no | yes] }
                    sftp-up-action { control [allow | disallow | terminate] log [no | yes] }
                    sftp-down-action { control [allow | disallow | terminate] log [no | yes] }
                    scp-up-action { control [allow | disallow | terminate] log [no | yes] }
                    scp-down-action { control [allow | disallow | terminate] log [no | yes] }
                    rexec-action { control [allow | disallow | terminate] log [no | yes] }
                    local-forward-action { control [allow | disallow | terminate] log [no | yes] }
                    remote-forward-action { control [allow | disallow | terminate] log [no | yes] }
                    x11-forward-action { control [allow | disallow | terminate] log [no | yes] }
                    agent-action { control [allow | disallow | terminate] log [no | yes] }
                    other-action { control [allow | disallow | terminate] log [no | yes] }
            }
        }
        auth-info [add | delete | modify] {
            [ [name] ] {
                options:
                    proxy-server-auth {
                        private-key [string]
                        public-key [string]
                    }
                    proxy-client-auth {
                        private-key [string]
                        public-key [string]
                    }
                    real-server-auth {
                        public-key [string]
                    }
            }
        }
        timeout [integer]
edit profile
    options:
        all-properties
        non-default-properties
DISPLAY
list profile
show running-config profile
    options:
        all-properties
        non-default-properties
        one-line
DESCRIPTION
You can use the profile component to configure a shareable and reusable
set of ssh profile rules.
EXAMPLES
create profile profile1 auth-info add {
    auth1 {
        proxy-server-auth {
            private-key "abcd"
            public-key "1234"
        }
        proxy-client-auth {
            private-key "efgh"
            public-key "5678"
        }
    }
}
    Creates an SSH profile with auth-info for client-facing and
    server-facing authentication.

modify profile profile1 actions add {
    action1 {
        sftp-up-action {
            control disallow log yes
        }
        shell-action {
            control terminate log yes
        }
    }
}
    Modifies the existing profile by adding default shell and sftp-up
    actions.

modify profile profile1 rules add {
    rule1 {
        actions add {
            action1 {
                sftp-up-action {
                    control disallow log yes
                }
                shell-action {
                    control terminate log yes
                }
            }
        }
        identity-groups add {
            "grp1" "grp2"
        }
        identity-users add {
            "usr1" "usr2"
        }
        description "rule1 and action1"
    }
}
    Modifies the existing profile by adding rule1 with its command
    actions and its user and group identity info.

list profile
    Displays the current list of profile rules.
OPTIONS
description
    User defined profile description.
timeout
    User defined timeout value.
rules
    Adds, deletes, or replaces a profile rule.
    description
        User defined rule description.
    actions
        Specifies the rule actions that the system takes when a
        profile is applied.
        shell-action
            Specifies the rule shell action info.
        sub-system-action
            Specifies the rule sub-system action info.
        sftp-up-action
            Specifies the rule sftp up action info.
        sftp-down-action
            Specifies the rule sftp down action info.
        scp-up-action
            Specifies the rule scp up action info.
        scp-down-action
            Specifies the rule scp down action info.
        rexec-action
            Specifies the rule rexec action info.
        local-forward-action
            Specifies the rule local forward action info.
        remote-forward-action
            Specifies the rule remote forward action info.
        x11-forward-action
            Specifies the rule x11 forward action info.
        agent-action
            Specifies the rule agent action info.
        other-action
            Specifies the rule other action info.
    identity-users
        Specifies the rule users identity.
    identity-groups
        Specifies the rule groups identity.
actions
    Specifies the profile default actions that the system takes when a
    profile is applied.
    shell-action
        Specifies the default shell action info.
    sub-system-action
        Specifies the default sub-system action info.
    sftp-up-action
        Specifies the default sftp up action info.
    sftp-down-action
        Specifies the default sftp down action info.
    scp-up-action
        Specifies the default scp up action info.
    scp-down-action
        Specifies the default scp down action info.
    rexec-action
        Specifies the default rexec action info.
    local-forward-action
        Specifies the default local forward action info.
    remote-forward-action
        Specifies the default remote forward action info.
    x11-forward-action
        Specifies the default x11 forward action info.
    agent-action
        Specifies the default agent action info.
    other-action
        Specifies the default other action info.
auth-info
    Specifies the authentication info (public key and private key)
    for this profile.
    proxy-server-auth
        Specifies a set of private/public keys that can be used to
        authenticate the proxy (BIG-IP) host server to the real clients
        during the initial key exchange of the SSH session between the
        real clients and BIG-IP acting as a proxy server. An SSH
        profile MUST have at least 1 set of private/public keys
        configured for proxy server authentication.
        private-key
            Specifies the private key of the authentication
            algorithm (RSA, DSS, etc.) used for the proxy server
            authentication.
        public-key
            Specifies the public key of the authentication algorithm
            (RSA, DSS, etc.) used for the proxy server authentication.
    proxy-client-auth
        Specifies a set of private/public keys that can be used to
        support 'publicKey' based client authentication as defined in
        RFC 4252 (The Secure Shell (SSH) Authentication Protocol).
        Note that this is optional in an SSH profile and is only
        required to support 'publicKey' based client authentication
        (as defined in section 7 of the above mentioned RFC).
        private-key
            Specifies the private key of the authentication
            algorithm (RSA, DSS, etc.) used for the proxy client
            authentication.
        public-key
            Specifies the public key of the authentication algorithm
            (RSA, DSS, etc.) used for the proxy client authentication.
    real-server-auth
        Specifies the public key that can be used to authenticate the
        real host server to the proxy (BIG-IP) client during the
        initial key exchange of the SSH session between BIG-IP acting
        as a proxy client and a real SSH (backend) server. If no public
        key is configured for real server authentication in an SSH
        profile, all (backend) real servers are trusted unconditionally.
        public-key
            Specifies the public key of the authentication algorithm
            (RSA, DSS, etc.) used for the real server authentication.
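The following audit script is an added example and is not part of BIG-IP or this manual. It parses a profile written in the brace syntax shown in SYNTAX (a minimal reader of that syntax, not F5's parser) and reports the two conditions the OPTIONS text describes: a profile with no real-server-auth public key, so every backend server is trusted, and actions configured with "log no", which leave the controlled SSH channel unlogged. The sample profile and its placeholder key strings are constructed.

```python
import re
# Constructed sample in the man page's brace syntax; placeholder keys, not real BIG-IP output.
SAMPLE_PROFILE = """
security ssh profile profile1 {
    actions { action1 {
        sftp-up-action { control disallow log yes }
        shell-action { control terminate log no }
    } }
    auth-info { auth1 { proxy-server-auth {
        private-key "PLACEHOLDER-PRIVATE-KEY" public-key "PLACEHOLDER-PUBLIC-KEY"
    } } }
    rules { rule1 {
        actions { action1 { x11-forward-action { control allow log no } } }
        identity-users { usr1 usr2 }
    } }
}
"""
TOKEN = re.compile(r'"[^"]*"|\{|\}|\S+')  # quoted string, brace, or bare word

def parse_block(tokens, pos):
    block = {}  # parse tokens after an opening brace; return (dict, index past the closing brace)
    while tokens[pos] != "}":
        key = tokens[pos].strip('"')
        if tokens[pos + 1] != "{":  # "key value"
            block[key], pos = tokens[pos + 1].strip('"'), pos + 2
        elif key in ("identity-users", "identity-groups"):  # "key { name name ... }"
            end = tokens.index("}", pos + 2)
            block[key], pos = [t.strip('"') for t in tokens[pos + 2:end]], end + 1
        else:  # nested "key { ... }"
            block[key], pos = parse_block(tokens, pos + 2)
    return block, pos + 1

def parse_profile(text):
    tokens = TOKEN.findall(text)  # body follows the "security ssh profile <name> {" header
    return parse_block(tokens, tokens.index("{") + 1)[0]
def audit(profile):
    # Flag what the man page calls out: missing key material and actions configured with "log no".
    findings, auth = [], profile.get("auth-info", {})
    if not any("proxy-server-auth" in a for a in auth.values()):
        findings.append("no proxy-server-auth key pair; the profile requires at least one")
    if not any(a.get("real-server-auth", {}).get("public-key") for a in auth.values()):
        findings.append("no real-server-auth public key: every backend server is trusted")
    scopes = [("default", profile.get("actions", {}))]
    scopes += [(f"rule {r}", rule.get("actions", {})) for r, rule in profile.get("rules", {}).items()]
    for where, actions in scopes:
        for name, acts in actions.items():
            for act, cfg in acts.items():
                if isinstance(cfg, dict) and cfg.get("log") == "no":
                    findings.append(f"{where}/{name}/{act}: control {cfg.get('control')} is not logged")
    return findings
```

Running audit(parse_profile(SAMPLE_PROFILE)) on the constructed profile reports the missing real-server-auth key and the two unlogged actions; the same functions accept the output of the list command above once it is pasted into a string.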
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or
by any means, electronic or mechanical, including photocopying,
recording, or information storage and retrieval systems, for any
purpose other than the purchaser's personal use, without the express
written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2008, 2012-2016. All rights
reserved.
BIG-IP 2016-03-14 security ssh profile(1)