Juniper/Cisco Interoperability: Configuring SSH2 Access Between JUNOS and IOS

Continuing the earlier topic of configuring remote login between Juniper JUNOS routers and Cisco IOS routers. Both Juniper JUNOS devices and Cisco IOS devices can act as a Secure Shell (SSH) client and server at the same time, which gives us the opportunity to test access in both directions. We will use the simplest possible configuration to achieve SSHv2 access between JUNOS and IOS. Note that SSHv1 and SSHv2 are in fact very different protocols. From a user's point of view, speaking only in broad terms about security, SSHv2 is far stronger than SSHv1, while SSHv1 is only marginally better than telnet. Since Cisco IOS has supported SSHv1 since 12.0S but did not support the SSH2 protocol until 12.3T, the discussion that follows is based on SSH2. As for the specific differences between the two, I doubt you are very interested in the details; just use it.

SSH protocol in Cisco IOS release trains:

  • IOS 12.0S (SSH version 1)
  • IOS 12.1T (SSH version 1)
  • IOS 12.2 (SSH version 1)
  • IOS 12.2T (SSH version 1)
  • IOS 12.3T (SSH version 2)

Enabling SSH2 on Juniper JUNOS

Let's start with the most straightforward part, enabling SSH2 on Juniper JUNOS; the basic configuration is very simple. Since in the previous post we already added a local account on JUNOS (username/password: ciscoios123 respectively), we only need to enable the SSH service under the [edit system services] hierarchy and specify SSHv2. You can see that both the telnet and the SSH2 services are enabled on JUNOS. If possible, it is recommended that you disable the telnet service; we also deny the root account from logging in to the Juniper router over SSH.

[edit]
nigel@junos# show system services
ssh {
    root-login deny;
    protocol-version v2;
}
telnet;

Logging in from Cisco IOS to Juniper JUNOS over SSH2

r4-ios#conf t
r4-ios(config)#no service timestamps
r4-ios(config)#line con 0
r4-ios(config-line)#logging synchronous
r4-ios(config-line)#end
r4-ios#debug ip ssh
Incoming SSH debugging is on

With debugging enabled, we use the previously configured username cisco to log in over SSH2 from IOS to the Juniper JUNOS router juniper-junos, for which a static hostname mapping was configured earlier.

r4-ios#ssh -l cisco juniper-junos

Password:
SSH CLIENT0: protocol version id is - SSH-2.0-OpenSSH_3.8
SSH CLIENT0: sent protocol version id SSH-1.99-Cisco-1.25
SSH2 CLIENT 0: send: len 280 (includes padlen 4)
SSH2 CLIENT 0: SSH2_MSG_KEXINIT sent
SSH2 CLIENT 0: ssh_receive: 608 bytes received
SSH2 CLIENT 0: input: packet len 608
SSH2 CLIENT 0: partial packet 8, need 600, maclen 0
SSH2 CLIENT 0: input: padlen 7
SSH2 CLIENT 0: received packet type 20
SSH2 CLIENT 0: SSH2_MSG_KEXINIT received
<output omitted>

--- JUNOS 7.2R4.2 built 2006-02-14 07:33:49 UTC
cisco@junos>

cisco@junos> show system connections | match 22
tcp4  0 156  10.0.4.10.22   10.0.4.9.60935  ESTABLISHED
tcp4  0   0  *.22           *.*             LISTEN
tcp4  0   0  *.6222         *.*             LISTEN

Enabling SSH2 on Cisco IOS

Configuring SSH on Cisco IOS is not very complicated either, but a few points need attention.

1. Make sure the Cisco IOS router has a hostname configured.

r4-ios(config)#host r4-ios

2. Configure the router's local domain name with the ip domain-name command.

r4-ios(config)#ip domain-name itaalab.com

3. The key point is that when generating the RSA key pair, the modulus must not be left at the default 512 bits; at least 768 bits are required, otherwise an SSH client cannot log in to the Cisco IOS router over SSH. Here I deliberately use the default 512-bit length first.

r4-ios(config)#crypto key generate rsa
The name for the keys will be: r4-ios.itaalab.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.

How many bits in the modulus [512]:
% Generating 512 bit RSA keys, keys will be non-exportable
...[OK]

r4-ios(config)#
%SSH-5-ENABLED: SSH 1.99 has been enabled

4. Tell Cisco IOS to use SSHv2.

r4-ios(config)#ip ssh version 2

5. On Cisco IOS, create a local user account for the user who will log in over SSH2 from the Juniper JUNOS router, with the same username as on Juniper JUNOS; the password is defined locally on Cisco IOS and need not match.

r4-ios(config)#user nigel password test

r4-ios#show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs;
Authentication retries: 3

6. Once SSH is enabled, an optional step is to close the less secure telnet service port so that only the SSH protocol may be used to log in remotely to the Cisco IOS router.

r4-ios(config)#line vty 0 4
r4-ios(config-line)#transport input ssh

nigel@junos> telnet cisco-ios logical-router r2
Trying 10.0.4.9...
telnet: connect to address 10.0.4.9: Connection refused
telnet: Unable to connect to remote host

Logging in from Juniper JUNOS to Cisco IOS over SSH2

When we try to log in over SSH2 from JUNOS to the Cisco IOS router cisco-ios, for which a static hostname mapping was configured earlier, the RSA public key we just generated on Cisco IOS is shorter than 768 bits. JUNOS therefore fails verification of the RSA host key, and we cannot log in to the Cisco IOS router over SSH2.

nigel@junos> ssh v2 cisco-ios logical-router r2
The authenticity of host 'cisco-ios (10.0.4.9)' can't be established.
RSA key fingerprint is 1b:9a:81:65:3d:85:90:c0:b4:56:67:89:52:02:89:40.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'cisco-ios,10.0.4.9' (RSA) to the list of known hosts.
ssh_rsa_verify: RSA modulus too small: 512 < minimum 768 bits
key_verify failed for server_host_key

nigel@junos>

So we need to clear the existing RSA key on Cisco IOS and then generate a new SSH2 RSA key pair that meets the 768-bit minimum.

r4-ios(config)#crypto key zeroize rsa
% All RSA keys will be removed.
% All router certs issued using these keys will also be removed.
Do you really want to remove these keys? [yes/no]: yes

%SSH-5-DISABLED: SSH 2.0 has been disabled

r4-ios(config)#crypto key generate rsa
The name for the keys will be: r4-ios.itaalab.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.

How many bits in the modulus [512]: 768
% Generating 768 bit RSA keys, keys will be non-exportable
...[OK]

r4-ios(config)#
%SSH-5-ENABLED: SSH 2.0 has been enabled

It doesn't end here, because the wrongly generated 512-bit RSA public key had already been imported into Juniper JUNOS. When we try again to log in over SSH2 from Juniper JUNOS to the Cisco IOS router, JUNOS finds that the RSA public key now presented by Cisco IOS does not match the RSA public key stored locally on JUNOS. For security reasons, Juniper JUNOS still refuses to let us log in ... JUNOS did its job this time; truly, even drinking water can get stuck in your teeth.

nigel@junos> ssh v2 cisco-ios logical-router r2
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@   WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!    @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now
(man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is 29:e8:4b:95:48:2d:7d:37:94:c2:a9:db:00:a2:56:ea.
Please contact your system administrator.
Add correct host key in /var/home/nigel/.ssh/known_hosts to get rid of this message.
Offending key in /var/home/nigel/.ssh/known_hosts:1
RSA host key for cisco-ios has changed and you have requested strict checking.
Host key verification failed.

nigel@junos> file show /var/home/nigel/.ssh/known_hosts
cisco-ios,10.0.4.9 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQ
QDmWa/IYF2VLp27213/
OIn3SvWz9d91n7OBt3Z3rfrlRZYcmBP9E5NPs
Oxj7l8X5Pf3M7DPClF3UdoW8UYbAusp
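As an added example (not code from the original post), here is a Python check that parses an ssh-rsa known_hosts entry like the one shown above, reports the modulus size against the 768-bit floor that ssh_rsa_verify enforced in the "RSA modulus too small" failure, and computes the colon-separated MD5 fingerprint the JUNOS client printed in both warnings. The sample entries are constructed with synthetic moduli (the key blob in the post is truncated), so only the encoding, not the key values, is realistic.

```python
import base64
import hashlib
import struct

MIN_RSA_BITS = 768  # the floor ssh_rsa_verify enforced in the JUNOS output above

def _ssh_string(b: bytes) -> bytes:
    # RFC 4251 "string": 4-byte big-endian length prefix, then the bytes
    return struct.pack(">I", len(b)) + b

def _ssh_mpint(n: int) -> bytes:
    # RFC 4251 "mpint": two's complement, so a set high bit needs a leading 0x00
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b and b[0] & 0x80:
        b = b"\x00" + b
    return _ssh_string(b)

def encode_ssh_rsa(e: int, n: int) -> str:
    # base64 "ssh-rsa" blob as it appears in the third column of known_hosts
    return base64.b64encode(_ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)).decode()

def parse_ssh_rsa(blob_b64: str) -> tuple:
    # walk the length-prefixed fields (name, e, n); reject anything else
    data, fields, pos = base64.b64decode(blob_b64), [], 0
    while pos + 4 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        fields.append(data[pos + 4:pos + 4 + length])
        pos += 4 + length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key blob")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")

def md5_fingerprint(blob_b64: str) -> str:
    # colon-separated MD5 of the raw blob, the format the JUNOS 7.2 client prints
    h = hashlib.md5(base64.b64decode(blob_b64)).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def check_known_hosts_line(line: str) -> dict:
    # report the modulus size, whether it meets MIN_RSA_BITS, and the fingerprint
    hosts, keytype, blob = line.split()[:3]
    if keytype != "ssh-rsa":
        raise ValueError("unsupported key type: " + keytype)
    _, n = parse_ssh_rsa(blob)
    bits = n.bit_length()
    return {"hosts": hosts, "bits": bits, "ok": bits >= MIN_RSA_BITS,
            "fingerprint": md5_fingerprint(blob)}

# Constructed samples with synthetic moduli (not the post's keys): a 512-bit entry
# like the first IOS key and a 768-bit entry like the regenerated key.
OLD_LINE = "cisco-ios,10.0.4.9 ssh-rsa " + encode_ssh_rsa(65537, (1 << 511) | 1)
NEW_LINE = "cisco-ios,10.0.4.9 ssh-rsa " + encode_ssh_rsa(65537, (1 << 767) | 1)
```

Comparing the fingerprint of the stored entry with the one in the "REMOTE HOST IDENTIFICATION HAS CHANGED" warning confirms which line is stale; since the warning already names it (known_hosts:1), removing only that line is enough instead of wiping the whole .ssh directory.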

Finally, we delete the old RSA public key stored on JUNOS, import the new RSA public key, and at last log in to the Cisco IOS router over SSH2 successfully.

nigel@junos> file delete /var/home/nigel/.ssh/*

nigel@junos> ssh v2 cisco-ios logical-router r2
The authenticity of host 'cisco-ios (10.0.4.9)' can't be established.
RSA key fingerprint is 29:e8:4b:95:48:2d:7d:37:94:c2:a9:db:00:a2:56:ea.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'cisco-ios,10.0.4.9' (RSA) to the list of known hosts.
Password: 

r4-ios>