Manuals / Black Box / Marine Equipment / Marine Safety Devices

Black Box 1102, 1101 manual , # ssh remhost, Ab7e33bd85505a430be0bd433f1ca5f8

Models: 1101 1102 Secure Device Servers

1 164

Download 164 pages 30.63 Kb

Page 151

Chapter 15: Advanced Configuration

Use WinSCP to copy this "authorized_keys" file into the users home directory: e.g. /etc/config/users/testuser/.ssh/authorized_keys of the Black Box gateway which will be the SSH server. You will need to make sure this file is in the correct format with the correct permissions with the following commands:

# dos2unix \

/etc/config/users/testuser/.ssh/authorized_keys && chown testuser \ /etc/config/users/testuser/.ssh/authorized_keys

Using WinSCP copy the attached sshd_config over /etc/config/sshd_config on the server (Makes sure public key authentication is enabled).

Test the Public Key by logging in as "testuser" to the client Black Box device and typing (you should not need to enter anything): # ssh -o StrictHostKeyChecking=no <server-ip>

To automate connection of the SSH tunnel from the client on every power-up you need to make the clients /etc/config/rc.local look like the following:

#!/bin/sh

ssh -L9001:127.0.0.1:4001 -N -o StrictHostKeyChecking=no testuser@<server-ip> &

This will run the tunnel redirecting local port 9001 to the server port 4001.

Fingerprints are used to ensure you are establishing an SSH session to who you think you are. On the first connection to a remote server you will receive a fingerprint that you can use on future connections.

This fingerprint is related to the host key of the remote server. Fingerprints are stored in ~/.ssh/known_hosts.

To receive the fingerprint from the remote server, log in to the client as the required user (usually root) and establish a connection to the remote host:

# ssh remhost

The authenticity of host 'remhost (192.168.0.1)' can't be established. RSA key fingerprint is 8d:11:e0:7e:8a:6f:ad:f1:94:0f:93:fc:7c:e6:ef:56. Are you sure you want to continue connecting (yes/no)?

At this stage, answer yes to accept the key. You should get the following message:

Warning: Permanently added 'remhost,192.168.0.1' (RSA) to the list of known hosts.

You may be prompted for a password, but there is no need to log in— you have received the fingerprint and can Ctrl-C to cancel the connection. If the host key changes you will receive the following warning, and not be allowed to connect to the remote host:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!@ @ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! @

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Someone could be eavesdropping on you right now (man-in-the-middle attack)!

It is also possible that the RSA host key has just been changed.

The fingerprint for the RSA key sent by the remote host is

ab:7e:33:bd:85:50:5a:43:0b:e0:bd:43:3f:1c:a5:f8.

Please contact your system Administrator.

Add correct host key in /.ssh/known_hosts to get rid of this message.

Offending key in /.ssh/known_hosts:1

RSA host key for remhost has changed and you have requested strict checking.

Host key verification failed.

724-746-5500 blackbox.com

151

Image 151

Black Box 1102 , # ssh remhost, Ab7e33bd85505a430be0bd433f1ca5f8, Offending key in /.ssh/knownhosts1

Contents

1102 Secure Device Servers 1102 Secure Device Servers FCC and IC RFI Statements Normas Oficiales Mexicanas NOM Electrical Safety StatementTrademarks Used in this Manual Table of Contents SMS Alerts Snmp Alerts Local Authentication Tacacs AuthenticationAdd a New Alert 110 106107 108Fingerprinting Installing the Key and CertificatePowerMan Tool Pmpower ToolSpecifications SpecificationsManual Organization Overview 2.1 IntroductionTypes of Users Management Console OverviewHardware Description 2.5.1 LES1101A Front Panel RJ-45 Ethernet Activity Number Component Description DB9 connector2 LES1101A Back Panel Ethernet Connectivity LED3 LES1102A Front Panel Number Component Description Barrel connector PowerLED left side of connector Ethernet Connectivity LED LED right side of connector Ethernet Activity LED1 LES1101A What’s Included2 LES1102A Network Connection InstallationInstallation Power ConnectionNon RS-232 Serial Port Pinouts- LES1102A TX + Non RS-232 Serial Port Pinouts- LES1101A+3V RX+ TX+ +VINConnected PC/Workstation Setup System ConfigurationManagement Console Connection Browser connection System ConfigurationAdministrator Password Network IP Address IPv6 configuration System ServicesSystem Services screen Forwarded to SDT ConnectorSDT connector SSH encrypted Communications SoftwareSSHTerm PuTTYConfigure Serial Ports Serial Port, Host, Device, and User ConfigurationCommon Settings Serial Port, Host, Device, and User ConfigurationConsole Server Mode Serial Port, Host, Device, and User Configuration 1102 Secure Device Servers SDT Mode Terminal Server Mode Device RPC, UPS, EMD ModeSerial Bridging Mode Local Ethernet LAN LES1102A COM port SyslogAdd/ Edit Users Serial Port, Host, Device, and User Configuration Network Hosts AuthenticationSerial Port Redirection Trusted NetworksLES1102A Retail data systems Managed DevicesSerial Port, Host, Device, and User Configuration Secure Local Secure SSH Tunneling and SDT ConnectorLES1102A Serial Connected SDT Connector installation Secure SSH Tunneling and SDT ConnectorConfiguring for SSH Tunneling to Hosts SDT Connector Client Configuration1102 Secure Device Servers Secure SSH Tunneling and SDT Connector Make an SDT Connection through the Gateway to a Host Manually Adding Hosts to the SDT Connector Gateway10. Clients Manually Adding New Services to the New Hosts1102 Secure Device Servers Adding a Client Program to be Started for the New Service 16. Telnet client Click OK 17. Edit SDT host screen SDT Connector to Management Console1102 Secure Device Servers Secure SSH Tunneling and SDT Connector Importing and Exporting Preferences SDT Connector Public Key AuthenticationSetting up SDT for Remote Desktop Access 23. Remote Desktop Users dialog box Configure the Remote Desktop Connection ClientComputer, enter the appropriate IP Address and Port Number Use -p to receive password promptGeometry width x height or 70% screen percentage SDT SSH Tunnel for VNC For Linux servers and clients Install, Configure, and Connect the VNC Viewer 30. VNC authentication 1102 Secure Device Servers 33. Incoming TCP/IP properties Set up SDT Serial Ports on Console Server Address of port01. Then select the RDP Service check box SSH Tunneling Using other SSH Clients for example, PuTTY1102 Secure Device Servers Secure SSH Tunneling and SDT Connector 1102 Secure Device Servers Email Alerts Configure SMTP/SMS/SNMP/Nagios Alert ServiceAlerts and Logging Alerts and LoggingSnmp Alerts SMS AlertsSelect Alerts & Logging Snmp Activate Alert Events and Notifications Nagios AlertsAdd a New Alert Configuring General Alert TypesSerial port signal alert This alert type monitors UPSes, RPCs, and power devices Configuring Power Alert TypeSerial Port Logging Remote Log StorageNetwork TCP or UDP Port Logging 1102 Secure Device Servers RPC Connection Power ManagementPower Management Remote Power Control RPC1102 Secure Device Servers User Power Management RPC Access Privileges and AlertsRPC Status Uninterruptible Power Supply Control UPSTurn on Turn OFF Cycle Status Serial, USB, or Network Connections Managed Managed UPS ConnectionsClick Add Managed UPS As Device Type UPS and clicking ApplyPower Management Remote UPS Management UPS Alerts Controlling UPS Powered ComputersUPS Status 12. Log table Overview of Network UPS Tools NUTRefer to 1102 Secure Device Servers Tacacs Authentication AuthenticationAuthentication Configuration Local AuthenticationEnter the Server Password Radius AuthenticationRADIUS/TACACS User Configuration Ldap AuthenticationRadius Example PAM Pluggable Authentication ModulesPamtacplus PamldapSSL certificates screen SSL CertificateOrganizational Unit Challenge PasswordConfirm Challenge Password Common nameUpload button Nagios Integration LES1102A Network Managed hosts ServicesNagios Overview Nagios Integration Central Management and Setting Up SDT for NagiosDistributed console servers Black Box console servers Setup Distributed Console Servers Setup Central Nagios ServerDescription enter Administrator connection Enable Nagios on the Console Server Configuring Nagios Distributed MonitoringSelect Users & Groups from the Serial & Network menu Tunneled SSH LES1102A Sendncsa Program/script Nagios Enable Nrpe MonitoringEnable Nsca Monitoring LES1102A Serial Check NagiosConfigure Selected Network Hosts for Nagios Monitoring Configure Selected Serial Ports for Nagios MonitoringConfigure the Upstream Nagios Monitoring Host Hostname Server Use Generic-service Commandname checknrpedaemon CommandlineCommandname checkserialstatus Commandline Define serviceCheckportlog Define service Servicedescription port-log-serverServer Use Generic-service Activechecksenabled PassivechecksenabledNumber of Supported Devices Basic Nagios Plug-InsDistributed Monitoring Usage Scenarios Using Nagios in a local office Remote siteRemote site with restrictive firewall System Management System Administration and ResetSystem Management Upgrade FirmwareConfiguration Backup Configure Date and Time109 Statistics Port Access and Active UsersSelect the Status Port Access Status ReportsSupport Reports Status ReportsSelect Status Syslog DashboardConfigure dashboard screen Configuring the DashboardEcho table Creating Custom Widgets for the DashboardPort and Host Logs ManagementManagement Device ManagementSelect Manage Terminal Serial Port Terminal ConnectionSelect Manage Power Accessing config from the Command Line Configuration from the Command Line# config -g config Configuration from the Command LineConfig tool # config -g config.users.user1.descriptionSerial Port Configuration SDT mode Device ModeAdding and Removing Users Terminal server modeSerial bridge mode Syslog settings# config -r users # ./delete-node config.users.user2# rmuser Group7 # config -g config.groups.total# config -a Adding and Removing User Groups# config -s config.sdt.hosts.total=4 List of remote authentiction and authorization servers# config -r auth # config -g config.sdt.hosts.total# config -g config.portaccess.total Log level for services# config -g config.devices.total # config -hostsUPS Connections # config -s config.cascade.slaves.total=1# config -r cascade Cascaded PortsRemote UPSes # config -s config.ups.monitors.total=1# config -d config.ups.monitors.monitor1 RPC ConnectionsTo delete the above managed device # config -d config.devices.device8To configure serial/network port logging Port LogConnection Alert General settings for all alertsSignal Alert AlertsSmtp and SMS UPS Power Status AlertPower Sensor Alert # config -r alertsIP Settings AdministrationSnmp Date and Time Settings # config -r time ServicesDhcp Server Nagios Enable SDT for Nagios ext Enabled SDT gateway addressPrefer Nrpe over Nsca Disabled defaults to Disabled To configure Nrpe with following settings Nrpe port ! Advanced ConfigurationBin/sh /etc/scripts/alert-email $suffix # ./delete-node config.users.user3Echo Warning $TOTALNODE greater than number of items NEWTOTAL=$ $TOTALAdd the following line to rc.local # loop indefinitely While true do # /etc/scripts/backup-usb check-magic # configEtc/config/scripts/config-post Usage /etc/scripts/backup-usb Command File Etc/config/pmshell-start.sh #!/bin/sh PORT=$1 USER=$2 To set the Community field Snmp version 1 and 2c only Config --set config.system.snmp.address2=w.x.y.zConfig --set config.system.snmp.trapport2=162 To set the Manager Address field$&$ $& ! $&% ! $ mkdir keys $ ssh-keygen -t rsa Chown fred /etc/config/users/fred/.ssh/authorizedkeys#$! #$ Http//openssh.org/portable.html Http//www openbsd.org/cgi-bin/man.cgi?query=sshd ! OpenSSH Windows http//sshwindows.sourceforge.net/download Offending key in /.ssh/knownhosts1 # ssh remhost Ab7e33bd85505a430be0bd433f1ca5f8Client Keys Uploading Keys Authorized Keys!! +- ! !$ % #% #$! #$ #% Target SpecificationPowerstrip Powerstrip IdName or ID of the device support/id Username PpasswordPport Targetaddress# #%&GNU Bourne-Again Shell Appendix a Linux Commands and Source CodeAppendix A. Linux Commands and Source Code Add a group or add an user to a group Add an userIptables-save LoginReboot Ip6tablesSmbmount VconfigSleep Smbmnt164