SSH - BlueCat Integrity - 9.3.0

Address Manager API Guide

Locale: English | Product name: BlueCat Integrity | Version: 9.3.0
With SSH enabled, you can use an SSH client to access the DNS/DHCP Server Administration Console via the physical IPv4 address of the DNS/DHCP Server.
Attention: This service cannot be configured on DNS/DHCP Servers operating in an xHA pair.
Note: SSH upgraded to include AES encryption

Address Manager and DNS/DHCP Server have been updated to include only AES ciphers, in accordance with FIPS 140-2 certification requirements, to ensure that communications using SSH are secure. As a result, customers using older SSH clients may need to upgrade to an SSH Client that supports AES encryption.

Example

{
    "version": "1.0.0",
    "services": {
        "ssh": {
            "configurations": [
                {
                    "sshConfiguration": {
                        "enable": true,
                        "tacacs": {
                            "enable": false
                        }
                    }
                }
            ]
        }
    }
}
Parameters
  • enable—set to true to enable SSH; set to false to disable SSH.
    Attention: If you intend to disable SSH, do so only after you have configured any additional DNS/DHCP Server services. You must not disable SSH before configuring other services.

Configuring TACACS+ authentication

You can configure TACACS+ authentication to allow users to authenticate against external TACACS+ servers to log in to the DNS/DHCP Server.
Attention:
  • Before you begin, BlueCat strongly recommends creating a "Break Glass" account to ensure that the server can still be accessed in case of an accidental misconfiguration.
  • You must have an operating TACACS+ server in order to proceed with configuring TACACS+ authentication.
Example
{
    "version": "1.0.0",
    "services": {
        "ssh": {
            "configurations": [
                {
                    "sshConfiguration": {
                        "enable": true,
                        "tacacs": {
                            "enable": true,
                            "server": "tacacs.example.com",
                            "secret": "$1$DW1d$4XwHkGHQmBpp2w7G4skS9.",
                            "users": [
                                {
                                    "name": "User1",
                                    "memberOf": "TACACSGroup1",
                                    "executables": ["/usr/bin/tail", "/usr/local/bin/rndc", "/bin/cat"]
                                }
                            ],
                            "groups": [
                                {
                                    "name": "TACACSGroup1",
                                    "executables": ["/sbin/ifup", "/sbin/ifdown"]
                                }
                            ]
                        }
                    }
                }
            ]
        }
    }
}
Parameters
  • tacacs—enter the configuration information for TACACS+ authentication.
    • enable—set to true to enable TACACS+ authentication; set to false to disable TACACS+ authentication.
    • server—set the hostname of the TACACS+ server that will be used for authentication.
    • secret—enter the shared secret used to encrypt and decrypt packets between the client and the server.
    • users—enter the configuration information for TACACS+ users.
      • name—enter the name of the TACACS+ user.
      • memberOf—enter the name of the TACACS+ group that the user is a member of.
      • executables—enter the path to the commands that are granted to the TACACS+ user.
        Note: This field cannot be empty or contain an empty ("") value.
    • groups—enter the configuration information for TACACS+ groups.
      • name—enter the name of the TACACS+ group.
      • executables—enter the path to the commands that are granted to the TACACS+ group.
        Note: This field cannot be empty or contain an empty ("") value.
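The following validator is an added example, not BlueCat code or part of the Address Manager API. It checks a service-configuration document of the shape shown in both examples above against the rules the page states (enable must be a boolean, executables lists must be non-empty and contain no "" values) before the document is submitted. Three checks are assumptions beyond what the page documents and are marked as such in the code: server and secret are required once TACACS+ is enabled, a user's memberOf must name a group defined in the same document, and executables are expected to be absolute paths. The embedded sample configurations are constructed from the page's examples with a placeholder secret.

```python
import json

# Constructed sample modelled on the page's TACACS+ example; the secret is a placeholder.
SAMPLE_TACACS_CONFIG = """
{
    "version": "1.0.0",
    "services": {
        "ssh": {
            "configurations": [
                {
                    "sshConfiguration": {
                        "enable": true,
                        "tacacs": {
                            "enable": true,
                            "server": "tacacs.example.com",
                            "secret": "PLACEHOLDER_SHARED_SECRET",
                            "users": [
                                {"name": "User1", "memberOf": "TACACSGroup1",
                                 "executables": ["/usr/bin/tail", "/usr/local/bin/rndc", "/bin/cat"]}
                            ],
                            "groups": [
                                {"name": "TACACSGroup1", "executables": ["/sbin/ifup", "/sbin/ifdown"]}
                            ]
                        }
                    }
                }
            ]
        }
    }
}
"""

# Constructed sample modelled on the page's SSH-only example (TACACS+ disabled).
SAMPLE_SSH_ONLY_CONFIG = """
{"version": "1.0.0", "services": {"ssh": {"configurations": [
    {"sshConfiguration": {"enable": true, "tacacs": {"enable": false}}}]}}}
"""


def _check_executables(owner, execs, errors):
    """Page rule: the list must be non-empty and contain no empty ("") value.
    Assumption added here: each entry should be an absolute path."""
    if not isinstance(execs, list) or not execs:
        errors.append(f"{owner}: executables must be a non-empty list")
        return
    for e in execs:
        if not isinstance(e, str) or e == "":
            errors.append(f"{owner}: executables must not contain an empty value")
        elif not e.startswith("/"):
            errors.append(f"{owner}: executable {e!r} is not an absolute path (assumed rule)")


def _validate_tacacs(tacacs, where, errors):
    """Validate the tacacs object; only enable is inspected when TACACS+ is disabled."""
    if not isinstance(tacacs.get("enable"), bool):
        errors.append(f"{where}: enable must be true or false")
        return
    if tacacs["enable"] is False:
        return
    for key in ("server", "secret"):  # assumed required once TACACS+ is enabled
        if not isinstance(tacacs.get(key), str) or not tacacs[key]:
            errors.append(f"{where}: {key} is required when TACACS+ is enabled")
    group_names = set()
    for g in tacacs.get("groups") or []:
        name = g.get("name") if isinstance(g, dict) else None
        if not name:
            errors.append(f"{where}.groups: every group needs a name")
            continue
        if name in group_names:
            errors.append(f"{where}.groups: duplicate group name {name!r}")
        group_names.add(name)
        _check_executables(f"{where}.groups[{name}]", g.get("executables"), errors)
    for u in tacacs.get("users") or []:
        name = u.get("name") if isinstance(u, dict) else None
        if not name:
            errors.append(f"{where}.users: every user needs a name")
            continue
        member_of = u.get("memberOf")  # assumption: must reference a group defined above
        if member_of is not None and member_of not in group_names:
            errors.append(f"{where}.users[{name}]: memberOf {member_of!r} is not a defined group")
        _check_executables(f"{where}.users[{name}]", u.get("executables"), errors)


def validate_ssh_service(config):
    """Return a list of validation errors; an empty list means the document passed."""
    errors = []
    try:
        configurations = config["services"]["ssh"]["configurations"]
    except (KeyError, TypeError):
        return ["missing services.ssh.configurations"]
    if not isinstance(configurations, list) or not configurations:
        return ["services.ssh.configurations must be a non-empty list"]
    for idx, entry in enumerate(configurations):
        where = f"configurations[{idx}].sshConfiguration"
        ssh = entry.get("sshConfiguration") if isinstance(entry, dict) else None
        if not isinstance(ssh, dict):
            errors.append(f"{where}: object is missing")
            continue
        if not isinstance(ssh.get("enable"), bool):
            errors.append(f"{where}: enable must be true or false")
        tacacs = ssh.get("tacacs")
        if tacacs is not None:
            if isinstance(tacacs, dict):
                _validate_tacacs(tacacs, where + ".tacacs", errors)
            else:
                errors.append(f"{where}: tacacs must be an object")
    return errors


def validate_ssh_service_text(text):
    """Parse a JSON document and validate it; JSON syntax errors are reported as errors."""
    try:
        return validate_ssh_service(json.loads(text))
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]


if __name__ == "__main__":
    for label, doc in (("tacacs", SAMPLE_TACACS_CONFIG), ("ssh-only", SAMPLE_SSH_ONLY_CONFIG)):
        print(label, validate_ssh_service_text(doc) or "OK")
```

Run the validator over a document before pushing it to the server so that an empty executables list or a memberOf pointing at a group that was renamed is caught in review rather than after the TACACS+ login path has already been switched on; keep the "Break Glass" account from the note above available regardless, since the validator only checks document shape, not that the TACACS+ server itself is reachable.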