SSH - BlueCat Integrity - 9.6.0

VM Installation Guide

Locale
English
Product name
BlueCat Integrity
Version
9.6.0
With SSH enabled, you can use an SSH client to access the DNS/DHCP Server Administration Console via the physical IPv4 address of the DNS/DHCP Server.
Note: SSH upgraded to include AES encryption

Address Manager and DNS/DHCP Server have been updated to include only AES ciphers, in accordance with FIPS 140-2 certification requirements, to ensure that communications using SSH are secure. As a result, customers using older SSH clients may need to upgrade to an SSH Client that supports AES encryption.

Example

#cloud-config
bluecat_service_config:
    payload: |
        {
            "version": "1.0.0",
            "services": {
                "ssh": {
                    "configurations": [
                        {
                            "sshConfiguration": {
                                "enable": true,
                                "tacacs": {
                                    "enable": false
                                }
                            }
                        }
                    ]
                }
            }
        }
Parameters
  • enable—set to true to enable SSH; set to false to disable SSH.

Configuring TACACS+ authentication

You can configure TACACS+ authentication to allow users to authenticate against external TACACS+ servers to log in to the DNS/DHCP Server.
Attention:
  • Before you begin, BlueCat strongly recommends creating a "Break Glass" account to ensure that the server can be access in case of accidental configuration.
  • You must have an operating TACACS+ server in order to proceed with configuring TACACS+ authentication.
Example
#cloud-config
bluecat_service_config:
    payload: |
        {
            "version": "1.0.0",
            "services": {
                "ssh": {
                    "configurations": [
                        {
                            "sshConfiguration": {
                                "enable": true,
                                "tacacs": {
                                    "enable": true,
                                    "server": "tacacs.example.com",
                                    "secret": $1$DW1v$4XwJkGHQmBpp2w7G4skS9.
                                    "users": [
                                        {
                                            "name": "User1",
                                            "memberOf": "TACACSGroup1",
                                            "executables": ["/usr/bin/tail", "/usr/local/bin/rndc", "/bin/cat"]
                                        }
                                    ],
                                    "groups": [
                                        {
                                            "name": "TACACSGroup1",
                                            "executables": ["/sbin/ifup", "/sbin/ifdown"]
                                        }
                                    ]
                                }
                            }
                        }
                    ]
                }
            }
        }
Parameters
  • tacacs—enter the configuration information for TACACS+ authentication.
    • enable—set to true to enable TACACS+ authentication; set to false to disable TACACS+ authentication.
    • server—set the hostname of the TACACS+ server that will be used for authentication.
    • secret—enter the shared secret used to encrypt and decrypt packets between the client and the server.
    • users—enter the configuration information for TACACS+ users.
      • name—enter the name of the TACACS+ user.
      • memberOf—enter the name of the TACACS+ group that the user is a member of.
      • executables—enter the path to the commands that are granted to the TACACS+ user.
    • groups—enter the configuration information for TACACS+ groups.
      • name—enter the name of the TACACS+ group.
      • executables—enter the path to the commands that are granted to TACACS+ group.