With SSH enabled, you can use an SSH client to access the DNS/DHCP Server
Administration Console via the physical IPv4 address of the DNS/DHCP Server.
Note: SSH upgraded to include AES encryption
Address Manager and DNS/DHCP Server have been updated to accept only AES ciphers for SSH, in accordance with FIPS 140-2 certification requirements, so that SSH sessions to the server are protected by approved encryption. As a result, customers using older SSH clients may need to upgrade to an SSH client that supports AES.
Example
#cloud-config
bluecat_service_config:
  payload: |
    {
      "version": "1.0.0",
      "services": {
        "ssh": {
          "configurations": [
            {
              "sshConfiguration": {
                "enable": true,
                "tacacs": {
                  "enable": false
                }
              }
            }
          ]
        }
      }
    }
Parameters
enable
—set to true to enable SSH; set to false to disable SSH.
Configuring TACACS+ authentication
You can configure TACACS+ authentication to allow users to authenticate against
external TACACS+ servers to log in to the DNS/DHCP Server.
Attention:
- Before you begin, BlueCat strongly recommends creating a "Break Glass" account (a local account that does not depend on TACACS+) to ensure that the server can still be accessed if the TACACS+ configuration is wrong or the TACACS+ server cannot be reached.
- You must have an operating TACACS+ server in order to proceed with configuring TACACS+ authentication.
Example
#cloud-config
bluecat_service_config:
  payload: |
    {
      "version": "1.0.0",
      "services": {
        "ssh": {
          "configurations": [
            {
              "sshConfiguration": {
                "enable": true,
                "tacacs": {
                  "enable": true,
                  "server": "tacacs.example.com",
                  "secret": "$1$DW1v$4XwJkGHQmBpp2w7G4skS9.",
                  "users": [
                    {
                      "name": "User1",
                      "memberOf": "TACACSGroup1",
                      "executables": ["/usr/bin/tail", "/usr/local/bin/rndc", "/bin/cat"]
                    }
                  ],
                  "groups": [
                    {
                      "name": "TACACSGroup1",
                      "executables": ["/sbin/ifup", "/sbin/ifdown"]
                    }
                  ]
                }
              }
            }
          ]
        }
      }
    }
Parameters
tacacs
—enter the configuration information for TACACS+ authentication.
enable
—set to true to enable TACACS+ authentication; set to false to disable TACACS+ authentication.
server
—set the hostname of the TACACS+ server that will be used for authentication.
secret
—enter the shared secret used to obfuscate packets between the client and the server (the TACACS+ protocol calls this encryption, but it is not a strong cipher); it must match the secret configured on the TACACS+ server. The value is a JSON string and is stored in plain text in the cloud-config payload, so protect that data accordingly.
users
—enter the configuration information for TACACS+ users.
name
—enter the name of the TACACS+ user.
memberOf
—enter the name of the TACACS+ group that the user is a member of, as defined under groups.
executables
—enter the full paths of the commands that the TACACS+ user is permitted to run.
groups
—enter the configuration information for TACACS+ groups.
name
—enter the name of the TACACS+ group.
executables
—enter the full paths of the commands that members of the TACACS+ group are permitted to run.
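The two payloads above (SSH only, and SSH with TACACS+) are easy to get wrong by hand: an unquoted secret or a missing comma makes the JSON unparseable, and a user can reference a group that is never defined. The following script is an added example written for this page, not BlueCat's own tooling. It builds the cloud-config fragment with json.dumps so every string is quoted, extracts the payload back out of the `payload: |` block scalar without a YAML library, and lints it. The key names follow the examples on this page; the lint rules (absolute paths for executables, memberOf must name a defined group, TACACS+ requires a server and secret, TACACS+ with SSH disabled is flagged) are this example's own assumptions, and the sample data and placeholder secret are constructed here.

```python
"""Build and lint a bluecat_service_config SSH/TACACS+ payload (example, not BlueCat code)."""
import json
import textwrap
from typing import Any


def render_cloud_config(services: dict[str, Any], version: str = "1.0.0") -> str:
    """Serialise the payload with json.dumps so strings (the secret in particular) are always quoted."""
    payload = json.dumps({"version": version, "services": services}, indent=2)
    return "#cloud-config\nbluecat_service_config:\n  payload: |\n" + textwrap.indent(payload, "    ") + "\n"


def extract_payload(cloud_config: str) -> dict[str, Any]:
    """Pull the JSON out of the `payload: |` block scalar (lines indented deeper than the key).

    Raises ValueError if the block is missing or not valid JSON, e.g. an unquoted secret.
    """
    lines = cloud_config.splitlines()
    for i, line in enumerate(lines):
        if line.strip() != "payload: |":
            continue
        key_indent = len(line) - len(line.lstrip())
        block = []
        for nxt in lines[i + 1:]:
            if nxt.strip() and (len(nxt) - len(nxt.lstrip())) <= key_indent:
                break  # back at the parent's indentation: block scalar ended
            block.append(nxt)
        try:
            return json.loads(textwrap.dedent("\n".join(block)))
        except json.JSONDecodeError as exc:
            raise ValueError(f"payload is not valid JSON: {exc}") from None
    raise ValueError("no 'payload: |' block found")


def _check_executables(where: str, who: str, execs: Any) -> list[str]:
    """Command allow-lists must be absolute paths; a bare name resolves via PATH and can be hijacked."""
    if execs is None:
        return []
    if not isinstance(execs, list):
        return [f"{where}: {who}: executables must be a list"]
    return [f"{where}: {who}: executable {e!r} is not an absolute path"
            for e in execs if not (isinstance(e, str) and e.startswith("/"))]


def lint_ssh_config(payload: dict[str, Any]) -> list[str]:
    """Return human-readable findings; an empty list means the payload passed every assumed rule."""
    findings: list[str] = []
    if not isinstance(payload.get("version"), str):
        findings.append('version must be a string such as "1.0.0"')
    services = payload.get("services") if isinstance(payload.get("services"), dict) else {}
    confs = (services.get("ssh") or {}).get("configurations")
    if not isinstance(confs, list) or not confs:
        return findings + ["services.ssh.configurations must be a non-empty list"]
    for n, entry in enumerate(confs):
        where = f"configurations[{n}]"
        ssh = entry.get("sshConfiguration", {}) if isinstance(entry, dict) else {}
        if not isinstance(ssh.get("enable"), bool):
            findings.append(f"{where}: sshConfiguration.enable must be true or false")
        tacacs = ssh.get("tacacs") or {}
        if not isinstance(tacacs.get("enable"), bool):
            findings.append(f"{where}: tacacs.enable must be true or false")
            continue
        if not tacacs["enable"]:
            continue
        if ssh.get("enable") is False:
            findings.append(f"{where}: TACACS+ is enabled but SSH is disabled")
        for key in ("server", "secret"):  # both required once TACACS+ is on
            if not isinstance(tacacs.get(key), str) or not tacacs[key].strip():
                findings.append(f"{where}: tacacs.{key} must be a non-empty string")
        groups = tacacs.get("groups") or []
        defined = {g.get("name") for g in groups if isinstance(g, dict)}
        for grp in groups:
            findings += _check_executables(where, f"group {grp.get('name')!r}", grp.get("executables"))
        for usr in tacacs.get("users") or []:
            if usr.get("memberOf") not in defined:
                findings.append(f"{where}: user {usr.get('name')!r} references undefined group {usr.get('memberOf')!r}")
            findings += _check_executables(where, f"user {usr.get('name')!r}", usr.get("executables"))
    return findings


# Constructed sample mirroring the page's TACACS+ example, with a placeholder secret.
TACACS_SERVICES: dict[str, Any] = {"ssh": {"configurations": [{"sshConfiguration": {
    "enable": True,
    "tacacs": {
        "enable": True,
        "server": "tacacs.example.com",
        "secret": "REPLACE-WITH-SHARED-SECRET",
        "users": [{"name": "User1", "memberOf": "TACACSGroup1",
                   "executables": ["/usr/bin/tail", "/usr/local/bin/rndc", "/bin/cat"]}],
        "groups": [{"name": "TACACSGroup1", "executables": ["/sbin/ifup", "/sbin/ifdown"]}],
    },
}}]}}

# The page's example as printed before correction: secret unquoted, comma missing. Must be rejected.
BROKEN_CLOUD_CONFIG = """#cloud-config
bluecat_service_config:
  payload: |
    {"version": "1.0.0", "services": {"ssh": {"configurations": [{"sshConfiguration":
      {"enable": true, "tacacs": {"enable": true, "server": "tacacs.example.com",
       "secret": $1$DW1v$4XwJkGHQmBpp2w7G4skS9. "users": []}}}]}}}
"""

if __name__ == "__main__":
    doc = render_cloud_config(TACACS_SERVICES)
    print(doc)
    print("findings:", lint_ssh_config(extract_payload(doc)))
    try:
        extract_payload(BROKEN_CLOUD_CONFIG)
    except ValueError as exc:
        print("broken example rejected:", exc)
```

Run the lint against the rendered user-data before handing it to the server; a finding for the secret or the server is exactly the case where the break-glass account recommended above saves you.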