Modes and user configuration

Connect to SoodarOS

There are three ways of connecting to the router for configuration:

  • Physical connection:
    1. Direct connection (via monitor and keyboard)

    2. Console connection (RS-232)

  • Remote connection:
    1. SSH connection

Remote connection

Remote access to the router is provided over the well-known SSH protocol.

Example: with a management interface at address 192.168.1.1/24:

m@m-pc:~$ ssh admin@192.168.1.1
admin@192.168.1.1's password:

Users

Currently only one admin user, named admin, is available. This is the username used for the SSH connection.

Modes

  • View mode: Admin has access to some show commands to view the router’s state.

  • Enable mode: Admin can’t change the router’s configuration, but can enable debug commands and some commands more privileged than those of view mode.

  • Config mode: Full access to the router.

Passwords

SoodarOS is protected by 3 levels of passwords:

  1. Access password

  2. Enable password

  3. Config password

Access password

It is the primary password used to log in as the user. Without the access password, a person has no access to the router at all. An admin who knows only the access password has view mode privileges only.

password

Change the access password.

Enable password

Puts the admin in enable mode. It is asked for when the admin issues the enable command.

enable password PASSWORD

Set the enable password.

no enable password PASSWORD

Disable the enable password.

Config password

Asked for when the admin enters configure at the command line to enter config mode.

enable config password PASSWORD

Set the config password.

no enable config password PASSWORD

Disable the config password.

Reset access password

If the access password is forgotten, connect to Soodar via the console and enter user password.

user password

Reset the access password. Only enabled when connected through physical access.

Password length

To force users to set strong passwords, the admin can set a minimum password length.

security passwords min-length

Apply a minimum password length policy to the system. The default minimum length is 8 characters.

soodar(config)# security password min-length 8

no security passwords min-length

Remove all restrictions on password length.

Login Failures

The admin can ask for details of failed logins. These details are:

  • User name: The user that the login was attempted as (currently just admin)

  • Medium: Whether the attempt was made through SSH or the console

  • Address: For a remote login attempt, the IP address of the initiating machine; otherwise 0.0.0.0

  • Date: The date of the attempt

show login failures

Example:

soodar# show login failures
admin   ssh:notty       192.168.1.13    Thu Sep 17 09:18
admin   ssh:notty       192.168.1.13    Thu Sep 17 09:18
admin   ssh:notty       192.168.1.13    Thu Sep 17 09:18

Note

Login logs are stored for 1 month only.

Session Management

The SoodarOS admin can protect the router from DoS attacks and prevent network exhaustion by limiting the SSH authentication attempts allowed within a period and blocking the abuser’s IP. The admin can also list currently established sessions and terminate them.

show users

Show the currently running sessions, including line number, session type (console or SSH), session ID, and the IP address of the remote user.

clear line (0-530)

Clear a TTY line, terminating the session on that line and making the line usable again.

Note

Clearing a line terminates all sessions that share the session ID of the cleared session. Normally each line has its own session ID, but multiple sessions run over a single SSH connection share the same session ID.

login block-for TIME attempts ATTEMPT within PERIOD

Set the SSH jailing parameters. If someone makes ATTEMPT (a number in the range 1 to 10) unsuccessful login attempts within PERIOD (30-600) seconds, their IP address is blocked for the next TIME (10-7200) seconds. The defaults are 600 seconds of jail time for 5 attempts within 30 seconds.

show login blocked-ips

Show the IPs currently in jail.

login unblock <A.B.C.D|X:X::X:X|all>

Unblock an IP and release it from jail. The admin can unblock all blocked IPs by giving all as the argument.
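
The jailing policy above, as an added example that is not SoodarOS code: a small Python model of the sliding-window rule with the documented defaults and ranges, plus the equivalents of show login blocked-ips and login unblock. The timestamps, IP addresses, LoginJail class and simulate helper are constructed here for illustration.

```python
# Added example (not SoodarOS code): a model of "login block-for TIME attempts ATTEMPT
# within PERIOD" with the documented defaults (600 s jail, 5 attempts in 30 s) and ranges.
from collections import defaultdict, deque


class LoginJail:
    def __init__(self, block_for=600, attempts=5, within=30):
        # Documented ranges: TIME 10-7200, ATTEMPT 1-10, PERIOD 30-600 (seconds)
        if not (10 <= block_for <= 7200 and 1 <= attempts <= 10 and 30 <= within <= 600):
            raise ValueError("parameter outside the documented range")
        self.block_for, self.attempts, self.within = block_for, attempts, within
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked = {}                   # ip -> time at which the jail term ends

    def is_blocked(self, ip, now):
        end = self.blocked.get(ip)
        if end is None:
            return False
        if now >= end:                      # term served: released automatically
            del self.blocked[ip]
            return False
        return True

    def record_failure(self, ip, now):
        """Register one failed SSH authentication; returns True if ip is jailed."""
        if self.is_blocked(ip, now):
            return True
        window = self.failures[ip]
        window.append(now)
        while window and now - window[0] > self.within:  # sliding PERIOD window
            window.popleft()
        if len(window) >= self.attempts:
            self.blocked[ip] = now + self.block_for
            window.clear()
            return True
        return False

    def blocked_ips(self, now):             # what 'show login blocked-ips' lists
        return sorted(ip for ip in list(self.blocked) if self.is_blocked(ip, now))

    def unblock(self, target):              # 'login unblock <ip|all>'
        if target == "all":
            self.blocked.clear()
        else:
            self.blocked.pop(target, None)


def simulate(events, **params):
    # Replay constructed (time, ip) failure events; return the jail and first-jail times
    jail, jailed_at = LoginJail(**params), {}
    for t, ip in sorted(events):
        if jail.record_failure(ip, t) and ip not in jailed_at:
            jailed_at[ip] = t
    return jail, jailed_at
```

With the defaults, five failures spread 10 seconds apart never fall inside one 30-second window and are not jailed, while five failures within 25 seconds are.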

MOTD

Sometimes the system administrator needs to set a message that every user attempting to log in will see. This is done by setting a MOTD banner.

banner motd line LINE

Set the MOTD string from the given LINE.

no banner motd

Remove the MOTD banner; no banner string will be printed.

SSH

Soodar acts both as an SSH client and as an SSH server, so key management options are provided for both roles.

SSH Server

ip ssh pubkey-chain

Enter the SSH server authorized keys management node.

username USER

Enter the authorized public key management node for a user. Any SSH connection attempt to that user with an authorized public key is accepted.

key LINE ..

Add a public key to the user’s authorized keys.

no key HASH

Remove a public key from the user’s authorized keys by its hash.

no key (1-65535)

Remove a public key from the user’s authorized keys by its index in the key list.

show ip ssh pubkey-chain [verbose] [USER]

Show the current authorized keys database for USER (if USER is not given, show the database of all users). If the verbose option is given, output the complete keys instead of their hashes.

Example:

soodar# show ip ssh pubkey-chain
List is empty
soodar# conf ter
soodar(config)# ip ssh pubkey-chain
soodar(conf-ssh-pubkey)# username admin
soodar(conf-ssh-pubkey-user)# key ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQChX8nvRsv/nmZE8r+ljuVjiwe8riTt+kmSilS44/Wr+EFWbncx/E39QugQba+0I21/wn17bHbQitMMnXjINUITzqwTnnYQ
ekwSFjBuZKWKe4i0fYoYH2cqySHiecGJHaRD40Jw/6+FTDK4c0PdBIg1Vd3hF8H+bCyberpEzaJKwN2WBV4Pp2QQSU4hcIag0CB/5uk2NbO8/Ewa/cVG3uPURzDWA2RRh5SI320clRyYDkmrcPv6zcZ81tFx1t6F12N0/U12n/XQw+5YEL8HlbGEeQVG+p4eHuOBjP4Ta1Pz75F1Os/bylGQzTGlsrH4tAz7nj011XdAVAJ4ZuQ35KIwh0sVzEKVwZ9ZRFvOH4P0ijL59f/VRD878v7kVrRSKmKyZYUoJH4TBSkGEASGUXGYF+zzTI0RAa3+4j9yFaUMJJ1j1OaMq+FshykuX+3DpBKYQ3of3KWNfLHRCGYao7Eh3QOCxUCN5DuAtYhAd/vzF3DkyanO6LnnbCYkg7SFzWE= temp@test
soodar# show ip ssh pubkey-chain
admin:
   1: W7tjsK1S4C+CfMfjQSQzjiRQHPnHNMhFjbmMyOE02wU temp@test (ssh-rsa)
soodar# show ip ssh pubkey-chain verbose
admin:
   1: AAAAB3NzaC1yc2EAAAADAQABAAABgQChX8nvRsv/nmZE8r+ljuVjiwe8riTt+kmSilS44/Wr+EFWbncx/E39QugQba+0I21/wn17bHbQitMMnXjINUITzqwTnnYQekwSFjBuZKWKe4i0fYoYH2cqySHiecGJHaRD4
0Jw/6+FTDK4c0PdBIg1Vd3hF8H+bCyberpEzaJKwN2WBV4Pp2QQSU4hcIag0CB/5uk2NbO8/Ewa/cVG3uPURzDWA2RRh5SI320clRyYDkmrcPv6zcZ81tFx1t6F12N0/U12n/XQw+5YEL8HlbGEeQVG+p4eHuOBjP4Ta1P
z75F1Os/bylGQzTGlsrH4tAz7nj011XdAVAJ4ZuQ35KIwh0sVzEKVwZ9ZRFvOH4P0ijL59f/VRD878v7kVrRSKmKyZYUoJH4TBSkGEASGUXGYF+zzTI0RAa3+4j9yFaUMJJ1j1OaMq+FshykuX+3DpBKYQ3of3KWNfLHRC
GYao7Eh3QOCxUCN5DuAtYhAd/vzF3DkyanO6LnnbCYkg7SFzWE= temp@test (ssh-rsa)
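
As an added example that is not SoodarOS code, the following Python models the per-user key store shown above: keys are listed by an OpenSSH-style SHA256 fingerprint (unpadded base64 of SHA-256 over the raw key blob, which has the same 43-character shape as the hash column above; that SoodarOS uses exactly this hash is an assumption) and removed by that hash or by index. The PubkeyChain and parse_key_line names are chosen here, and the sample blob is constructed with only a valid ssh-rsa header, not a usable key.

```python
# Added example (not SoodarOS code): a model of the per-user "ip ssh pubkey-chain" store,
# identifying keys by the OpenSSH-style SHA256 fingerprint shown in the hash column.
import base64
import hashlib
import struct


def parse_key_line(line):
    # Split 'TYPE BASE64BLOB [COMMENT]' and check that the blob really starts with TYPE
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected 'TYPE BLOB [COMMENT]'")
    ktype, blob = parts[0], base64.b64decode(parts[1], validate=True)
    comment = parts[2] if len(parts) == 3 else ""
    (n,) = struct.unpack(">I", blob[:4])   # SSH wire format: uint32 length, then type
    if blob[4:4 + n] != ktype.encode():
        raise ValueError("key type inside the blob does not match the declared type")
    return ktype, blob, comment


def fingerprint(blob):
    """OpenSSH SHA256 fingerprint: unpadded base64 of SHA-256 over the raw key blob."""
    return base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


class PubkeyChain:
    def __init__(self):
        self.keys = []  # (type, blob, comment); shown with a 1-based index

    def add(self, line):                    # 'key LINE ..'
        self.keys.append(parse_key_line(line))
        return len(self.keys)

    def remove(self, ref):                  # 'no key HASH' or 'no key (1-65535)'
        if isinstance(ref, int):
            if not 1 <= ref <= len(self.keys):
                raise IndexError("no key at that index")
            del self.keys[ref - 1]
            return
        kept = [k for k in self.keys if fingerprint(k[1]) != ref]
        if len(kept) == len(self.keys):
            raise KeyError("no key with that hash")
        self.keys = kept

    def show(self, verbose=False):          # 'show ip ssh pubkey-chain [verbose]'
        out = []
        for i, (ktype, blob, comment) in enumerate(self.keys, 1):
            body = base64.b64encode(blob).decode() if verbose else fingerprint(blob)
            out.append(f"{i}: {body} {comment} ({ktype})" if comment else f"{i}: {body} ({ktype})")
        return out


# Constructed sample blob with a valid 'ssh-rsa' header only (not a usable key)
SAMPLE_BLOB = struct.pack(">I", 7) + b"ssh-rsa" + b"\x00\x00\x00\x01\x03"
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " temp@test"
```

The type check in parse_key_line rejects a line whose declared type (for example ssh-ed25519) does not match the type encoded inside the blob, a mismatch that a plain string store would accept silently.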

SSH Client

ip ssh client

Enter the SSH client known-host management node.

known-host <A.B.C.D|X:X::X:X|HOST>

Add a server’s public key(s) (the server given by IP address or hostname) to the current user’s known hosts list.

show ip ssh client known-host <A.B.C.D|X:X::X:X|HOST>

Show the public keys (if any) of a server stored in the known hosts list.

Example:

soodar# show ip ssh client known-host 192.168.30.50
soodar# conf ter
soodar(config)# ip ssh client
soodar(conf-ssh-client)# known-host 192.168.30.50 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCwOU2O2nNJGXIN5VT1Q0j7+H9kQQ9FnE0sl9aPQbOg/Sw1ryZyuUmApUFFABL7MDNZTKzWd3BfYsOB
sXOsKOHiGTZCPLbS93tvHAYlkeIcYDR9JJEi4A67nN/zXSoT+Ew78iUADjWH6rQSy4dtg+ScHFAj3Z9P7TQpK8zWJDLgA28d+zyYSwNd/MkF+EPmAH7mPoKkg2EGCpr889pR5mcBiXPVq69yUNFUG7U0D2aqDaGbaXk9TcfqCrktVmjGVF8rY91TaLMJBngVaYYsnT+xdYp8i8nicxbJoYDvvde057soX6mcTLNXI0opUV9K5TPY7Idp6AWCAxhgJ11IN2z+HZGw56xKDVXL0VXNMngxxICqMV5CxhYHraGkyCha1KXnU2rPi8PbYJkJMIlsXZ+hW9oCZs9x6gzvHHdadi3Ox9JZ6KEqLI7OKf8KNd2alZrGUNjlDIlG/jZhWtYdB4W/oFPAWa5YFqDRfu+VJdVnrGqIzr8GWRlPOjAjwOsBcQk= HOST-KEY
soodar# show ip ssh client known-host 192.168.30.50
192.168.30.50 RSA SHA256:bYisVirAvDxXqwbmYIn7IEj6Grdkf6BeTYCJ7LS11s0 HOST-KEY
soodar# ssh test@192.168.30.50
test@192.168.30.50's password:
soodar# show ip ssh client known-host 192.168.30.39
soodar# ssh test@192.168.30.39
The authenticity of host '192.168.30.39 (192.168.30.39)' can't be established.
RSA key fingerprint is SHA256:lJ2gRSCd8Wh0CrcPU8sOlZJdrbff2QrGaJ5zBcZ2S4I.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.30.39' (RSA) to the list of known hosts.
test@192.168.30.39's password:
soodar# show ip ssh client known-host 192.168.30.39
192.168.30.39 RSA SHA256:lJ2gRSCd8Wh0CrcPU8sOlZJdrbff2QrGaJ5zBcZ2S4I