ssh keys for NX-OS to access SFTP

Enabling contained, passwordless sftp from NX-OS switches to a Linux server

Note: This post is barely note-to-self grade documentation. Pulled together long after originally implemented, it may be missing necessary commands or information. Hopefully this is enough to be able to reproduce the concepts if ever useful elsewhere, but not likely to work as-is without experimentation, research, and validation.

Goal

Allow switches to push (e.g. config backups, à la tftp, but with connection security) and pull (e.g. OS image files) to and from a linux server.

Notable characteristics of this solution

  • Makes use of standard linux ugo permission hierarchy
  • Switches use ssh public key authentication for sftp connections
  • Ssh daemon configuration and linux group membership allow switches to:
    • Read and write from a common directory
    • Have all their public keys in a single file on the server
      • not each switch with its own ~/.ssh/authorized_keys
        • Which in turn means no need for unique home directories
    • Only have sftp access on connecting via ssh
    • Have sftp access contained to a specific folder with chroot
  • SSH keys are only valid from predetermined ip addresses, further reducing risk in case of compromise
  • SELinux was not in play here. SELinux may require additional attention to reproduce this on Enterprise Linux servers
  • There is probably room for improvement

Nexus config

Generate rsa keypair for default admin user

username admin keypair generate rsa 2048


Collect public key for admin user

show username admin keypair | include ssh-rsa

Reference

Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 7.x #Configuration Example for SSH  

There were a number of great blogs that I pulled bits from to arrive at this solution (especially around the ssh configuration), and I wish I had those links at hand to give them the due credit.

Sftp server config

mkdir /sftp
chown root:root /sftp
chmod 701 /sftp
mkdir /sftp/nexus
addgroup networkdevices
adduser --disabled-password --ingroup networkdevices --home /nexus --no-create-home --gecos nexus1 --shell '' nexus1
chown root:networkdevices /sftp/nexus
chmod 570 /sftp/nexus
sudo -u nexus1 touch /sftp/nexus/nexus1-confg
chmod 600 /sftp/nexus/nexus1-confg

/etc/ssh/sshd_config
Subsystem sftp /usr/lib/openssh/sftp-server

# Added
LogLevel VERBOSE
Match Group networkdevices
        PasswordAuthentication no
        AuthorizedKeysFile /etc/ssh/sshd_config.keys/networkdevices
        ForceCommand internal-sftp
        ChrootDirectory /sftp

/etc/ssh/sshd_config.keys/networkdevices
# nexus1, assuming 192.0.2.0/24 is our oob management network
from="192.0.2.1" ssh-rsa AAAAB…
# nexus2
from="192.0.2.2" ssh-rsa AAAAB…
# nexus3, assuming nexus3 uses both oob and inband 198.51.100.0/24
from="192.0.2.3,198.51.100.1" ssh-rsa AAAAB…
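An added audit script, not part of the original post, that parses a networkdevices key file the way sshd does (quoted option values such as from="a,b" stay intact) and flags any key that is not pinned to single addresses inside the management networks; it assumes the 192.0.2.0/24 and 198.51.100.0/24 ranges used above, and the sample key lines are constructed with placeholder key material.

```python
import ipaddress
import re

# Constructed sample of /etc/ssh/sshd_config.keys/networkdevices (placeholder
# key material, not real keys); the last two entries are deliberately wrong.
SAMPLE_KEYS = """\
from="192.0.2.1" ssh-rsa AAAAB3PLACEHOLDER nexus1
from="192.0.2.2" ssh-rsa AAAAB3PLACEHOLDER nexus2
from="192.0.2.3,198.51.100.1" ssh-rsa AAAAB3PLACEHOLDER nexus3
ssh-rsa AAAAB3PLACEHOLDER nexus4
from="203.0.113.9" ssh-rsa AAAAB3PLACEHOLDER nexus5
"""
MGMT_NETS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("198.51.100.0/24")]
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-", "sk-")

def split_options(line):
    """Split an authorized_keys line into (options, key part); quoted values like from="a,b" stay intact."""
    if line.startswith(KEY_TYPES):
        return [], line  # no options section at all
    quoted, end = False, len(line)
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            end = i
            break
    # split only on commas outside quotes, then drop the quotes themselves
    opts = re.split(r',(?=(?:[^"]*"[^"]*")*[^"]*$)', line[:end])
    return [o.replace('"', "") for o in opts], line[end:].strip()

def audit_keys(text, allowed_nets=MGMT_NETS):
    """Return (line_no, problem) for each key not pinned to addresses inside the management networks."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, _key = split_options(line)
        froms = [o[5:] for o in opts if o.startswith("from=")]
        if not froms:
            findings.append((n, "no from= restriction"))
            continue
        for pat in froms[0].split(","):
            try:  # a wildcard or CIDR pattern is not a single address: flag it
                ok = any(ipaddress.ip_address(pat) in net for net in allowed_nets)
            except ValueError:
                ok = False
            if not ok:
                findings.append((n, f"from={pat!r} is not a single management address"))
    return findings
```

Run it against the real file with `audit_keys(open("/etc/ssh/sshd_config.keys/networkdevices").read())`; an empty list means every switch key is locked to its expected management addresses.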
