techblog.koponen.se
HOWTO
NETWORK
NOTES ON USING UBIQUITI EDGESWITCH
Published: 20190826
Hardware: Ubiquiti EdgeSwitch Lite 24
Firmware: v1.8.2
And: OpenBSD 6.5 amd64 (in VMware)
These are just my notes from installing a Ubiquiti EdgeSwitch Lite 24.
The switch listens on these ports:
$ nmap -p 0-65535 <ipv4_address>
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-23 11:07 CEST
Nmap scan report for 10.0.1.152
Host is up (0.0078s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
10001/tcp open scp-config
Nmap done: 1 IP address (1 host up) scanned in 77.41 seconds
$
If you try to reach the switch via HTTP (80/tcp) you get a 301 redirect to HTTPS (443/tcp).
The switch can also be reached via console: 115200 8N1
Baud rate: 115200
Data bits: 8
Parity: NONE
Stop bits: 1
Flow control: NONE
Default account is:
username: ubnt
password: ubnt
Enable account:
command: enable
password: ubnt
Create your own key and certificate, and concatenate them into a single file called server.pem.
Also, the certificate (for some reason I haven't figured out yet) needs to have the IPv4 address as the hostname in the CN.
Note that browsers ignore the CN and match against the subjectAltName instead, so put the same address there as an IP entry as well, or the browser will still warn about the certificate.
Copy your CA certificate and name the file root.pem.
Put your 2 PEM files on a TFTP server. Keep in mind that server.pem contains the private key and that TFTP is neither authenticated nor encrypted, so do the transfer over an isolated management network and remove the files from the TFTP server afterwards.
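The key, certificate and PEM bundling steps above, as an added worked example that is not from the original post: a shell script that creates a private CA, issues a server certificate with the management address both in the CN (as the switch wants it) and in the subjectAltName (as browsers want it), writes server.pem and root.pem, and checks them before they go anywhere near the TFTP server. It assumes OpenSSL 1.1.1 or newer on PATH; the address 10.0.1.152 is the one from the nmap output, the output directory and the function names are my own choices.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes OpenSSL >= 1.1.1.
# Usage: make_switch_pems 10.0.1.152 ./edgesw && check_switch_pems 10.0.1.152 ./edgesw
set -eu

make_switch_pems() {
    ip="$1"; out="$2"
    mkdir -p "$out"
    # 1. Private CA. Its certificate is what goes on the switch as root.pem.
    #    A private config file is used so the result does not depend on the
    #    distribution's openssl.cnf.
    cat > "$out/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = EdgeSwitch lab CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$out/ca.cnf" -newkey rsa:4096 -nodes -sha256 \
        -days 3650 -keyout "$out/ca.key" -out "$out/ca.crt" 2>/dev/null
    # 2. Server key and CSR; the CN is the IPv4 address, as the switch requires.
    cat > "$out/server.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $ip
EOF
    openssl req -new -config "$out/server.cnf" -newkey rsa:2048 -nodes -sha256 \
        -keyout "$out/server.key" -out "$out/server.csr" 2>/dev/null
    # 3. Sign it with the CA. The address goes into the SAN as an IP entry too,
    #    because browsers match the SAN and ignore the CN.
    cat > "$out/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:$ip
EOF
    openssl x509 -req -sha256 -days 825 -in "$out/server.csr" \
        -CA "$out/ca.crt" -CAkey "$out/ca.key" -CAcreateserial \
        -extfile "$out/server.ext" -out "$out/server.crt" 2>/dev/null
    # 4. The two files the "copy tftp://..." commands fetch: key + cert, and CA cert.
    cat "$out/server.key" "$out/server.crt" > "$out/server.pem"
    cp "$out/ca.crt" "$out/root.pem"
    chmod 600 "$out/ca.key" "$out/server.key" "$out/server.pem"
}

# Checks to run before uploading: the chain validates against root.pem, CN and
# SAN carry the address, and the key in server.pem belongs to the certificate
# in server.pem. Returns 0 on success, 1-4 telling which check failed.
check_switch_pems() {
    ip="$1"; out="$2"
    openssl verify -CAfile "$out/root.pem" "$out/server.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$out/server.pem" -noout -subject | grep -q "CN *= *$ip\$" || return 2
    openssl x509 -in "$out/server.pem" -noout -ext subjectAltName | grep -q "IP Address:$ip" || return 3
    certmod=$(openssl x509 -in "$out/server.pem" -noout -modulus)
    keymod=$(openssl rsa -in "$out/server.pem" -noout -modulus 2>/dev/null)
    [ "$certmod" = "$keymod" ] || return 4
}
```

check_switch_pems reads the certificate and key out of the combined server.pem on purpose: that is the file the switch will load, so a cat in the wrong order or a stale key would show up here rather than on the switch.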
Here's a quick tip on how to make a TFTP server:
Assuming your TFTP server has IPv4 address "192.0.2.2", in the CLI type:
(UBNT EdgeSwitch) #hostname myhostname
(myhostname) #no ip http secure-server
(myhostname) #copy tftp://192.0.2.2/server.pem nvram:sslpem-server
Mode........................................... TFTP
Set Server IP.................................. 192.0.2.2
Path........................................... ./
Filename....................................... server.pem
Data Type...................................... SSL Server cert
Management access will be blocked for the duration of the transfer
Are you sure you want to start? (y/n) y
File transfer in progress. Management access will be blocked for the duration o.
Host key file transfer operation completed successfully.
(myhostname) #copy tftp://192.0.2.2/root.pem nvram:sslpem-root
Mode........................................... TFTP
Set Server IP.................................. 192.0.2.2
Path........................................... ./
Filename....................................... root.pem
Data Type...................................... SSL Root cert
Management access will be blocked for the duration of the transfer
Are you sure you want to start? (y/n) y
File transfer in progress. Management access will be blocked for the duration o.
Host key file transfer operation completed successfully.
(myhostname) #ip http secure-server
(myhostname) #
Since there doesn't seem to be any way to generate or verify the SSH host keys on the switch itself, create the host key pair yourself and upload it. A side benefit is that you then know which host key fingerprint to expect the first time you connect.
Create your own key pair (on a Linux machine, not on the switch):
$ ssh-keygen -t rsa -b 4096 -C '' -N '' -f sshkey-rsa2
Generating public/private rsa key pair.
Your identification has been saved in sshkey-rsa2.
Your public key has been saved in sshkey-rsa2.pub.
The key fingerprint is:
SHA256:xxxxxxxxxxx
The key's randomart image is:
+---[RSA 4096]----+
| |
| |
| |
| |
| |
| |
| |
| |
| |
+----[SHA256]-----+
$
Convert the keys into PEM file format:
$ ssh-keygen -f sshkey-rsa2.pub -e -m pem > sshkey-rsa2.pub.pem
$ cat sshkey-rsa2 sshkey-rsa2.pub.pem > sshkey-rsa2.pem
Note that ssh-keygen 7.8 and later writes the private key in OpenSSH's own format (BEGIN OPENSSH PRIVATE KEY) by default. If your sshkey-rsa2 looks like that and the switch rejects the upload, regenerate it with -m PEM added to the ssh-keygen command to get the traditional BEGIN RSA PRIVATE KEY encoding.
The key can be uploaded by:
Update the RSA key
Update the DSA key (since it can't be disabled, sigh)
You can now SSH into the switch.
Also, CHANGE THE PASSWORD!
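The host key procedure above, as an added example that is not part of the original post: a shell script that generates the key pair with the private key in traditional PEM encoding, builds sshkey-rsa2.pem, and, since you now control the host key, derives its SHA256 fingerprint and a known_hosts entry for the switch before the first connection, so the first SSH session is checked against a value you already know instead of accepted blindly. The fingerprint is computed with openssl rather than ssh-keygen -l to show what it actually is (base64 of SHA-256 over the raw key blob, padding stripped). It assumes OpenSSH's ssh-keygen and openssl on PATH; 10.0.1.152 is the switch address from the nmap output and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes ssh-keygen (OpenSSH) and
# openssl on PATH; 10.0.1.152 is the switch address from the nmap output.
set -eu

# Generate the host key pair off-box. -m PEM forces the traditional
# "BEGIN RSA PRIVATE KEY" encoding (ssh-keygen 7.8+ otherwise writes its own
# OPENSSH format), then export the public key as PEM and concatenate both
# into sshkey-rsa2.pem for upload.
make_hostkey_bundle() {
    dir="$1"
    ssh-keygen -q -t rsa -b 4096 -m PEM -C '' -N '' -f "$dir/sshkey-rsa2"
    ssh-keygen -f "$dir/sshkey-rsa2.pub" -e -m pem > "$dir/sshkey-rsa2.pub.pem"
    cat "$dir/sshkey-rsa2" "$dir/sshkey-rsa2.pub.pem" > "$dir/sshkey-rsa2.pem"
    chmod 600 "$dir/sshkey-rsa2" "$dir/sshkey-rsa2.pem"
}

# SHA256 fingerprint of an OpenSSH public key line ("ssh-rsa AAAA... [comment]"),
# computed by hand: base64-decode the key blob, SHA-256 it, base64-encode the
# digest and drop the "=" padding. This is exactly the "SHA256:..." string ssh
# prints when it meets an unknown host, so it can be compared on first connect.
pubkey_fingerprint() {
    blob=$(printf '%s\n' "$1" | awk '{print $2}')
    digest=$(printf '%s\n' "$blob" | fold -w 64 | openssl base64 -d \
        | openssl dgst -sha256 -binary | openssl base64 | sed 's/=*$//')
    printf 'SHA256:%s\n' "$digest"
}

# known_hosts line that pins the switch to the key you generated. Append it to
# ~/.ssh/known_hosts before the first "ssh ubnt@10.0.1.152"; ssh then refuses
# to talk to anything presenting a different host key for that address.
known_hosts_line() {
    host="$1"; pubkey_line="$2"
    printf '%s %s\n' "$host" "$(printf '%s\n' "$pubkey_line" | awk '{print $1 " " $2}')"
}

# Usage:
#   make_hostkey_bundle .
#   pubkey_fingerprint "$(cat sshkey-rsa2.pub)"
#   known_hosts_line 10.0.1.152 "$(cat sshkey-rsa2.pub)" >> ~/.ssh/known_hosts
```

Upload sshkey-rsa2.pem as the RSA key, then compare the fingerprint ssh shows on the first connection with the output of pubkey_fingerprint; if they differ, something between you and the switch is answering instead of the switch.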