Configuring SSH and Console Connection
Configuring a System Login Message and Announcement
A system login message appears before the user logs in and a system login announcement appears after the user logs in. By default, no login message or announcement is displayed on the device.
To configure a system login message through the console or management interface, use the following command:
To configure a system login announcement, use the following command:
If the message text contains any spaces, enclose it in quotation marks.
You can format the message using the following special characters:
\'—Single quotation mark
\"—Double quotation mark
Configuring SSH on the Evaluated Configuration
SSH through the remote management interface is allowed in the evaluated configuration. If an existing SSH connection is broken unintentionally, for example by a reboot, re-initiate the connection after the device is back up. There is no mechanism to retain an existing or established connection that has been broken. This topic describes how to configure SSH for remote management of the TOE. The following algorithms must be configured for SSH to be valid under NDcPP.
To configure SSH on the TOE:
- Specify the permissible SSH host-key algorithms for the system services.
  security-administrator@host:fips# set system services ssh hostkey-algorithm ssh-ecdsa
  security-administrator@host:fips# set system services ssh hostkey-algorithm no-ssh-dss
  security-administrator@host:fips# set system services ssh hostkey-algorithm ssh-rsa
- Specify the SSH key-exchange for Diffie-Hellman keys for the system services.
  security-administrator@host:fips# set system services ssh key-exchange dh-group14-sha1
  security-administrator@host:fips# set system services ssh key-exchange ecdh-sha2-nistp256
  security-administrator@host:fips# set system services ssh key-exchange ecdh-sha2-nistp384
  security-administrator@host:fips# set system services ssh key-exchange ecdh-sha2-nistp521
- Specify all the permissible message authentication code algorithms for SSHv2.
  security-administrator@host:fips# set system services ssh macs hmac-sha1
  security-administrator@host:fips# set system services ssh macs hmac-sha2-256
  security-administrator@host:fips# set system services ssh macs hmac-sha2-512
- Specify the ciphers allowed for protocol version 2.
  security-administrator@host:fips# set system services ssh ciphers aes128-cbc
  security-administrator@host:fips# set system services ssh ciphers aes256-cbc
  security-administrator@host:fips# set system services ssh ciphers aes128-ctr
  security-administrator@host:fips# set system services ssh ciphers aes256-ctr
Supported SSH hostkey algorithms:
  ssh-ecdsa: Allow generation of ECDSA host-key
  ssh-rsa: Allow generation of RSA host-key
Supported SSH key-exchange algorithms:
  dh-group14-sha1: The RFC 4253 mandated group14 with SHA1 hash
  ecdh-sha2-nistp256: The EC Diffie-Hellman on nistp256 with SHA2-256
  ecdh-sha2-nistp384: The EC Diffie-Hellman on nistp384 with SHA2-384
  ecdh-sha2-nistp521: The EC Diffie-Hellman on nistp521 with SHA2-512
Supported MAC algorithms:
  hmac-sha1: Hash-based MAC using Secure Hash Algorithm (SHA1)
  hmac-sha2-256: Hash-based MAC using Secure Hash Algorithm (SHA2)
  hmac-sha2-512: Hash-based MAC using Secure Hash Algorithm (SHA2)
Supported SSH cipher algorithms:
  aes128-cbc: 128-bit AES with Cipher Block Chaining
  aes128-ctr: 128-bit AES with Counter Mode
  aes256-cbc: 256-bit AES with Cipher Block Chaining
  aes256-ctr: 256-bit AES with Counter Mode
Limiting the Number of User Login Attempts for SSH Sessions
An administrator may log in remotely to a device through SSH. Administrator credentials are stored locally on the device. If the remote administrator presents a valid username and password, access to the TOE is granted. If the credentials are invalid, the TOE allows the authentication to be retried after an interval that starts at 1 second and increases exponentially. If the number of authentication attempts exceeds the configured maximum, no authentication attempts are accepted for a configured time interval. When the interval expires, authentication attempts are again accepted.
You configure the amount of time the device stays locked after failed attempts. The lockout-period is the amount of time, in minutes, before the user can attempt to log in to the device again after being locked out for exceeding the number of failed login attempts specified in the tries-before-disconnect statement. When a user fails to log in correctly within the number of attempts allowed by the tries-before-disconnect statement, the user must wait the configured number of minutes before attempting to log in to the device again.
The lockout-period must be greater than zero. The lockout-period can be configured from one through 43,200 minutes.
You can configure the device to limit the number of attempts to enter a password when logging in through SSH, after which the connection is closed, using the following command:
Here, tries-before-disconnect is the number of times a user can attempt to enter a password when logging in. The connection closes if a user fails to log in after the number specified. The range is from 1 through 10, and the default value is 10.
You can also configure a delay, in seconds, before a user can try to enter a password after a failed attempt.
Here, backoff-threshold is the threshold for the number of failed login attempts before the user experiences a delay in being able to enter a password again. Use the backoff-factor option to specify the length of the delay in seconds. The range is from 1 through 3, and the default value is 2 seconds.
In addition, the device can be configured to specify the threshold for the number of failed attempts before the user experiences a delay in entering the password again.
Here, backoff-factor is the length of time, in seconds, before a user can attempt to log in after a failed attempt. The delay increases by the value specified for each subsequent attempt after the threshold. The range is from 5 through 10, and the default value is 5 seconds.
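To make the interplay of tries-before-disconnect, backoff-threshold, backoff-factor and lockout-period concrete, the following model computes the delay a user sees after each failed attempt and the total time until the connection is closed. This is an added example written for this page, not Juniper code. It assumes one reading of the text above: no delay until backoff-threshold consecutive failures have occurred, from that failure on a delay of backoff-factor seconds that grows by backoff-factor for every further failure, and, once tries-before-disconnect failures have been made, disconnection followed by the lockout-period if one is configured. The ranges and defaults are the ones the text states.

```python
"""Model of the SSH login retry-options described above (added example,
not Juniper code). The exact delay rule is an assumption documented in
delay_after_failure()."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class RetryOptions:
    tries_before_disconnect: int = 10  # 1..10, default 10
    backoff_threshold: int = 2         # 1..3, default 2
    backoff_factor: int = 5            # 5..10 seconds, default 5
    lockout_period: int | None = None  # 1..43200 minutes; None = no lockout

    def __post_init__(self) -> None:
        # Reject values outside the ranges the text gives for each statement.
        if not 1 <= self.tries_before_disconnect <= 10:
            raise ValueError("tries-before-disconnect must be 1..10")
        if not 1 <= self.backoff_threshold <= 3:
            raise ValueError("backoff-threshold must be 1..3")
        if not 5 <= self.backoff_factor <= 10:
            raise ValueError("backoff-factor must be 5..10 seconds")
        if self.lockout_period is not None and not 1 <= self.lockout_period <= 43200:
            raise ValueError("lockout-period must be 1..43200 minutes")


def delay_after_failure(opts: RetryOptions, failures: int) -> int:
    """Seconds before the next password prompt after the n-th consecutive
    failure. Assumed rule: no delay below the threshold; at the threshold the
    delay is backoff-factor and it grows by backoff-factor per further failure."""
    if failures < opts.backoff_threshold:
        return 0
    return opts.backoff_factor * (failures - opts.backoff_threshold + 1)


def session_timeline(opts: RetryOptions) -> list[tuple[int, int]]:
    """(failure number, delay before the next prompt) for one SSH session that
    keeps failing. The final failure closes the connection instead of
    producing another prompt, so it is not listed."""
    return [(n, delay_after_failure(opts, n))
            for n in range(1, opts.tries_before_disconnect)]


def seconds_until_disconnect(opts: RetryOptions) -> int:
    """Total delay a session accumulates before tries-before-disconnect closes it."""
    return sum(delay for _, delay in session_timeline(opts))


def lockout_seconds(opts: RetryOptions) -> int:
    """How long the account stays locked after the disconnect, in seconds."""
    return 0 if opts.lockout_period is None else opts.lockout_period * 60


if __name__ == "__main__":
    # Defaults from the text versus a stricter, hypothetical configuration.
    for label, opts in (("defaults", RetryOptions()),
                        ("strict", RetryOptions(tries_before_disconnect=3,
                                                backoff_threshold=1,
                                                backoff_factor=10,
                                                lockout_period=30))):
        print(label, session_timeline(opts),
              "disconnect after", seconds_until_disconnect(opts), "s,",
              "lockout", lockout_seconds(opts), "s")
```

With the defaults, the nine prompts before disconnect accumulate 180 seconds of delay; the stricter settings close the connection after the third failure and keep the account locked for 30 minutes, which is the trade-off the lockout-period statement lets an administrator make.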
You can control user access through SSH. By configuring ssh root-login deny, you prevent the root account from logging in over SSH; the root account remains active and keeps its local administrative privileges on the TOE even when other remote users are logged off.
The SSH2 protocol provides secure terminal sessions using strong encryption. The SSH2 protocol requires running the key-exchange phase and changing the encryption and integrity keys for the session. Key exchange is done periodically, after a specified number of seconds or after a specified number of bytes have passed over the connection. You can configure thresholds for SSH rekeying to satisfy FCS_SSHS_EXT.1.8 and FCS_SSHC_EXT.1.8. The TSF ensures that within SSH connections the same session keys are used for no longer than one hour and for no more than one gigabyte of transmitted data. When either threshold is reached, a rekey must be performed.
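The algorithm lists in the "Configuring SSH on the Evaluated Configuration" steps above, the root-login deny setting and the one hour / one gigabyte rekey thresholds are all things an auditor has to re-check after every commit. The following script is an added example written for this page, not Juniper software: it reads a configuration in the `set` format (as shown by `show configuration | display set`) and reports any `system services ssh` statement that falls outside the evaluated lists. The permitted algorithm names are exactly the ones listed above; `root-login deny` is the statement named above, and `rekey time-limit <minutes>` and `rekey data-limit <bytes>` are standard Junos statements under `system services ssh`. Both sample configurations are constructed for this example.

```python
"""Audit 'set system services ssh ...' statements against the evaluated
configuration described above (added example, not Juniper software)."""
from __future__ import annotations

# Algorithm names taken from the configuration steps on this page.
PERMITTED: dict[str, set[str]] = {
    "hostkey-algorithm": {"ssh-ecdsa", "ssh-rsa", "no-ssh-dss"},
    "key-exchange": {"dh-group14-sha1", "ecdh-sha2-nistp256",
                     "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"},
    "macs": {"hmac-sha1", "hmac-sha2-256", "hmac-sha2-512"},
    "ciphers": {"aes128-cbc", "aes256-cbc", "aes128-ctr", "aes256-ctr"},
}
MAX_REKEY_MINUTES = 60          # "no longer than one hour"
MAX_REKEY_BYTES = 1024 ** 3     # "no more than one gigabyte"


def parse_ssh_config(text: str) -> dict[str, list[str]]:
    """Collect the values of every 'set system services ssh' statement.
    Two-word statements such as 'rekey time-limit 60' are keyed as
    'rekey time-limit'; everything else is keyed by its first word."""
    cfg: dict[str, list[str]] = {}
    for raw in text.splitlines():
        parts = raw.split()
        if parts[:4] != ["set", "system", "services", "ssh"] or len(parts) < 5:
            continue  # not an SSH service statement
        rest = parts[4:]
        if rest[0] == "rekey" and len(rest) >= 2:
            key, values = "rekey " + rest[1], rest[2:]
        else:
            key, values = rest[0], rest[1:]
        cfg.setdefault(key, []).extend(values)
    return cfg


def audit(cfg: dict[str, list[str]]) -> list[str]:
    """Return one finding per deviation from the evaluated configuration."""
    findings: list[str] = []
    for stmt, allowed in PERMITTED.items():
        configured = set(cfg.get(stmt, []))
        if not configured:
            findings.append(f"{stmt}: not configured, platform defaults apply")
            continue
        for alg in sorted(configured - allowed):
            findings.append(f"{stmt}: {alg} is not in the evaluated list")
    if "no-ssh-dss" not in cfg.get("hostkey-algorithm", []):
        findings.append("hostkey-algorithm: no-ssh-dss missing, DSA host keys not disabled")
    if cfg.get("root-login") != ["deny"]:
        findings.append("root-login: must be deny")
    minutes = cfg.get("rekey time-limit")
    if not minutes:
        findings.append("rekey time-limit: not configured")
    elif int(minutes[0]) > MAX_REKEY_MINUTES:
        findings.append(f"rekey time-limit: {minutes[0]} minutes exceeds one hour")
    data = cfg.get("rekey data-limit")
    if not data:
        findings.append("rekey data-limit: not configured")
    elif int(data[0]) > MAX_REKEY_BYTES:
        findings.append(f"rekey data-limit: {data[0]} bytes exceeds one gigabyte")
    return findings


# Constructed sample: matches the evaluated configuration.
GOOD_CONFIG = """\
set system services ssh root-login deny
set system services ssh hostkey-algorithm ssh-ecdsa
set system services ssh hostkey-algorithm no-ssh-dss
set system services ssh hostkey-algorithm ssh-rsa
set system services ssh key-exchange dh-group14-sha1
set system services ssh key-exchange ecdh-sha2-nistp256
set system services ssh macs hmac-sha2-256
set system services ssh ciphers aes256-ctr
set system services ssh rekey time-limit 60
set system services ssh rekey data-limit 1073741824
"""

# Constructed sample: legacy choices that the audit must flag.
WEAK_CONFIG = """\
set system services ssh root-login allow
set system services ssh hostkey-algorithm ssh-rsa
set system services ssh key-exchange dh-group1-sha1
set system services ssh macs hmac-md5
set system services ssh ciphers 3des-cbc
set system services ssh rekey time-limit 1440
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit(parse_ssh_config(text)) or ["compliant"])
```

Feed it the output of `show configuration system services ssh | display set` from the device; an empty findings list means every statement covered here matches the evaluated configuration. The script only checks what is configured, so a statement left at its platform default is reported rather than silently accepted.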