Configuring SSH on the Evaluated Configuration
SSH is an allowed remote management interface in the evaluated configuration. This topic describes how to configure SSH on the device.
Before you begin, log in with your root account on the device.
To configure SSH on the device:
- Specify the permissible SSH host-key algorithms for the system services.
  [edit]
  user@host# set system services ssh hostkey-algorithm ssh-ecdsa
  user@host# set system services ssh hostkey-algorithm no-ssh-dss
  user@host# set system services ssh hostkey-algorithm ssh-rsa
- Specify the SSH key-exchange algorithms for Diffie-Hellman keys for the system services.
  [edit]
  user@host# set system services ssh key-exchange dh-group14-sha1
  user@host# set system services ssh key-exchange ecdh-sha2-nistp256
  user@host# set system services ssh key-exchange ecdh-sha2-nistp384
  user@host# set system services ssh key-exchange ecdh-sha2-nistp521
- Specify all the permissible message authentication code algorithms for SSHv2.
  [edit]
  user@host# set system services ssh macs hmac-sha1
  user@host# set system services ssh macs hmac-sha2-256
  user@host# set system services ssh macs hmac-sha2-512
- Specify the ciphers allowed for protocol version 2.
  [edit]
  user@host# set system services ssh ciphers aes128-cbc
  user@host# set system services ssh ciphers aes256-cbc
  user@host# set system services ssh ciphers aes128-ctr
  user@host# set system services ssh ciphers aes256-ctr
- Specify the number of minutes or the maximum amount of data before a rekey is forced on a session.
  [edit system services ssh]
  user@host# set rekey time-limit 60
  user@host# set rekey data-limit 1g
Supported SSH hostkey algorithms:
  ssh-ecdsa    Allow generation of ECDSA host-key
  ssh-rsa      Allow generation of RSA host-key
Supported SSH key-exchange algorithms:
  dh-group14-sha1       The RFC 4253 mandated group14 with SHA1 hash
  ecdh-sha2-nistp256    The EC Diffie-Hellman on nistp256 with SHA2-256
  ecdh-sha2-nistp384    The EC Diffie-Hellman on nistp384 with SHA2-384
  ecdh-sha2-nistp521    The EC Diffie-Hellman on nistp521 with SHA2-512
Supported MAC algorithms:
  hmac-sha1        Hash-based MAC using Secure Hash Algorithm (SHA1)
  hmac-sha2-256    Hash-based MAC using Secure Hash Algorithm (SHA2)
  hmac-sha2-512    Hash-based MAC using Secure Hash Algorithm (SHA2)
Supported SSH cipher algorithms:
  aes128-cbc    128-bit AES with Cipher Block Chaining
  aes128-ctr    128-bit AES with Counter Mode
  aes256-cbc    256-bit AES with Cipher Block Chaining
  aes256-ctr    256-bit AES with Counter Mode
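
To check a device against the procedure above, the following added example (not part of the original page or the vendor's tooling) parses set-format configuration lines, such as the output of `show configuration system services ssh | display set`, and reports algorithms outside the lists above, statements from the procedure that are absent, and rekey limits that differ from the values in the last step. The function name `audit`, the sample configuration, and the choice to treat every statement in the procedure as required are assumptions of the example.

```python
import re

# Permitted values per statement, copied from the procedure on this page.
EVALUATED = {
    "hostkey-algorithm": {"ssh-ecdsa", "ssh-rsa", "no-ssh-dss"},
    "key-exchange": {"dh-group14-sha1", "ecdh-sha2-nistp256",
                     "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"},
    "macs": {"hmac-sha1", "hmac-sha2-256", "hmac-sha2-512"},
    "ciphers": {"aes128-cbc", "aes256-cbc", "aes128-ctr", "aes256-ctr"},
}
REKEY = {"time-limit": "60", "data-limit": "1g"}  # values from the last step
SET_LINE = re.compile(r"^set system services ssh (\S+) (\S+)(?: (\S+))?$")

def audit(display_set_text):
    """Return sorted findings; an empty list means the config matches the page."""
    seen, rekey, findings = {s: set() for s in EVALUATED}, {}, []
    for raw in display_set_text.splitlines():
        m = SET_LINE.match(raw.strip())
        if not m:
            continue  # not a "set system services ssh <stmt> <value>" line
        stmt, arg1, arg2 = m.groups()
        if stmt in EVALUATED:
            seen[stmt].add(arg1)
            if arg1 not in EVALUATED[stmt]:
                findings.append(f"not permitted: {stmt} {arg1}")
        elif stmt == "rekey" and arg1 in REKEY:
            rekey[arg1] = arg2
    for stmt, allowed in EVALUATED.items():
        findings += [f"missing: {stmt} {v}" for v in allowed - seen[stmt]]
    for limit, expected in REKEY.items():
        if rekey.get(limit) != expected:
            findings.append(f"rekey {limit}: found {rekey.get(limit)}, expected {expected}")
    return sorted(findings)

# Constructed sample: extra cipher 3des-cbc; hmac-sha2-512 and rekey data-limit absent.
SAMPLE = "\n".join("set system services ssh " + tail for tail in (
    "hostkey-algorithm ssh-ecdsa", "hostkey-algorithm no-ssh-dss",
    "hostkey-algorithm ssh-rsa", "key-exchange dh-group14-sha1",
    "key-exchange ecdh-sha2-nistp256", "key-exchange ecdh-sha2-nistp384",
    "key-exchange ecdh-sha2-nistp521", "macs hmac-sha1", "macs hmac-sha2-256",
    "ciphers aes128-cbc", "ciphers 3des-cbc", "ciphers aes256-cbc",
    "ciphers aes128-ctr", "ciphers aes256-ctr", "rekey time-limit 60",
))

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "configuration matches")
```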