Configuring Message Authentication

The SSH server and SSH client maintain separate lists of the message authentication algorithms that each supports. Lists are kept for inbound and outbound algorithms. For the server, inbound means the algorithms that the server supports for information coming in from a client. For the server, outbound means the algorithms that the server supports for information it sends out to a client. You must configure each list separately. By default, all of the supported encryption algorithms are available. You need to configure encryption only if you need to specifically remove or add any supported algorithm from the list. The system supports the following SSH algorithms for hash function-based message authentication:

• hmac-sha1—Uses Secure Hash Algorithm 1 (SHA-1) to create a 160-bit message digest from which it generates the MAC.
• hmac-sha1-96—Uses the first 96 bits of the SHA-1 message digest to generate the MAC.
• hmac-md5—Uses MD5 hashing to create a 128-bit message digest from which it generates the MAC.

Although it is not recommended, you can also specify none. In this case, the system does not verify the integrity of the data.

ip ssh mac

• Use to add a message authentication algorithm to the specified support list for the SSH server.

  Example 1—This example adds the hmac-md5 algorithm to the list of supported outbound algorithms.

  host1(config)#ip ssh mac server-to-client hmac-md5

• If you to not specify a direction (client-to-server or server-to-client), the command applies the algorithm to both inbound and outbound lists.
• The default version restores the specified list to the factory default, which includes all supported algorithms (hmac-md5, hmac-sha1, and hmac-sha1-96). The default list does not include the none option.
• Example 2—This example restores the hmac-sha1 algorithm to the list of supported inbound algorithms.

  host1(config)#ip ssh mac client-to-server default hmac-sha1

• Use the no version to remove or exclude an algorithm from the specified list.

  Example 3—This example removes the hmac-sha1 algorithm from the list of supported inbound algorithms.

  host1(config)#ip ssh mac client-to-server no hmac-sha1

• See ip ssh mac.

Copyright © 2008, Juniper Networks, Inc. All rights reserved. Trademark Notice.