Configure SSH en la configuración evaluada
SSH es una interfaz de administración remota permitida en la configuración evaluada. En este tema se describe cómo configurar SSH en el dispositivo.
Los siguientes algoritmos que deben configurarse para validar SSH para FIPS.
Para configurar SSH en el DUT:
-
Especifique los algoritmos de clave de host SSH permitidos para los servicios del sistema.
[edit] security-administrator@host:fips# set system services ssh hostkey-algorithm ssh-ecdsa security-administrator@host:fips# set system services ssh hostkey-algorithm no-ssh-dss security-administrator@host:fips# set system services ssh hostkey-algorithm ssh-rsa
-
Especifique el intercambio de claves SSH para las claves Diffie-Hellman para los servicios del sistema.
[edit] security-administrator@host:fips# set system services ssh key-exchange ecdh-sha2-nistp256 security-administrator@host:fips# set system services ssh key-exchange ecdh-sha2-nistp384 security-administrator@host:fips# set system services ssh key-exchange ecdh-sha2-nistp521
-
Especifique todos los algoritmos de código de autenticación de mensajes permitidos para SSHv2
[edit] security-administrator@host:fips# set system services ssh macs hmac-sha1 security-administrator@host:fips# set system services ssh macs hmac-sha2-256 security-administrator@host:fips# set system services ssh macs hmac-sha2-512
-
Especifique los cifrados permitidos para la versión 2 del protocolo.
[edit] security-administrator@host:fips# set system services ssh ciphers aes128-cbc security-administrator@host:fips# set system services ssh ciphers aes256-cbc security-administrator@host:fips# set system services ssh ciphers aes128-ctr security-administrator@host:fips# set system services ssh ciphers aes256-ctr
Algoritmo de clave de host SSH compatible:
ssh-ecdsa Allow generation of ECDSA host-key ssh-rsa Allow generation of RSA host-key
Algoritmo de intercambio de claves SSH compatible:
ecdh-sha2-nistp256 The EC Diffie-Hellman on nistp256 with SHA2-256 ecdh-sha2-nistp384 The EC Diffie-Hellman on nistp384 with SHA2-384 ecdh-sha2-nistp521 The EC Diffie-Hellman on nistp521 with SHA2-512
Algoritmo MAC compatible:
hmac-sha1 Hash-based MAC using Secure Hash Algorithm (SHA1) hmac-sha2-256 Hash-based MAC using Secure Hash Algorithm (SHA2) hmac-sha2-512 Hash-based MAC using Secure Hash Algorithm (SHA2)
Algoritmo de cifrado SSH compatible:
aes128-cbc 128-bit AES with Cipher Block Chaining aes128-ctr 128-bit AES with Counter Mode aes192-cbc 192-bit AES with Cipher Block Chaining aes192-ctr 192-bit AES with Counter Mode aes256-cbc 256-bit AES with Cipher Block Chaining aes256-ctr 256-bit AES with Counter Mode