Configuring SSH on the Evaluated Configuration
SSH is an allowed remote management interface in the evaluated configuration. This topic describes how to configure SSH on the device.
The following algorithms need to be configured to validate SSH for FIPS.
To configure SSH on the DUT:
To disable the SSH service, deactivate and commit the SSH configuration:
crypto-officer@host:fips# deactivate system services ssh
To disable the NETCONF service, deactivate and commit the NETCONF configuration:
crypto-officer@host:fips# deactivate system services netconf ssh
Supported SSH hostkey algorithms:
  rsa          Allow generation of RSA host-key
  ssh-ecdsa    Allow generation of ECDSA host-key
Supported SSH key-exchange algorithms:
  dh-group14-sha1       The RFC 4253 mandated group14 with SHA1 hash
  ecdh-sha2-nistp256    The EC Diffie-Hellman on nistp256 with SHA2-256
  ecdh-sha2-nistp384    The EC Diffie-Hellman on nistp384 with SHA2-384
  ecdh-sha2-nistp521    The EC Diffie-Hellman on nistp521 with SHA2-512
Supported MAC algorithms:
  hmac-sha1        Hash-based MAC using Secure Hash Algorithm (SHA1)
  hmac-sha2-256    Hash-based MAC using Secure Hash Algorithm (SHA2)
  hmac-sha2-512    Hash-based MAC using Secure Hash Algorithm (SHA2)
Supported SSH cipher algorithms:
  aes128-cbc    128-bit AES with Cipher Block Chaining
  aes128-ctr    128-bit AES with Counter Mode
  aes192-cbc    192-bit AES with Cipher Block Chaining
  aes192-ctr    192-bit AES with Counter Mode
  aes256-cbc    256-bit AES with Cipher Block Chaining
  aes256-ctr    256-bit AES with Counter Mode
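One way to confirm that a device offers only the algorithms listed above is to capture `ssh -vv` client debug output against it and audit the server's KEXINIT proposal. The following Python check is an added example, not part of the original documentation; the wire-protocol names it uses for the CLI keywords (for example diffie-hellman-group14-sha1 for dh-group14-sha1, ssh-rsa for rsa) are assumptions, and the debug excerpt is constructed.

```python
import re

# Wire-protocol names assumed to correspond to the CLI keywords listed above.
ALLOWED = {
    "KEX": {"diffie-hellman-group14-sha1", "ecdh-sha2-nistp256",
            "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"},
    "host": {"ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"},
    "ciphers": {"aes128-cbc", "aes128-ctr", "aes192-cbc",
                "aes192-ctr", "aes256-cbc", "aes256-ctr"},
    "MACs": {"hmac-sha1", "hmac-sha2-256", "hmac-sha2-512"},
}
# Extension markers OpenSSH appends to the KEX list; they are not key exchanges.
KEX_MARKERS = {"ext-info-s", "kex-strict-s-v00@openssh.com"}
PROPOSAL = re.compile(
    r"^debug2: (KEX|host|ciphers|MACs) (?:algorithms|key algorithms|[cs]to[cs]): (.*)$")

def audit(debug_output):
    """Return {category: sorted names} the server offers outside ALLOWED."""
    findings, in_server = {}, False
    for line in debug_output.splitlines():
        line = line.strip()
        if "KEXINIT proposal" in line:
            in_server = "peer server" in line  # skip the client's own proposal
            continue
        m = PROPOSAL.match(line)
        if not (in_server and m):
            continue
        offered = {n for n in m.group(2).split(",") if n} - KEX_MARKERS
        extra = offered - ALLOWED[m.group(1)]
        if extra:
            findings.setdefault(m.group(1), set()).update(extra)
    return {cat: sorted(names) for cat, names in findings.items()}

# Constructed `ssh -vv` excerpt (not captured from a real device).
SAMPLE = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,ecdh-sha2-nistp256,ext-info-c
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: ecdh-sha2-nistp256,diffie-hellman-group1-sha1,ext-info-s
debug2: host key algorithms: ecdsa-sha2-nistp256
debug2: ciphers ctos: aes128-ctr,3des-cbc
debug2: MACs ctos: hmac-sha2-256,hmac-md5
"""

if __name__ == "__main__":
    for category, names in audit(SAMPLE).items():
        print(f"{category}: outside evaluated list -> {', '.join(names)}")
```

An empty result means every algorithm in the server proposal is on the lists above; adjust ALLOWED if the device's wire names differ from the assumed ones.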
SSH uses the OpenSSL FIPS-approved algorithms when the FIPS configuration file is set to /etc/ssl/openssl-fips.cnf. Set the configuration file using the following command from the shell:
export OPENSSL_CONF=/etc/ssl/openssl-fips.cnf