Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Configuring SSH on the Evaluated Configuration for NDcPP

  1. Before the administrator begin, log in with the root account on the device running Junos OS Release 23.4R1 and edit the configuration.

Note:

The administrator can enter the configuration commands in any order and commit all the commands at once.
Note:

We recommend SFTP over SCP as a safer alternative. It offers enhanced security and is the preferred option of OpenSSH developers.

SSH through remote management interface allowed in the evaluated configuration. This topic describes how to configure SSH through remote management. The following algorithms that needs to be configured to validate SSH for NDcPP.

To configure SSH on the TOE:

  1. To enable SSH, use the below command:
    To disable SSH, use the below command:
  2. Specify the permissible SSH host-key algorithms for the system services.
    Note:

    Although the last hostkey algorithm option mentioned above only mentions rsa, it covers all the claimed rsa algorithms i.e. ssh-rsa, rsa-sha2-256, and rsa-sha2-512.
  3. Specify the SSH key-exchange for Elliptic Curve Diffie-Hellman keys for the system services.
  4. Specify all the permissible message authentication code algorithms for SSHv2
  5. Specify the ciphers allowed for protocol version 2.
  6. Specify the number of minutes or maximum amount of data, before a rekey is forced on a session.

    Time limit before renegotiating session keys is 1 through 1440 minutes.

    Data limit before renegotiating session keys is 51200 through 4294967295 byte.

The SSH2 protocol provides secure terminal sessions utilizing the secure encryption. The SSH2 protocol enforces running the key-exchange phase and changing the encryption and integrity keys for the session. Key exchange is done periodically, after specified seconds or after specified bytes of data have passed over the connection. The thresholds can be configured for SSH rekeying, FCS_SSH_EXT.1.8. The TSF ensures that within the SSH connections the same session keys are used for a threshold of no longer than one hour, and no more than one gigabyte of the transmitted data. When either of the thresholds are reached, a rekey must be performed.

Supported SSH hostkey algorithm:

Supported SSH key-exchange algorithm:

Supported MAC algorithm:

Supported SSH ciphers algorithm:

SSH users are authenticated by passwords or with public key as configured in the system login user hierarchy.

Related Documentation