Configure SSH on the Evaluated Configuration for NDcPPv2.2e
SSH through remote management interface allowed in the evaluated configuration. This topic describes how to configure SSH for remote management of TOE. The following algorithms that needs to be configured to validate SSH for NDcPPv2.2e.
To configure SSH on the TOE:
Specify the permissible SSH host-key algorithms for the system services.
[edit] security-administrator@host:fips# set system services ssh hostkey-algorithm ssh-ecdsa security-administrator@host:fips# set system services ssh hostkey-algorithm no-ssh-dss security-administrator@host:fips# set system services ssh hostkey-algorithm ssh-rsa security-administrator@host:fips# set system services ssh hostkey-algorithm no-ssh-ed25519
Specify the SSH key-exchange for Diffie-Hellman keys for the system services.
[edit] security-administrator@host:fips# set system services ssh key-exchange ecdh-sha2-nistp256 security-administrator@host:fips# set system services ssh key-exchange ecdh-sha2-nistp384 security-administrator@host:fips# set system services ssh key-exchange ecdh-sha2-nistp521
Specify all the permissible message authentication code algorithms for SSHv2
[edit] security-administrator@host:fips# set system services ssh macs hmac-sha1 security-administrator@host:fips# set system services ssh macs hmac-sha2-256 security-administrator@host:fips# set system services ssh macs hmac-sha2-512
Specify the ciphers allowed for protocol version 2.
[edit] security-administrator@host:fips# set system services ssh ciphers aes128-cbc security-administrator@host:fips# set system services ssh ciphers aes256-cbc security-administrator@host:fips# set system services ssh ciphers aes128-ctr security-administrator@host:fips# set system services ssh ciphers aes256-ctr
-
Commit the changes:
[edit] security-administrator@host:fips# commit
To disable SSH service, you can deactivate and commit the SSH configurations:
security-administrator@host:fips# deactivate system services ssh
To disable Netconf service, you can deactivate and commit the netconf configurations:
security-administrator@host:fips# deactivate system services netconf ssh
Supported SSH hostkey algorithm:
ssh-ecdsa Allow generation of ECDSA host-key ssh-rsa Allow generation of RSA host-key
Supported SSH key-exchange algorithm:
ecdh-sha2-nistp256 The EC Diffie-Hellman on nistp256 with SHA2-256 ecdh-sha2-nistp384 The EC Diffie-Hellman on nistp384 with SHA2-384 ecdh-sha2-nistp521 The EC Diffie-Hellman on nistp521 with SHA2-512
Supported MACs algorithm:
hmac-sha1 Hash-based MAC using Secure Hash Algorithm (SHA1) hmac-sha2-256 Hash-based MAC using Secure Hash Algorithm (SHA2) hmac-sha2-512 Hash-based MAC using Secure Hash Algorithm (SHA2)
Supported SSH ciphers algorithm:
aes128-cbc 128-bit AES with Cipher Block Chaining aes128-ctr 128-bit AES with Counter Mode aes256-cbc 256-bit AES with Cipher Block Chaining aes256-ctr 256-bit AES with Counter Mode