SSH is an allowed remote management interface in the evaluated configuration. This
topic describes how to configure SSH on the device.
To configure SSH on the device:
- Specify the permissible SSH host-key algorithms for the system services.
[edit]
security-administrator@host:fips# set system services ssh hostkey-algorithm-list ecdsa-sha2-nistp256
security-administrator@host:fips# set system services ssh hostkey-algorithm-list ecdsa-sha2-nistp384
security-administrator@host:fips# set system services ssh hostkey-algorithm-list ecdsa-sha2-nistp521
security-administrator@host:fips# set system services ssh hostkey-algorithm-list rsa
Note:
Although the last host-key option above names only RSA, it covers all of the
claimed RSA algorithms, that is ssh-rsa, rsa-sha2-256, and rsa-sha2-512.
- Specify the permissible SSH key-exchange algorithms (elliptic-curve Diffie-Hellman)
for the system services.
[edit]
security-administrator@host:fips# set system services ssh key-exchange ecdh-sha2-nistp256
security-administrator@host:fips# set system services ssh key-exchange ecdh-sha2-nistp384
security-administrator@host:fips# set system services ssh key-exchange ecdh-sha2-nistp521
- Specify all the permissible message authentication code (MAC) algorithms for SSHv2.
[edit]
security-administrator@host:fips# set system services ssh macs hmac-sha2-256
security-administrator@host:fips# set system services ssh macs hmac-sha2-512
- Specify the ciphers allowed for protocol version 2.
[edit]
security-administrator@host:fips# set system services ssh ciphers aes128-cbc
security-administrator@host:fips# set system services ssh ciphers aes256-cbc
security-administrator@host:fips# set system services ssh ciphers aes128-ctr
security-administrator@host:fips# set system services ssh ciphers aes256-ctr
- Commit the changes:
[edit]
security-administrator@host:fips# commit
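After the commit, the effect of these statements is visible on the wire: the device's SSH_MSG_KEXINIT must advertise only the algorithms configured above. The following script is an added example written for this page, not Juniper code; it parses a KEXINIT payload (RFC 4253 section 7.1), compares every advertised list against the evaluated-configuration allow-lists, and can fetch the real KEXINIT from a device (hostname and port are assumed; pass them on the command line). Note that "rsa" in the Junos hostkey-algorithm-list expands to ssh-rsa, rsa-sha2-256 and rsa-sha2-512, so those three names are what the allow-list contains. The sample KEXINIT embedded in the script is constructed to show what a non-compliant server looks like.

```python
"""Audit a server's SSH_MSG_KEXINIT against the evaluated-configuration allow-lists."""
import socket
import struct

# Allow-lists taken from the configuration steps above. The Junos "rsa"
# host-key option covers ssh-rsa, rsa-sha2-256 and rsa-sha2-512.
ALLOWED = {
    "kex": {"ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"},
    "hostkey": {"ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
                "ssh-rsa", "rsa-sha2-256", "rsa-sha2-512"},
    "cipher": {"aes128-cbc", "aes256-cbc", "aes128-ctr", "aes256-ctr"},
    "mac": {"hmac-sha2-256", "hmac-sha2-512"},
}

SSH_MSG_KEXINIT = 20
# The ten name-lists of KEXINIT, in wire order (RFC 4253 section 7.1).
KEXINIT_FIELDS = ("kex", "hostkey", "cipher_c2s", "cipher_s2c",
                  "mac_c2s", "mac_s2c", "comp_c2s", "comp_s2c",
                  "lang_c2s", "lang_s2c")


def parse_kexinit(payload: bytes) -> dict:
    """Parse a KEXINIT payload: message id, 16-byte cookie, ten name-lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 1 + 16  # skip the message id and the random cookie
    lists = {}
    for name in KEXINIT_FIELDS:
        (length,) = struct.unpack(">I", payload[off:off + 4])
        off += 4
        raw = payload[off:off + length].decode("ascii")
        off += length
        lists[name] = [alg for alg in raw.split(",") if alg]
    return lists


def build_kexinit(lists: dict) -> bytes:
    """Serialize name-lists into a KEXINIT payload (used to construct samples)."""
    out = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16  # all-zero cookie: sample only
    for name in KEXINIT_FIELDS:
        raw = ",".join(lists.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(raw)) + raw
    return out + b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows, reserved


def check_kexinit(lists: dict) -> dict:
    """Return {category: [advertised algorithms outside the allow-list]}.

    An empty dict means every advertised algorithm is in the evaluated set.
    """
    offered = {
        "kex": lists["kex"],
        "hostkey": lists["hostkey"],
        "cipher": lists["cipher_c2s"] + lists["cipher_s2c"],
        "mac": lists["mac_c2s"] + lists["mac_s2c"],
    }
    violations = {}
    for category, algs in offered.items():
        bad = sorted(set(algs) - ALLOWED[category])
        if bad:
            violations[category] = bad
    return violations


def fetch_server_kexinit(host: str, port: int = 22, timeout: float = 5.0) -> bytes:
    """Exchange version strings with a live server and return its first packet payload.

    Before key exchange there is no encryption or MAC, so the binary packet is
    just uint32 packet_length, byte padding_length, payload, padding.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-kexaudit_0.1\r\n")
        stream = sock.makefile("rb")
        while True:  # servers may send banner lines before the version string
            line = stream.readline()
            if not line:
                raise ConnectionError("no SSH version string received")
            if line.startswith(b"SSH-"):
                break
        (packet_length,) = struct.unpack(">I", stream.read(4))
        padding_length = stream.read(1)[0]
        payload = stream.read(packet_length - padding_length - 1)
        stream.read(padding_length)
        return payload


# Constructed sample: a server that still offers a SHA-1 KEX, an Ed25519 host
# key, ChaCha20-Poly1305 and an MD5 MAC alongside the evaluated algorithms.
SAMPLE_NONCOMPLIANT = build_kexinit({
    "kex": ["ecdh-sha2-nistp256", "diffie-hellman-group14-sha1"],
    "hostkey": ["ecdsa-sha2-nistp256", "rsa-sha2-256", "ssh-ed25519"],
    "cipher_c2s": ["aes256-ctr", "chacha20-poly1305@openssh.com"],
    "cipher_s2c": ["aes256-ctr", "chacha20-poly1305@openssh.com"],
    "mac_c2s": ["hmac-sha2-256", "hmac-md5"],
    "mac_s2c": ["hmac-sha2-256", "hmac-md5"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
})

if __name__ == "__main__":
    import sys
    # Hypothetical usage: python kexaudit.py <device-hostname> [port]
    if len(sys.argv) > 1:
        payload = fetch_server_kexinit(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 22)
    else:
        payload = SAMPLE_NONCOMPLIANT
    problems = check_kexinit(parse_kexinit(payload))
    print("compliant with evaluated configuration" if not problems else f"non-compliant: {problems}")
```

Run against the device after the commit; any non-empty category means a statement above did not take effect or an extra algorithm is still configured. The check reads only the server's advertisement and never completes key exchange, so it does not need credentials and does not create an audited login on the device.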
Note:
To disable the SSH service, deactivate the SSH configuration and commit:
security-administrator@host:fips# deactivate system services ssh
Note:
To disable the NETCONF-over-SSH service, deactivate the NETCONF configuration and commit:
security-administrator@host:fips# deactivate system services netconf ssh
Supported SSH host-key algorithms:
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
rsa (covers ssh-rsa, rsa-sha2-256, and rsa-sha2-512)
Supported SSH key-exchange algorithms:
ecdh-sha2-nistp256 EC Diffie-Hellman on nistp256 with SHA2-256
ecdh-sha2-nistp384 EC Diffie-Hellman on nistp384 with SHA2-384
ecdh-sha2-nistp521 EC Diffie-Hellman on nistp521 with SHA2-512
Supported MAC algorithms:
hmac-sha2-256 Hash-based MAC using SHA2-256
hmac-sha2-512 Hash-based MAC using SHA2-512
Supported SSH cipher algorithms:
aes128-cbc 128-bit AES in Cipher Block Chaining mode
aes128-ctr 128-bit AES in Counter mode
aes256-cbc 256-bit AES in Cipher Block Chaining mode
aes256-ctr 256-bit AES in Counter mode
Note:
Integrity algorithms supported for the NDcPPv3.0e are hmac-sha2-256 (RFC 6668)
and hmac-sha2-512 (RFC 6668).
Note:
Key establishment algorithms supported for the NDcPPv3.0e are ecdh-sha2-nistp256
(RFC 5656), ecdh-sha2-nistp384 (RFC 5656), and ecdh-sha2-nistp521 (RFC
5656).