Configure SSH on the Evaluated Configuration
This topic describes how to configure SSH for remote management of the TOE. The following host-key, key-exchange, MAC, and cipher algorithms must be configured for SSH to be in the evaluated configuration; any algorithm not listed here must not be enabled.
To configure SSH on the TOE:
Specify the permissible SSH host-key algorithms for the system services.
[edit]
security-administrator@host:fips# set system services ssh hostkey-algorithm-list rsa
security-administrator@host:fips# set system services ssh hostkey-algorithm-list ecdsa-sha2-nistp256
security-administrator@host:fips# set system services ssh hostkey-algorithm-list ecdsa-sha2-nistp384
security-administrator@host:fips# set system services ssh hostkey-algorithm-list ecdsa-sha2-nistp521
Note that configuring rsa enables ssh-rsa, rsa-sha2-256, and rsa-sha2-512.
Specify the Elliptic Curve Diffie-Hellman key-exchange algorithms for the system services.
[edit]
security-administrator@host:fips# set system services ssh key-exchange ecdh-sha2-nistp256
security-administrator@host:fips# set system services ssh key-exchange ecdh-sha2-nistp384
security-administrator@host:fips# set system services ssh key-exchange ecdh-sha2-nistp521
Specify all the permissible message authentication code (MAC) algorithms for SSHv2.
[edit]
security-administrator@host:fips# set system services ssh macs hmac-sha2-256
security-administrator@host:fips# set system services ssh macs hmac-sha2-512
Specify the ciphers allowed for protocol version 2.
[edit]
security-administrator@host:fips# set system services ssh ciphers aes128-ctr
security-administrator@host:fips# set system services ssh ciphers aes256-ctr
Commit the changes:
[edit]
security-administrator@host:fips# commit
Supported SSH host-key algorithms:
rsa                   Allow generation of ssh-rsa, rsa-sha2-256, and rsa-sha2-512 host keys
ecdsa-sha2-nistp256   Allow generation of ecdsa-sha2-nistp256 host key
ecdsa-sha2-nistp384   Allow generation of ecdsa-sha2-nistp384 host key
ecdsa-sha2-nistp521   Allow generation of ecdsa-sha2-nistp521 host key
Supported SSH key-exchange algorithms (these are the key-exchange values configured above, not host-key algorithms):
ecdh-sha2-nistp256    Elliptic Curve Diffie-Hellman key exchange with NIST P-256 curve
ecdh-sha2-nistp384    Elliptic Curve Diffie-Hellman key exchange with NIST P-384 curve
ecdh-sha2-nistp521    Elliptic Curve Diffie-Hellman key exchange with NIST P-521 curve
Supported MAC algorithms:
hmac-sha2-256         Hash-based MAC using Secure Hash Algorithm (SHA2), 256-bit
hmac-sha2-512         Hash-based MAC using Secure Hash Algorithm (SHA2), 512-bit
Supported SSH cipher algorithms:
aes128-ctr            128-bit AES in Counter Mode
aes256-ctr            256-bit AES in Counter Mode
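The evaluated configuration is an exact allow-list: a leftover hmac-sha1 or CBC cipher is still offered to clients even when every required algorithm is present. The following Python script is an added example for this topic, not Juniper tooling; it checks the output of show configuration system services ssh | display set against the four algorithm lists above and emits the set and delete commands needed to bring the stanza into line. It assumes only the knob names shown on this page (hostkey-algorithm-list, key-exchange, macs, ciphers) and the 'display set' line format; the sample stanza inside it is constructed for illustration.

```python
"""Offline check of a Junos 'set'-format SSH stanza against the algorithm lists on this page.

Added example for this topic, not Juniper tooling. It assumes only the knob names shown
on the page under 'set system services ssh' (hostkey-algorithm-list, key-exchange, macs,
ciphers) and the 'display set' output style; the sample configuration below is constructed.
"""
import re
from collections import defaultdict

# The evaluated-configuration allow-lists from this page, keyed by knob.
REQUIRED = {
    "hostkey-algorithm-list": {"rsa", "ecdsa-sha2-nistp256",
                               "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"},
    "key-exchange": {"ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"},
    "macs": {"hmac-sha2-256", "hmac-sha2-512"},
    "ciphers": {"aes128-ctr", "aes256-ctr"},
}

# Wire-level host-key algorithm names each knob value admits (the page notes that
# configuring 'rsa' enables all three RSA signature algorithms).
HOSTKEY_EXPANSION = {
    "rsa": ("ssh-rsa", "rsa-sha2-256", "rsa-sha2-512"),
    "ecdsa-sha2-nistp256": ("ecdsa-sha2-nistp256",),
    "ecdsa-sha2-nistp384": ("ecdsa-sha2-nistp384",),
    "ecdsa-sha2-nistp521": ("ecdsa-sha2-nistp521",),
}

SET_LINE = re.compile(
    r"^set system services ssh (hostkey-algorithm-list|key-exchange|macs|ciphers) (\S+)$"
)


def parse_ssh_set_config(text):
    """Collect {knob: {values}} from 'set system services ssh ...' lines; other lines are ignored."""
    found = defaultdict(set)
    for raw in text.splitlines():
        match = SET_LINE.match(raw.strip())
        if match:
            found[match.group(1)].add(match.group(2))
    return dict(found)


def check_evaluated_config(text):
    """Return {knob: {"missing": set, "extra": set}} for every knob that deviates.

    'extra' is the security-relevant half: any algorithm beyond the allow-list
    (e.g. hmac-sha1 or a CBC cipher) is still negotiable and breaks the evaluated
    configuration. An empty dict means the stanza matches the page exactly.
    """
    found = parse_ssh_set_config(text)
    findings = {}
    for knob, required in REQUIRED.items():
        have = found.get(knob, set())
        missing, extra = required - have, have - required
        if missing or extra:
            findings[knob] = {"missing": missing, "extra": extra}
    return findings


def remediation_commands(findings):
    """Junos CLI lines that fix the deviations: delete extras, set missing values."""
    commands = []
    for knob in sorted(findings):
        for value in sorted(findings[knob]["extra"]):
            commands.append(f"delete system services ssh {knob} {value}")
        for value in sorted(findings[knob]["missing"]):
            commands.append(f"set system services ssh {knob} {value}")
    return commands


def effective_hostkey_algorithms(text):
    """Host-key algorithm names the server will advertise, after expanding 'rsa'."""
    configured = parse_ssh_set_config(text).get("hostkey-algorithm-list", set())
    names = set()
    for value in configured:
        names.update(HOSTKEY_EXPANSION.get(value, (value,)))
    return sorted(names)


# Constructed sample: partially hardened, still offers hmac-sha1 and a CBC cipher,
# and is missing the P-521 key exchange.
SAMPLE_CONFIG = """\
set system services ssh root-login deny
set system services ssh hostkey-algorithm-list rsa
set system services ssh hostkey-algorithm-list ecdsa-sha2-nistp256
set system services ssh hostkey-algorithm-list ecdsa-sha2-nistp384
set system services ssh hostkey-algorithm-list ecdsa-sha2-nistp521
set system services ssh key-exchange ecdh-sha2-nistp256
set system services ssh key-exchange ecdh-sha2-nistp384
set system services ssh macs hmac-sha2-256
set system services ssh macs hmac-sha2-512
set system services ssh macs hmac-sha1
set system services ssh ciphers aes128-ctr
set system services ssh ciphers aes256-ctr
set system services ssh ciphers aes128-cbc
"""

if __name__ == "__main__":
    result = check_evaluated_config(SAMPLE_CONFIG)
    for knob, delta in result.items():
        print(f"{knob}: missing={sorted(delta['missing'])} extra={sorted(delta['extra'])}")
    print("\n".join(remediation_commands(result)))
    print("advertised host-key algorithms:", effective_hostkey_algorithms(SAMPLE_CONFIG))
```

Paste the real `| display set` output in place of the constructed sample; the emitted delete and set lines can be loaded at the [edit] prompt before the commit, and re-running the check on the new output should return no findings.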