Advanced: SSH Configuration

Use Security > Advanced > SSH Configuration to configure ciphers, key exchange algorithms, and HMACs. In the System Manager portal you can upload public keys and enable or disable public key authentication and password authentication. By default, both the Public Key Authentication and Password Authentication options are enabled, and SSH configurations are applied to both the SSH client and the SSH server. Configurations persist after a Backup and Restore procedure is completed.

When public key authentication is enabled, it is attempted first. A valid public key for an authorized administrator account must be uploaded. Otherwise, password authentication is used.

NOTE: Public key authentication is specified by the administrator and is valid only for the user who uploads the key. For example, if <admin> is the user uploading the key, then ssh to admin@<ip> will be successful.

The default (non-FIPS) SSH, FIPS SSH, and CC (Common Criteria) SSH configurations have different sets of cipher, key exchange algorithm, and HMAC options, as described in Default SSH configuration, FIPS SSH configuration, and CC SSH configurations.

Default SSH configuration

The following table lists the available options for the default SSH configuration:

Table 1. Default SSH configuration options

| Configuration | Available | Selected |
| --- | --- | --- |
| Cipher | aes256-cbc, aes128-cbc, chacha20-poly1305 | aes256-gcm, aes128-gcm, aes256-ctr, aes128-ctr |
| Key Exchange Algorithms | ecdh-sha2-nistp521, ecdh-sha2-nistp384, ecdh-sha2-nistp256, curve25519-sha256 | diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1 |
| HMAC | | hmac-sha2-512, hmac-sha2-256, hmac-sha1 |

FIPS SSH configuration

The following table lists the available options for the default FIPS SSH configuration:

Table 2. FIPS SSH configuration options

| Configuration | Available | Selected |
| --- | --- | --- |
| Cipher | | aes256-gcm, aes128-gcm, aes256-ctr, aes128-ctr |
| Key Exchange Algorithms | | diffie-hellman-group-exchange-sha256 |
| HMAC | | hmac-sha2-512, hmac-sha2-256 |

CC SSH configurations

The following table lists the available options for the default Common Criteria (CC) SSH configuration:

Table 3. CC SSH configuration options

| Configuration | Available | Selected |
| --- | --- | --- |
| Cipher | aes256-gcm, aes128-gcm, aes256-ctr, aes128-ctr | aes256-cbc, aes128-cbc |
| Key Exchange Algorithms | diffie-hellman-group-exchange-sha256 | diffie-hellman-group14-sha1 |
| HMAC | | hmac-sha2-512, hmac-sha2-256, hmac-sha1 |
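
One way to verify that a running server matches the profile you selected is to compare what it actually offers against the Selected columns of Tables 1 to 3. The following is an added example, not part of the product or its documentation. It assumes the offer was captured with an OpenSSH client (`ssh -vv`) and that OpenSSH's `@openssh.com`-suffixed names correspond to the short names in the tables; the function names and the sample capture are constructed for illustration.

```python
# "Selected" columns of the three tables on this page.
AES = {"aes256-gcm", "aes128-gcm", "aes256-ctr", "aes128-ctr"}
GEX256 = "diffie-hellman-group-exchange-sha256"
PROFILES = {
    "default": {"cipher": AES,
                "kex": {GEX256, "diffie-hellman-group-exchange-sha1",
                        "diffie-hellman-group14-sha1"},
                "mac": {"hmac-sha2-512", "hmac-sha2-256", "hmac-sha1"}},
    "fips": {"cipher": AES, "kex": {GEX256},
             "mac": {"hmac-sha2-512", "hmac-sha2-256"}},
    "cc": {"cipher": {"aes256-cbc", "aes128-cbc"},
           "kex": {"diffie-hellman-group14-sha1"},
           "mac": {"hmac-sha2-512", "hmac-sha2-256", "hmac-sha1"}},
}
# Assumption: labels used by OpenSSH `ssh -vv` for the KEXINIT proposal lines.
LABELS = {"KEX algorithms": "kex", "ciphers stoc": "cipher", "MACs stoc": "mac"}

def parse_server_offer(debug_text):
    # Collect only the server's proposal; the client's own list is skipped.
    offer, in_server = {}, False
    for line in debug_text.splitlines():
        line = line.split("debug2: ", 1)[-1].strip()
        if line.endswith("KEXINIT proposal"):
            in_server = line.startswith("peer server")
            continue
        label, _, value = line.partition(": ")
        if in_server and label in LABELS:
            # Drop vendor suffixes and protocol-extension markers.
            names = {n.split("@")[0] for n in value.split(",")}
            offer[LABELS[label]] = {
                n for n in names if not n.startswith(("kex-strict-", "ext-info-"))}
    return offer

def audit(debug_text, profile):
    # Per algorithm type: offered but not in the profile, and the reverse.
    offer = parse_server_offer(debug_text)
    return {kind: {"unexpected": sorted(offer.get(kind, set()) - allowed),
                   "missing": sorted(allowed - offer.get(kind, set()))}
            for kind, allowed in PROFILES[profile].items()}

# Constructed sample: a FIPS-profile server that still offers hmac-sha1.
SAMPLE = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,diffie-hellman-group-exchange-sha256
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes256-ctr
debug2: MACs stoc: hmac-sha2-256
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha256,kex-strict-s-v00@openssh.com
debug2: ciphers stoc: aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
debug2: MACs stoc: hmac-sha2-512,hmac-sha2-256,hmac-sha1
"""
```

Calling `audit(SAMPLE, "fips")` reports `hmac-sha1` as unexpected for the MAC type, which is the kind of drift to look for after a profile change or a Backup and Restore.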