Advanced: SSH Configuration

Use Security > Advanced > SSH Configuration to configure ciphers, key exchange algorithms, and HMACs. The System Manager portal allows you to upload public keys and then enable or disable public key and password authentication. By default, both the Public Key Authentication and Password Authentication options are enabled, and SSH configurations are applied to both the SSH client and server. Configurations persist after a Backup and Restore procedure is completed.

When enabled, SSH public key authentication is attempted first. A valid public key for an authorized administrator account must be uploaded. Otherwise, password authentication is used.

Public key authentication is specified by the administrator and is valid only for the user who uploads the key. For example, if <admin> is the user uploading the key, then ssh to admin@<ip> will be successful.

The default (non-FIPS) SSH, FIPS SSH, and CC (Common Criteria) SSH configurations have different sets of ciphers, key exchange algorithms, and hash-based message authentication code (HMAC) options, as described in Default SSH configuration, FIPS SSH configuration, and CC SSH configurations.

You cannot ssh to a cluster; you must instead ssh to a specific instance.

Default SSH configuration

The following table lists the available options for the default SSH configuration:

Table 35. Default SSH configuration options

Columns: Configuration, Available, Selected

Key Exchange Algorithms

  • ecdh-sha2-nistp256
  • [email protected]
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp521
  • diffie-hellman-group-exchange-sha256

Cipher

HMAC

  Available: (empty)
  Selected:
  • hmac-sha2-512
  • hmac-sha2-256

FIPS SSH configuration

The following table lists the available options for the default FIPS SSH configuration:

Table 36. FIPS SSH configuration options

Columns: Configuration, Available, Selected

Cipher

  Available: (empty)
  Selected:
  • aes256-gcm
  • aes128-gcm
  • aes256-ctr
  • aes128-ctr

Key Exchange Algorithms

  Available: (empty)
  Selected:
  • diffie-hellman-group-exchange-sha256

HMAC

  Available: (empty)
  Selected:
  • hmac-sha2-512
  • hmac-sha2-256
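
One way to confirm from a client that a server in FIPS mode offers only the Selected algorithms in Table 36, as an added example that is not part of the product documentation: it parses `ssh -vv` debug output and reports anything offered outside that set. The sample output is constructed, and treating the page's aes*-gcm labels as OpenSSH's aes*-gcm@openssh.com wire names is an assumption.

```python
import re

# "Selected" column of Table 36 (FIPS SSH configuration), as listed on this page.
FIPS_SELECTED = {
    "kex": {"diffie-hellman-group-exchange-sha256"},
    "cipher": {"aes256-gcm", "aes128-gcm", "aes256-ctr", "aes128-ctr"},
    "mac": {"hmac-sha2-512", "hmac-sha2-256"},
}
# KEXINIT entries that are protocol markers, not key exchange algorithms.
KEX_MARKERS = {"ext-info-s", "kex-strict-s-v00@openssh.com"}
# debug2 labels printed by `ssh -vv`, mapped to the profile keys above.
LABELS = {"KEX algorithms": "kex", "ciphers ctos": "cipher", "ciphers stoc": "cipher",
          "MACs ctos": "mac", "MACs stoc": "mac"}

def server_proposal(debug_text):
    """Collect the algorithms the server offered, from `ssh -vv` debug output."""
    offered = {"kex": set(), "cipher": set(), "mac": set()}
    in_peer = False
    for line in debug_text.splitlines():
        if "KEXINIT proposal" in line:
            in_peer = "peer server" in line  # ignore the client's own proposal
            continue
        m = re.match(r"debug2: ([\w ]+): (\S+)$", line.strip())
        if in_peer and m and m.group(1) in LABELS:
            offered[LABELS[m.group(1)]].update(m.group(2).split(","))
    offered["kex"] -= KEX_MARKERS
    return offered

def audit(debug_text, profile=FIPS_SELECTED):
    """Return {category: algorithms the server offers that the profile lacks}."""
    findings = {}
    for cat, names in server_proposal(debug_text).items():
        # Assumption: the page's "aes256-gcm" is OpenSSH's "aes256-gcm@openssh.com".
        normalized = {re.sub(r"@openssh\.com$", "", n) for n in names}
        extra = sorted(normalized - profile[cat])
        if extra:
            findings[cat] = extra
    return findings

# Constructed sample: trimmed `ssh -vv` output from a server offering extras.
SAMPLE = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,ext-info-c
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,kex-strict-s-v00@openssh.com
debug2: ciphers stoc: aes256-gcm@openssh.com,aes128-ctr,aes128-cbc
debug2: MACs stoc: hmac-sha2-512,hmac-sha2-256
"""
```

Feed `audit()` the stderr of `ssh -vv <user>@<ip>`; an empty result means the server offered nothing outside the Selected column.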

CC SSH configurations

The following table lists the available options for the default Common Criteria (CC) SSH configuration:

Table 37. CC SSH configuration options

Columns: Configuration, Available, Selected

Cipher

  • aes256-gcm
  • aes128-gcm
  • aes256-ctr
  • aes128-ctr
  • aes256-cbc
  • aes128-cbc

Key Exchange Algorithms

  Available:
  • diffie-hellman-group-exchange-sha256
  Selected:
  • diffie-hellman-group-exchange-sha256

HMAC

  Available: (empty)
  Selected:
  • hmac-sha2-512
  • hmac-sha2-256