Configuring Supported SSH Ciphers, MACs, and KexAlgorithms

Important:

  • On Scalable Platforms (ElasticXL, Maestro, and Chassis), you must run the applicable commands in Gaia gClish of the applicable Security Group.

  • After you add, configure, or delete features, run the "save config" command to save the settings permanently. Scalable Platforms save the changes automatically.

Background

You can configure different settings for the SSH daemon on the Gaia Operating System.

You can configure these SSH settings in Gaia Clish:

Setting

Description

SSH Ciphers

SSH uses ciphers for privacy of data it sends over an SSH connection.

SSH Message Authentication Codes

SSH uses Message Authentication Codes to maintain the integrity of each message it sends over and SSH connection. This provides integrity between SSH peers.

SSH Key Exchange Algorithms

SSH uses Key Exchange Algorithms to exchange a shared session key securely with an SSH peer.

SSH Client Alive Interval

In SSHv2, this is a timeout interval (in seconds), after which if no data is received from an SSH client, the sshd daemon sends a message through the encrypted channel to request a response from the client.

This controls the "ClientAliveInterval" parameter for the sshd daemon.

By default, this feature is disabled (the default value is 0).

See https://man7.org/linux/man-pages/man5/sshd_config.5.html.

SSH Password Authentication

Specifies whether password authentication is allowed.

This controls the "PasswordAuthentication" parameter for the sshd daemon.

By default, this feature is enabled (the default value is "yes").

See https://man7.org/linux/man-pages/man5/sshd_config.5.html.

SSH Permit Root Login

Specifies whether the root user can log in over SSH.

This controls the "PermitRootLogin" parameter for the sshd daemon.

By default, this feature is enabled (the default value is "yes").

See https://man7.org/linux/man-pages/man5/sshd_config.5.html.

SSH DNS Usage

Specifies whether the sshd daemon needs to look up the remote hostname and make sure the resolved hostname for the remote IP address maps back to the same IP address.

This controls the "UseDNS" parameter for the sshd daemon.

By default, this feature is disabled (the default value is "no").

See https://man7.org/linux/man-pages/man5/sshd_config.5.html.

set ssh server

      cipher <Cipher>{on | off}

      client-alive-interval 0-65535

      kex <Key Exchange Algorithm> {on | off}

      mac <Message Authentication Code> {on | off}

      password-authentication {yes | no}

      permit-root-login {yes | no | without-password | prohibit-password | forced-commands-only}

      use-dns {yes | no}

show ssh server

      cipher enabled

      cipher supported

      client-alive-interval

      kex enabled

      kex supported

      mac enabled

      mac supported

      password-authentication

      permit-root-login

      use-dns

  • To view the supported SSH Ciphers:

    show ssh server cipher supported

    These are the supported SSH Ciphers:

    • 3des-cbc

    • aes128-cbc

    • aes128-ctr

    • aes128-gcm@openssh.com

    • aes192-cbc

    • aes192-ctr

    • aes256-cbc

    • aes256-ctr

    • aes256-gcm@openssh.com

    • chacha20-poly1305@openssh.com

    • rijndael-cbc@lysator.liu.se

  • To view the enabled SSH Ciphers:

    show ssh server cipher enabled

    These are the SSH Ciphers that are enabled by default:

    • aes128-ctr

    • aes128-gcm@openssh.com

    • aes192-ctr

    • aes256-ctr

    • aes256-gcm@openssh.com

    • chacha20-poly1305@openssh.com

  • To enable or disable the supported SSH Ciphers:

    set ssh server cipher <Cipher> {on | off}

    Important - After you add, configure, or delete features, run the "save config" command to save the settings permanently. Scalable Platforms save the changes automatically.

  • To view the supported SSH Key Exchange Algorithms:

    show ssh server kex supported

    These are the supported SSH Key Exchange Algorithms:

    • curve25519-sha256

    • curve25519-sha256@libssh.org

    • diffie-hellman-group1-sha1

    • diffie-hellman-group14-sha1

    • diffie-hellman-group14-sha256

    • diffie-hellman-group16-sha512

    • diffie-hellman-group18-sha512

    • diffie-hellman-group-exchange-sha1

    • diffie-hellman-group-exchange-sha256

    • ecdh-sha2-nistp256

    • ecdh-sha2-nistp384

    • ecdh-sha2-nistp521

  • To view the enabled SSH Key Exchange Algorithms:

    show ssh server kex enabled

    These are the SSH Key Exchange Algorithms that are enabled by default:

    • curve25519-sha256

    • curve25519-sha256@libssh.org

    • diffie-hellman-group14-sha1

    • diffie-hellman-group14-sha256

    • diffie-hellman-group16-sha512

    • diffie-hellman-group18-sha512

    • diffie-hellman-group-exchange-sha256

    • ecdh-sha2-nistp256

    • ecdh-sha2-nistp384

    • ecdh-sha2-nistp521

  • To enable or disable the supported SSH Key Exchange Algorithms:

    set ssh server kex <Key Exchange Algorithm> {on | off}

    Important - After you add, configure, or delete features, run the "save config" command to save the settings permanently. Scalable Platforms save the changes automatically.

  • To view the supported SSH Message Authentication Codes:

    show ssh server mac supported

    These are the supported SSH Message Authentication Codes:

    • hmac-md5-96-etm@openssh.com

    • hmac-md5-etm@openssh.com

    • hmac-sha1

    • hmac-sha1-96-etm@openssh.com

    • hmac-sha1-etm@openssh.com

    • hmac-sha2-256

    • hmac-sha2-256-etm@openssh.com

    • hmac-sha2-512

    • hmac-sha2-512-etm@openssh.com

    • umac-64-etm@openssh.com

    • umac-64@openssh.com

    • umac-128-etm@openssh.com

    • umac-128@openssh.com

  • To view the enabled SSH Message Authentication Codes:

    show ssh server mac enabled

    These are the SSH Message Authentication Codes that are enabled by default:

    • hmac-sha1

    • hmac-sha1-etm@openssh.com

    • hmac-sha2-256

    • hmac-sha2-256-etm@openssh.com

    • hmac-sha2-512

    • hmac-sha2-512-etm@openssh.com

    • umac-64-etm@openssh.com

    • umac-64@openssh.com

    • umac-128-etm@openssh.com

    • umac-128@openssh.com

  • To enable or disable the supported SSH Message Authentication Codes:

    set ssh server mac <Message Authentication Code> {on | off}

    Important - After you add, configure, or delete features, run the "save config" command to save the settings permanently. Scalable Platforms save the changes automatically.

  • To view the current interval:

    show ssh server client-alive-interval

  • To configure the required interval (in seconds):

    set ssh server client-alive-interval 0-65535

    Important - After you add, configure, or delete features, run the "save config" command to save the settings permanently. Scalable Platforms save the changes automatically.

  • To view the current permission:

    show ssh server password-authentication

  • To configure the required permission:

    set ssh server password-authentication {yes | no}

    Important - After you add, configure, or delete features, run the "save config" command to save the settings permanently. Scalable Platforms save the changes automatically.

  • To view the current permission:

    show ssh server permit-root-login

  • To configure the required permission:

    set ssh server permit-root-login {yes | no | without-password | prohibit-password | forced-commands-only}

    Important - After you add, configure, or delete features, run the "save config" command to save the settings permanently. Scalable Platforms save the changes automatically.

  • To view the current permission:

    show ssh server use-dns

  • To configure the required permission:

    set ssh server use-dns {yes | no}

    Important - After you add, configure, or delete features, run the "save config" command to save the settings permanently. Scalable Platforms save the changes automatically.