Configuring SSH on the Evaluated Configuration for FIPS

15-Sep-21

SSH through the remote management interface is allowed in the evaluated configuration. This topic describes how to configure SSH through remote management.

The following algorithms need to be configured to validate SSH for FIPS.

To configure SSH on the DUT:

  1. Specify the permissible SSH host-key algorithms for the system services.

    [edit]
    user@host# set system services ssh hostkey-algorithm ssh-ecdsa
    user@host# set system services ssh hostkey-algorithm no-ssh-dss
    user@host# set system services ssh hostkey-algorithm ssh-rsa
    
  2. Specify the SSH key-exchange for Diffie-Hellman keys for the system services.

    [edit]
    user@host# set system services ssh key-exchange dh-group14-sha1
    user@host# set system services ssh key-exchange ecdh-sha2-nistp256
    user@host# set system services ssh key-exchange ecdh-sha2-nistp384
    user@host# set system services ssh key-exchange ecdh-sha2-nistp521
    
    [edit]
    user@host# set system services ssh key-exchange ecdh-sha2-nistp256
    user@host# set system services ssh key-exchange ecdh-sha2-nistp384
    user@host# set system services ssh key-exchange ecdh-sha2-nistp521
    
  3. Specify all the permissible message authentication code algorithms for SSHv2.

    [edit]
    user@host# set system services ssh macs hmac-sha1
    user@host# set system services ssh macs hmac-sha2-256
    user@host# set system services ssh macs hmac-sha2-512
    
  4. Specify the ciphers allowed for protocol version 2.

    [edit]
    user@host# set system services ssh ciphers aes128-cbc
    user@host# set system services ssh ciphers aes256-cbc
    user@host# set system services ssh ciphers aes128-ctr
    user@host# set system services ssh ciphers aes256-ctr
    user@host# set system services ssh ciphers aes192-cbc
    user@host# set system services ssh ciphers aes192-ctr
    

Supported SSH hostkey algorithm:

ssh-ecdsa            Allow generation of ECDSA host-key
ssh-rsa              Allow generation of RSA host-key

Supported SSH key-exchange algorithm:

ecdh-sha2-nistp256   The EC Diffie-Hellman on nistp256 with SHA2-256
ecdh-sha2-nistp384   The EC Diffie-Hellman on nistp384 with SHA2-384
ecdh-sha2-nistp521   The EC Diffie-Hellman on nistp521 with SHA2-512

Supported MAC algorithm:

hmac-sha1            Hash-based MAC using Secure Hash Algorithm (SHA1)
hmac-sha2-256        Hash-based MAC using Secure Hash Algorithm (SHA2)
hmac-sha2-512        Hash-based MAC using Secure Hash Algorithm (SHA2)

Supported SSH ciphers algorithm:

aes128-cbc           128-bit AES with Cipher Block Chaining
aes128-ctr           128-bit AES with Counter Mode
aes192-cbc           192-bit AES with Cipher Block Chaining
aes192-ctr           192-bit AES with Counter Mode
aes256-cbc           256-bit AES with Cipher Block Chaining
aes256-ctr           256-bit AES with Counter Mode
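The algorithm lists above double as an allow-list for auditing an existing configuration. The following Python script is an added example, not Juniper code: it parses set-format `system services ssh` statements, honours the `no-` prefix on host-key algorithms (as in `no-ssh-dss` in step 1), and reports any value outside the lists configured in steps 1 through 4. The sample configuration, including its non-approved entries `hmac-md5` and `3des-cbc`, is constructed for the example.

```python
"""Offline audit of a Junos set-format SSH configuration against the
algorithm lists from steps 1-4 of this topic (added example, not Juniper code)."""
import re

# Allow-lists: statement name -> values configured in steps 1-4 above.
ALLOWED = {
    "hostkey-algorithm": {"ssh-ecdsa", "ssh-rsa"},
    "key-exchange": {"dh-group14-sha1", "ecdh-sha2-nistp256",
                     "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"},
    "macs": {"hmac-sha1", "hmac-sha2-256", "hmac-sha2-512"},
    "ciphers": {"aes128-cbc", "aes256-cbc", "aes128-ctr",
                "aes256-ctr", "aes192-cbc", "aes192-ctr"},
}

# Matches "set system services ssh <statement> <value>", with or without
# the "user@host#" prompt that a pasted CLI session carries.
_SET_RE = re.compile(
    r"^\s*(?:\S+#\s*)?set system services ssh "
    r"(hostkey-algorithm|key-exchange|macs|ciphers)\s+(\S+)\s*$")

def parse_ssh_config(text):
    """Return {statement: set(enabled values)} from set-format lines.
    A 'no-' prefix on hostkey-algorithm (e.g. no-ssh-dss) disables that
    algorithm instead of enabling it, so it is subtracted at the end."""
    enabled = {stmt: set() for stmt in ALLOWED}
    disabled_hostkeys = set()
    for line in text.splitlines():
        m = _SET_RE.match(line)
        if not m:
            continue  # "[edit]" prompts, blank lines, unrelated statements
        stmt, value = m.groups()
        if stmt == "hostkey-algorithm" and value.startswith("no-"):
            disabled_hostkeys.add(value[len("no-"):])
        else:
            enabled[stmt].add(value)
    enabled["hostkey-algorithm"] -= disabled_hostkeys
    return enabled

def check_fips_ssh(text):
    """Return sorted (statement, value) pairs that fall outside ALLOWED.
    An empty list means the configuration stays within the evaluated set."""
    cfg = parse_ssh_config(text)
    return sorted((stmt, v) for stmt, vals in cfg.items()
                  for v in vals if v not in ALLOWED[stmt])

# Constructed sample: approved statements plus two values that are not.
SAMPLE = """\
[edit]
user@host# set system services ssh hostkey-algorithm ssh-ecdsa
user@host# set system services ssh hostkey-algorithm no-ssh-dss
user@host# set system services ssh key-exchange ecdh-sha2-nistp256
user@host# set system services ssh macs hmac-sha2-256
user@host# set system services ssh macs hmac-md5
user@host# set system services ssh ciphers aes256-ctr
user@host# set system services ssh ciphers 3des-cbc
"""

if __name__ == "__main__":
    for stmt, value in check_fips_ssh(SAMPLE):
        print(f"not permitted in the evaluated configuration: {stmt} {value}")
```

Feed it the output of `show configuration system services ssh | display set` to audit a live device; any line it prints names a statement to remove.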