set ssh macs

Use this command to specify the allowed Message Authentication Codes (MACs), in order of precedence from high to low.

Syntax

set ssh macs {[hmac-sha1-etm@openssh.com] [hmac-md5-etm@openssh.com] [hmac-ripemd160-etm@openssh.com] [hmac-sha1-96-etm@openssh.com] [hmac-md5-96-etm@openssh.com] [hmac-sha1] [hmac-md5] [hmac-ripemd160] [hmac-ripemd160@openssh.com] [hmac-sha1-96] [hmac-md5-96]}

Parameters

hmac-sha1-etm@openssh.com Specifies the SHA-1 with 20-byte digest and key length, encrypt-then-mac as a member of the allowed MAC list.
hmac-md5-etm@openssh.com Specifies the MD5 with 16-byte digest and key length, encrypt-then-mac as a member of the allowed MAC list.
hmac-ripemd160-etm@openssh.com Specifies the RIPEMD-160 algorithm with 20-byte digest length, encrypt-then-mac as a member of the allowed MAC list.
hmac-sha1-96-etm@openssh.com Specifies the SHA-1 with 20-byte key length and 12-byte digest length, encrypt-then-mac as a member of the allowed MAC list.
hmac-md5-96-etm@openssh.com Specifies the MD5 with 16-byte key length and 12-byte digest length, encrypt-then-mac as a member of the allowed MAC list.
hmac-sha1 Specifies the SHA-1 with 20-byte digest and key length as a member of the allowed MAC list.
hmac-md5 Specifies the MD5 with 16-byte digest and key length as a member of the allowed MAC list.
hmac-ripemd160 Specifies the RIPEMD-160 algorithm with 20-byte digest length as a member of the allowed MAC list.
hmac-ripemd160@openssh.com Specifies the alias for hmac-ripemd160 MAC.
hmac-sha1-96 Specifies the SHA-1 with 20-byte key length and 12-byte digest length as a member of the allowed MAC list.
hmac-md5-96 Specifies the MD5 with 16-byte key length and 12-byte digest length as a member of the allowed MAC list.

Defaults

None.

Mode

All command modes.

Usage

During the handshake between an SSH client and an SSH server, each side sends a proposal of cryptographic MACs. MACs are entered in order of precedence from high to low. Applied MACs default to all supported MACs in the following order of precedence: hmac-sha1-etm@openssh.com, hmac-md5-etm@openssh.com, hmac-ripemd160-etm@openssh.com, hmac-sha1-96-etm@openssh.com, hmac-md5-96-etm@openssh.com, hmac-sha1, hmac-md5, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, and hmac-md5-96.

When in FIPS mode, only the following FIPS-compliant MACs are allowed (listed in the default order of precedence from high to low): hmac-sha1 and hmac-sha1-96. If non-FIPS MACs are configured when booting in FIPS mode, SSH uses the default MACs list.

Example

This example shows how to limit allowed SSH MACs in order of precedence from high to low to hmac-sha1-etm@openssh.com and hmac-md5-96:

System(rw)->set ssh macs hmac-sha1-etm@openssh.com hmac-md5-96
System(rw)->
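
The following Python sketch is an added example, not vendor code. It models which MAC an SSH session ends up with for the list configured above, using the RFC 4253 section 7.1 rule that the first MAC on the client's list that the server also allows is selected. It assumes the switch is the SSH server and that the FIPS-mode "default MACs list" means hmac-sha1, hmac-sha1-96; the function names and the client proposal are constructed for illustration.

```python
# Added illustration; not vendor code. Models MAC selection for one direction.

# Default order of precedence, as listed in the Usage section.
DEFAULT_MACS = [
    "hmac-sha1-etm@openssh.com", "hmac-md5-etm@openssh.com",
    "hmac-ripemd160-etm@openssh.com", "hmac-sha1-96-etm@openssh.com",
    "hmac-md5-96-etm@openssh.com", "hmac-sha1", "hmac-md5",
    "hmac-ripemd160", "hmac-ripemd160@openssh.com",
    "hmac-sha1-96", "hmac-md5-96",
]
# FIPS-compliant MACs, in their default order of precedence.
FIPS_MACS = ["hmac-sha1", "hmac-sha1-96"]


def effective_macs(configured, fips_mode=False):
    """Return the MAC list the switch would offer.

    configured: names given to 'set ssh macs' (empty = command never run).
    Assumption: in FIPS mode the "default MACs list" means FIPS_MACS.
    """
    unknown = [m for m in configured if m not in DEFAULT_MACS]
    if unknown:
        raise ValueError(f"not accepted by 'set ssh macs': {unknown}")
    if not fips_mode:
        return list(configured) or list(DEFAULT_MACS)
    if not configured or any(m not in FIPS_MACS for m in configured):
        return list(FIPS_MACS)  # fallback described in the Usage section
    return list(configured)


def negotiate_mac(client_macs, server_macs):
    """RFC 4253 section 7.1: first client entry also on the server's list."""
    for name in client_macs:
        if name in server_macs:
            return name
    return None  # no common MAC: key exchange fails


# Constructed client proposal (sample input, not captured from a real client).
CLIENT = ["hmac-sha2-256", "hmac-md5-96", "hmac-sha1-etm@openssh.com", "hmac-sha1"]

if __name__ == "__main__":
    configured = ["hmac-sha1-etm@openssh.com", "hmac-md5-96"]  # list from the Example
    for fips in (False, True):
        offered = effective_macs(configured, fips_mode=fips)
        print(f"fips={fips} offered={offered} selected={negotiate_mac(CLIENT, offered)}")
```

With the switch as server, the client's ordering decides among the common MACs, so a MAC that must never be used has to be left out of the list rather than ranked last.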