Secure Shell

Secure Shell (SSH) is a protocol for secure remote login over an insecure network. SSH provides a secure substitute for Telnet by encrypting communications between two hosts.

The S-, K-, and 7100-Series SSHv2 implementation includes:

An SSH server resides on the S-, K-, or 7100-Series platform and listens for client connection requests. Once a request is authenticated, a secure connection is formed through which all subsequent traffic is sent. All traffic is encrypted across the secure channel, which ensures data integrity. This prevents someone from seeing clear-text passwords or file content, as is possible with the Telnet application.

Once SSH has been enabled and the S-, K-, or 7100-Series device has at least one valid IP address, you can establish an SSH session from any TCP/IP-based node on the network by using SSH to connect to that IP address and entering your user name and password. Refer to the instructions included with your SSH application for information about establishing a session.

SSH is activated by enabling the SSH server on the device. Enabling the server automatically generates a host key for the server, which is used for the life of the client-to-server connection. The SSH server can be reinitialized. Reinitializing the server clears all current client-to-server connections. Reinitializing the server does not reinitialize the host key. Should you believe the host key has been compromised, or otherwise wish to change it, the host key can be reinitialized with a separate command.

During the handshake between an SSH client and an SSH server, each side sends a proposal of cryptographic Ciphers and Message Authentication Codes (MACs). SSH Ciphers and MACs are applied to all new inbound (SSH server) and outbound (SSH client) SSH sessions. Existing sessions remain unchanged. Ciphers and MACs are entered in order of precedence from high to low.

Applied SSH Ciphers default to all supported ciphers in the following order of precedence: aes128-cbc, aes192-cbc, aes256-cbc, 3des-cbc, blowfish-cbc, and cast128-cbc.

When in FIPS mode, only the following FIPS compliant Ciphers are allowed (listed in the default order of precedence from high to low): aes128-cbc, aes192-cbc, aes256-cbc, and 3des-cbc. If non-FIPS Ciphers are configured when booting in FIPS mode, SSH uses the default Cipher list.

Use the set ssh ciphers command to administratively change the applied SSH Ciphers list. When using this command the order of precedence is modified to the order the Ciphers are entered. Any supported Cipher not entered is no longer allowed.

Applied MACs default to all supported MACs in the following order of precedence: hmac-sha1-etm@openssh.com, hmac-md5-etm@openssh.com, hmac-ripemd160-etm@openssh.com, hmac-sha1-96-etm@openssh.com, hmac-md5-96-etm@openssh.com, hmac-sha1, hmac-md5, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, and hmac-md5-96.

When in FIPS mode, only the following FIPS compliant MACs are allowed (listed in the default order of precedence from high to low): hmac-sha1 and hmac-sha1-96. If non-FIPS MACs are configured when booting in FIPS mode, SSH uses the default MACs list.

Use the set ssh macs command to administratively change the applied SSH MACs list. When using this command the order of precedence is modified to the order the MACs are entered. Any supported MAC not entered is no longer allowed.
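The following is an added example (not code from the product documentation) that models the Cipher and MAC selection rules described in the two sections above, so a planned set ssh ciphers or set ssh macs order can be checked before it is applied. The algorithm lists are the ones stated on this page; the negotiation rule (the first algorithm in the client's proposal that the server also offers) is the standard SSHv2 rule from RFC 4253 section 7.1; how the device treats a name it does not support, and that the FIPS-mode fallback is the FIPS default list, are assumptions of this model.

```python
# Added example, not device code. Lists are taken from the page text above.
DEFAULT_CIPHERS = ["aes128-cbc", "aes192-cbc", "aes256-cbc",
                   "3des-cbc", "blowfish-cbc", "cast128-cbc"]
FIPS_CIPHERS = ["aes128-cbc", "aes192-cbc", "aes256-cbc", "3des-cbc"]
DEFAULT_MACS = ["hmac-sha1-etm@openssh.com", "hmac-md5-etm@openssh.com",
                "hmac-ripemd160-etm@openssh.com", "hmac-sha1-96-etm@openssh.com",
                "hmac-md5-96-etm@openssh.com", "hmac-sha1", "hmac-md5",
                "hmac-ripemd160", "hmac-ripemd160@openssh.com",
                "hmac-sha1-96", "hmac-md5-96"]
FIPS_MACS = ["hmac-sha1", "hmac-sha1-96"]


def non_fips_entries(configured, fips_allowed):
    """Entries in a configured list that FIPS mode would not permit."""
    return [alg for alg in configured if alg not in fips_allowed]


def applied_list(configured, supported, fips_allowed, fips_mode):
    """List the server actually offers after `set ssh ciphers`/`set ssh macs`.

    The entered order replaces the default order, supported algorithms that
    were left out are no longer offered, and in FIPS mode any non-FIPS entry
    makes the device fall back to the default list (assumed here to be the
    FIPS default list in its default precedence order).
    """
    unknown = [alg for alg in configured if alg not in supported]
    if unknown:
        # Assumption: the page does not say how unsupported names are handled.
        raise ValueError(f"unsupported algorithm(s): {unknown}")
    if fips_mode and non_fips_entries(configured, fips_allowed):
        return list(fips_allowed)
    return list(configured)


def negotiate(client_proposal, server_list):
    """SSHv2 choice: first client-preferred algorithm the server also offers,
    or None when there is no overlap (the connection cannot be established)."""
    for alg in client_proposal:
        if alg in server_list:
            return alg
    return None
```

With a FIPS-mode server, a client that proposes only blowfish-cbc gets no common cipher and the session fails, which is the expected outcome rather than a misconfiguration.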