As part of security hardening of the SLX device, several configurations are supported from EFA. These configurations are applicable only for the SLX versions 20.3.2 and above. Any SSH server settings change need SSHD to be restarted ,and hence any client connected via SSH needs to reconnect..
The following configuration are applied on the SLX device during registration in EFA.
Setting | Default Value |
SSHD MAC Algorithms | hmac-sha2-512-etm@openssh .com , hmac-sha2-256-etm@openssh.com ,hmac-sha2-512,hmac-sha2-256 |
SSHD Key Exchange Algorithms | curve25519-sha256, curve25519-sha256@libssh.org ,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256 |
Cipher | non-cbc |
The following SLX command is for the SSH configuration on SLX devices:
SLX# config Entering configuration mode terminal SLX(config)# ssh server mac hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256,hmac-sha2-512 % Info: Configuration is successful.For this config to take effect immediately, restart SSH server via exec command ssh-server restart or save the config and reload. SLX(config)# ssh server key-exchange curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 % Info: Configuration is successful.For this config to take effect immediately, restart SSH server via exec command ssh-server restart or save the config and reload. SLX(config)# ssh server cipher SLX(config)# ssh server cipher non-cbc % Info: Configuration is successful.For this config to take effect immediately, restart SSH server via exec command ssh-server restart or save the config and reload. SLX(config)# exit SLX# ssh-server restart Warning: This operation will disconnect all active SSH sessions. Are you sure you want to restart the SSH server [y/n]? y SSH server is going down for restart NOW !!
The following command shows the SSH configuration parameters on SLX:
SLX# show ssh server status SSH Kex Exchange Algorithm: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 SSH Server Rekey Volume: 1024 SSH Server Auth Tries: 6 SSH Server Login Timeout: 120 SSH Server Cipher: non-cbc SSH Server Mac : hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256,hmac-sha2-512 VRF-Name: mgmt-vrf Status: Enabled VRF-Name: default-vrf Status: Enabled
The following SLX command disables the Telnet server on mgmt-vrf:
SLX# config Entering configuration mode terminal SLX(config)# telnet server use-vrf mgmt-vrf shutdown
The following command shows the Telnet configuration on SLX:
SLX# show telnet server status VRF-Name: default-vrf Status: Enabled VRF-Name: mgmt-vrf Status: Disabled
The following attributes on the SLX devices (applicable for versions above 20.3.1) are applicable for password configuration:
Setting | Default Value |
---|---|
Max Password Age | 90 |
Force Default Password Change | Disabled |
The following SLX command configures the password attributes on SLX devices:
SLX# config Entering configuration mode terminal SLX(config)# password-attributes max-password-age 365 SLX(config)# password-attributes force-default-password-change
The following command shows the password configuration on SLX:
SLX# show running-config password-attributes password-attributes force-default-password-change password-attributes max-password-age 365
The following SLX command configures TLS on SLX devices: (applicable for versions above 20.3.2):
The minimum version of TLS Configuration on the server is set to 1.2.
SLX# config Entering configuration mode terminal SLX(config)# management-security SLX(mgmt-security)# ssl-profile server SLX(mgmt-sec-ssl-profile-server)# tls min-version 1.2 To view the configuration on SLX, SLX# show running-config management-security ssl-profile server tls management-security ssl-profile server tls min-version 1.2 ! !