SSHv2

Secure Shell version 2 (SSHv2) is allowed in FIPS mode.

The following SSH commands are affected when the Extreme device is in FIPS mode:

• The ssh server command enables the SSH server. The SSH server is always enabled; however, to start it, use the crypto key generate command to create host keys.
• The ip ssh encryption aes-only command is disabled.

  During SSH connection, encryption is done using AES 256 or AES 128, depending on client's capability.

• The ip ssh key-authentication command is disabled.
• The ip ssh permit-empty-password command is disabled.
• The ip ssh pub-key-file tftp command is disabled.
• The ip ssh scp command ensures that SCP is enabled to run in FIPS mode. SCP is needed for file communication and the ip ssh scp disable command is disabled in FIPS mode and displays the following message:
  

  FIPS Compliance: SCP needs to be enabled

• The crypto key zeroize command removes configured SSH keys.

Use the show ip ssh config command to display SSH configuration information.

For more information on the show ip ssh config command, refer to the Extreme NetIron Security Configuration Guide.

SSH key generation time is affected by the increased security of authentication and encryption algorithms both in and out of FIPS mode.

The ip ssh password-authentication [ no | yes ] command is used to disable the password authentication for SSH. The ip ssh interactive-authentication [ no | yes ] command is used to disable the interactive authentication for SSH. For more information about these commands, refer to the Extreme NetIron Security Configuration Guide.

Refer to the Extreme NetIron configuration guides for SSH key generation time ranges.