Extreme SLX-OS Security Hardening Guide, 20.6.1

SSH ciphers

The following ciphers are recommended for the SSH client and SSH server:

aes256-ctr
aes256-cbc

Reference the Extreme SLX-OS Security Configuration Guide, 20.2.1 – Configure SSH Ciphers for specific guidance configuring SSH ciphers.

SSH MAC algorithms

The following MAC algorithms are recommended for the SSH client and SSH server:

hmac-sha2-256
hmac-sha2-512

Reference the Extreme SLX-OS Security Configuration Guide, 20.2.1 – Configure SSH MAC for specific guidance configuring SSH MAC algorithms.

SSH Key-exchange

The following MAC algorithms are recommended for the SSH client and SSH server:

ecdh-sha2-nistp256
diffie-hellman-group14-sha1

Reference the Extreme SLX-OS Security Configuration Guide, 20.2.1 – Configure SSH Key-exchange for specific guidance configuring SSH Key-exchange algorithms.

SSH server timeout and login policies

Enter the ssh server max-idle-timeout command to set the timeout value for SSH connections to the server. This setting affects ssh connections to the server including the netconf sessions.

device(config)# ssh server max-idle-timeout 20

Enter the sshserver max-auth-tries command to set the number of login attempts

device(config)# ssh server max-auth-tries 2

Enter the sshserver max-login-timeout command to set the login timeout. Set the value to an appropriate timeout period in the administrator‘s environment.

device(config)# ssh server max-login-timeout 30

ConfiguringSSH session re-key interval by volume and time

The SSH servers can trigger re-keying once a certain time interval is reached or data traffic reaches a specified volume. During re-keying, a set of key exchange messages are transferred between the SSH client and the server, changing the key used for the session security.

Re-keying by volume

The re-key-volumeoption cannot exceed a value equal to 1024 MB. The default value is 1024 MB. The range of the rekey volume configured using the ssh-server command is 512 to 1024 MB.

device(config)# ssh server rekey-volume ? Possible completions:

<DECIMAL> <512-4095> Megabytes"

Re-keying by time

The SSH rekey can also be configured based on time. The default value is 3600 seconds. The following command is used to specify the time.

device(config)# ssh server rekey-interval ?Possible completions:

<DECIMAL> <900-3600> Seconds

Configure SSH authentication method

The SSH provides public key and password authentication methods, including support for X.509 v3 certificates.

To use SSH public-key authentication, enter the certutil import sshkey directory pubkey-directoryfilefilenameprotocol SCP host remote-ip user user-account password password command to import the public key.

device# certutil import sshkey user admin host 10.70.4.106 directory /users/home40/bmeenaks/.ssh file id_rsa.pub login fvt

Password: ***********

2012/11/14-10:28:58, [SEC-3050], 75,, INFO,
        VDX, Event: sshutil, Status: success, Info: Imported SSH public key from 10.70.4.106 for
        user 'admin'.

To support password less SSH authentication, externally generated key pairs using RSA-2048.

Reference the Extreme SLX-OS Security Configuration Guide, 20.2.1 – Secure Shell for further guidance configuring SSH authentication method.

Disable telnet server

Enterthe telnet server shutdown command in global configuration mode to disable the Telnet server.

device(config)# telnet server shutdown

SSH Configuration