
SSH

Host Keys

To enable elliptic curve host keys for Tectia Client, add the ECDSA host-key algorithms (remove any algorithms you do not wish to allow) within the <hostkey-algorithms> element below any <kexs> element of your ssh-broker-config.xml. If the <kexs> section does not exist, you can place the <hostkey-algorithms> element above the <authentication-methods> element.

...
</kexs>

<hostkey-algorithms>
  <hostkey-algorithm name="ecdsa-sha2-nistp256" />
  <hostkey-algorithm name="ecdsa-sha2-nistp384" />
  <hostkey-algorithm name="ecdsa-sha2-nistp521" />
  <hostkey-algorithm name="ssh-dss" />
  <hostkey-algorithm name="ssh-rsa" />
  <hostkey-algorithm name="ssh-dss-sha256@ssh.com" />
  <hostkey-algorithm name="ssh-rsa-sha256@ssh.com" />
  <hostkey-algorithm name="x509v3-sign-dss" />
  <hostkey-algorithm name="x509v3-sign-rsa" />
  <hostkey-algorithm name="x509v3-sign-dss-sha256@ssh.com" />
  <hostkey-algorithm name="x509v3-sign-rsa-sha256@ssh.com" />
</hostkey-algorithms>

<authentication-methods>
...
Note: To enable ECDSA host keys for X.509, add also the following hostkey-algorithm names: x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384, x509v3-ecdsa-sha2-nistp521.

A test connection will look like this (the -vv option was used for basic debug and some noise was removed from the output):

$ sshg3 -vv root@192.51.100.1
2015-08-24 15:40:28: 6200 Broker_tcp_connect, Dst: 192.51.100.1, Dst Port: 22,
Src Port: 49189, Local username: johnd
2015-08-24 15:40:28: 1002 Algorithm_negotiation_success,
"kex_algorithm=diffie-hellman-group1-sha1, hostkey_algorithm=ecdsa-sha2-nistp256,
cipher=crypticore128@ssh.com/crypticore128@ssh.com,
mac=crypticore-mac@ssh.com/crypticore-mac@ssh.com, compression=none/none",
Session-Id: 31
2015-08-24 15:40:29: 6204 Broker_transport_connect, Dst: 192.51.100.1,
Dst Port: 22, Remote username: root, Src Port: 49189, Local username: johnd,
Session-Id: 31
2015-08-24 15:40:29: 1003 KEX_success, Algorithm: diffie-hellman-group1-sha1,
Modulus: 1024 bits, Session-Id: 31, Protocol-session-Id:
02A94DF2D6B4441C11E4E333E78E0C208728AE50
2015-08-24 15:40:29: 703 Auth_methods_available, Auth methods:
gssapi-with-mic,password,publickey,keyboard-interactive, Session-Id: 31
2015-08-24 15:40:29: 6303 Broker_userauth_method_failure, "publickey",
Session-Id: 31
root@192.51.100.1's password:
…
Server hostkey algorithm: ecdsa-sha2-nistp256
Server identity: 256 bit ecdsa key
SHA-1: bd6a1d45f262db8095ee5e6a2eb1c3fac7111d00
xozek-palag-hysak-dykym-byhev-velik-piror-cibiz-pycec-culyb-bexox
Authentication successful.
Last login: Mon Aug 24 2015 08:31:29 -0400 from 192.168.56.1
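The following added example (not Tectia's own code or part of this page) checks both halves of the procedure above: it parses a constructed ssh-broker-config.xml fragment to list the enabled ECDSA host-key algorithms and to verify that <hostkey-algorithms> sits after <kexs> and before <authentication-methods>, then extracts the negotiated hostkey_algorithm from a constructed Algorithm_negotiation_success line in the sshg3 -vv format shown. The <secsh-broker>/<default-settings> wrapper elements and the sample kex, cipher and MAC names are assumptions, not taken from this page.

```python
import re
import xml.etree.ElementTree as ET

ECDSA_HOSTKEY_ALGS = {"ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

# Constructed sample config fragment. The enclosing <secsh-broker>/<default-settings>
# wrapper is an assumption; the three child elements are the ones the page discusses.
SAMPLE_CONFIG = """<secsh-broker>
  <default-settings>
    <kexs>
      <kex name="diffie-hellman-group14-sha256" />
    </kexs>
    <hostkey-algorithms>
      <hostkey-algorithm name="ecdsa-sha2-nistp256" />
      <hostkey-algorithm name="ecdsa-sha2-nistp384" />
      <hostkey-algorithm name="ssh-rsa" />
    </hostkey-algorithms>
    <authentication-methods>
      <auth-method name="publickey" />
    </authentication-methods>
  </default-settings>
</secsh-broker>"""

# Constructed log line in the shape of the sshg3 -vv output shown above (values are made up).
SAMPLE_LOG = ('2015-08-24 15:40:28: 1002 Algorithm_negotiation_success, '
              '"kex_algorithm=diffie-hellman-group14-sha256, '
              'hostkey_algorithm=ecdsa-sha2-nistp256, cipher=aes128-ctr/aes128-ctr, '
              'mac=hmac-sha2-256/hmac-sha2-256, compression=none/none", Session-Id: 31')

def check_hostkey_config(xml_text):
    """Find <hostkey-algorithms>, list its algorithms, and confirm it is placed after a
    sibling <kexs> and before a sibling <authentication-methods>. None if the element is absent."""
    root = ET.fromstring(xml_text)
    for parent in root.iter():
        tags = [child.tag for child in parent]
        if "hostkey-algorithms" not in tags:
            continue
        pos = tags.index("hostkey-algorithms")
        enabled = [a.get("name") for a in list(parent)[pos].findall("hostkey-algorithm")]
        placement_ok = ("kexs" not in tags or tags.index("kexs") < pos) and \
            ("authentication-methods" not in tags or tags.index("authentication-methods") > pos)
        return {"ecdsa": sorted(set(enabled) & ECDSA_HOSTKEY_ALGS),
                "non_ecdsa": [a for a in enabled if a not in ECDSA_HOSTKEY_ALGS],
                "placement_ok": placement_ok}
    return None

def negotiated_hostkey_algorithm(log_text):
    """Return the hostkey_algorithm from an Algorithm_negotiation_success line, or None."""
    m = re.search(r"hostkey_algorithm=([A-Za-z0-9@.\-]+)", log_text)
    return m.group(1) if m else None

if __name__ == "__main__":
    print(check_hostkey_config(SAMPLE_CONFIG))
    print("negotiated:", negotiated_hostkey_algorithm(SAMPLE_LOG))
```

Run it against a real ssh-broker-config.xml by reading the file into check_hostkey_config, and against a saved sshg3 -vv transcript to confirm the server actually negotiated one of the enabled ECDSA algorithms.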
