SSH Tectia 

Ciphers and MACs

The algorithm(s) used for symmetric session encryption can be chosen in the sshd2_config and ssh2_config files:

Ciphers             aes128

The system will attempt to use the different encryption ciphers in the sequence specified on the line. Currently supported cipher names are the following:

  • 3des-cbc
  • aes128-cbc
  • aes192-cbc
  • aes256-cbc
  • arcfour
  • blowfish-cbc
  • cast128-cbc
  • twofish-cbc
  • twofish128-cbc
  • twofish192-cbc
  • twofish256-cbc
  • cast128-12-cbc@ssh.com
  • des-cbc@ssh.com
  • seed-cbc@ssh.com
  • rijndael-cbc@ssh.com

In the FIPS mode, the following ciphers are supported:

  • 3des-cbc
  • aes128-cbc
  • aes192-cbc
  • aes256-cbc
  • des-cbc@ssh.com

Special values for this option are the following:

  • Any: allows all the cipher values including none
  • AnyStd: allows only standard ciphers and none
  • none: forbids any use of encryption
  • AnyCipher: allows any available cipher apart from the non-encrypting cipher mode none
  • AnyStdCipher: the same as AnyCipher, but includes only those ciphers mentioned in IETF-SecSh-draft (excluding none). This is the default value.

The MAC (Message Authentication Code) algorithm(s) used for data integrity verification can be selected in the sshd2_config and ssh2_config files:

MACs                hmac-sha1,hmac-md5

The system will attempt to use the different HMAC algorithms in the sequence in which they are specified on the line. Supported MAC names are the following:

  • hmac-md5
  • hmac-md5-96
  • hmac-sha1
  • hmac-sha1-96
  • hmac-sha256@ssh.com
  • hmac-sha256-96@ssh.com

In the FIPS mode, only hmac-sha1 is supported.

Special values for this option are the following:

  • Any: allows all the MAC values including none
  • AnyStd: allows only standard MACs and none
  • none: forbids any use of MACs
  • AnyMac: allows any available MAC apart from none
  • AnyStdMac: the same as AnyMac, but includes only those MACs mentioned in IETF-SecSh-draft (excluding none). This is the default value.

Both cipher and MAC can also be defined using command-line arguments with ssh2 and scp2:

$ scp2 -c twofish -m hmac-md5 foobar user@remote:./tmp  

Note: Algorithm names are case-sensitive.
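
The lists above can be turned into a configuration check. The following Python script is an added example, not SSH Tectia code: it reads sshd2_config-style text and reports values that permit none, names that are not on the lists above (including wrong-case names), and, with fips=True, names outside the FIPS lists. The function name audit, the finding labels, the treatment of '#' as a comment marker and the case-insensitive keyword match are assumptions.

```python
# Added example: audit Ciphers/MACs lines against the lists on this page.
LISTED = {
    "ciphers": set("3des-cbc aes128-cbc aes192-cbc aes256-cbc arcfour "
                   "blowfish-cbc cast128-cbc twofish-cbc twofish128-cbc "
                   "twofish192-cbc twofish256-cbc cast128-12-cbc@ssh.com "
                   "des-cbc@ssh.com seed-cbc@ssh.com rijndael-cbc@ssh.com".split()),
    "macs": set("hmac-md5 hmac-md5-96 hmac-sha1 hmac-sha1-96 "
                "hmac-sha256@ssh.com hmac-sha256-96@ssh.com".split()),
}
FIPS = {
    "ciphers": {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc", "des-cbc@ssh.com"},
    "macs": {"hmac-sha1"},
}
SPECIAL = {
    "ciphers": {"Any", "AnyStd", "none", "AnyCipher", "AnyStdCipher"},
    "macs": {"Any", "AnyStd", "none", "AnyMac", "AnyStdMac"},
}
PERMITS_NONE = {"Any", "AnyStd", "none"}  # special values that include or force none

def audit(config_text, fips=False):
    """Return (line_no, keyword, value, finding) tuples for Ciphers/MACs lines."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split(None, 1)  # assumption: '#' starts a comment
        if len(parts) != 2 or parts[0].lower() not in LISTED:
            continue  # assumption: keywords are matched case-insensitively
        key = parts[0].lower()
        for value in (v.strip() for v in parts[1].split(",")):
            if value in PERMITS_NONE:
                findings.append((line_no, key, value, "permits-none"))
            elif value in SPECIAL[key]:
                continue  # AnyCipher/AnyStdCipher/AnyMac/AnyStdMac exclude none
            elif value not in LISTED[key]:  # algorithm names are case-sensitive
                findings.append((line_no, key, value, "unlisted-name"))
            elif fips and value not in FIPS[key]:
                findings.append((line_no, key, value, "not-in-fips-list"))
    return findings

SAMPLE = """\
# constructed sample, not a real sshd2_config
Ciphers             aes128-cbc,twofish-cbc,AES256-CBC
MACs                hmac-sha1,hmac-md5
Ciphers             AnyStd
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, fips=True):
        print(finding)
```

A name reported as unlisted-name is only absent from the lists on this page; the page's own examples use the short forms aes128 and twofish, which the check reports the same way.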

Copyright © 2010 SSH Communications Security Corp.
This software is protected by international copyright laws. All rights reserved.