SSH

Connections and Encryption

On the Connections and Encryption page, you can create connection rules that restrict connections based on various selectors. You can also set the ciphers, MACs and KEXs used for the connections.

The selectors define which connections a connection rule applies to. The order of the rules is important. The first matching rule is used and the remaining rules are ignored.

If no selectors (or only empty selectors) are specified in a connection rule, the rule matches all connections. In the simple GUI mode, there is only one connection rule that is used for all connections.

If a connection does not match any selector in any of the connection rules, the connection is allowed with the server default connection settings.
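The first-match evaluation described above, as an added example that is not part of the original page or of Tectia itself. It models only the IP and Interface selector attributes that apply to connection rules; the way it combines them (several selectors in a rule are OR'd, attributes within one selector are AND'd) is an assumption chosen to match the page's statements that an empty selector and a rule without selectors both match everything.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-in for the server default connection settings.
SERVER_DEFAULTS = {"ciphers": ["AES-128-CTR", "AES-256-CTR"],
                   "macs": ["HMAC-SHA2-256", "HMAC-SHA2-512"]}

@dataclass
class Selector:
    """Only IP and Interface attributes are relevant for connection rules."""
    ip_networks: list = field(default_factory=list)   # CIDR strings
    interfaces: list = field(default_factory=list)    # interface names

    def matches(self, src_ip, iface):
        # Every attribute present must match (assumption: AND within a selector);
        # a selector with no attributes matches everything, as the page states.
        if self.ip_networks and not any(
                ipaddress.ip_address(src_ip) in ipaddress.ip_network(n)
                for n in self.ip_networks):
            return False
        return not self.interfaces or iface in self.interfaces

@dataclass
class ConnectionRule:
    name: str
    action: str                                    # "allow" or "deny"
    selectors: list = field(default_factory=list)  # none -> matches all connections
    parameters: dict = field(default_factory=dict)

    def matches(self, src_ip, iface):
        # Assumption: a rule matches if any of its selectors matches.
        return not self.selectors or any(s.matches(src_ip, iface) for s in self.selectors)

def evaluate(rules, src_ip, iface):
    """Walk the rules in order; the first match decides and the rest are ignored.
    Returns (action, matched rule name, parameters)."""
    for rule in rules:
        if rule.matches(src_ip, iface):
            if rule.action == "deny":
                return ("deny", rule.name, None)       # Parameters tab is disabled for deny
            return ("allow", rule.name, rule.parameters)
    return ("allow", None, SERVER_DEFAULTS)            # no rule matched: server defaults

RULES = [  # constructed sample rule set; order matters
    ConnectionRule("block-legacy-net", "deny", [Selector(ip_networks=["192.0.2.0/24"])]),
    ConnectionRule("mgmt-strict", "allow",
                   [Selector(ip_networks=["10.0.0.0/8"], interfaces=["eth1"])],
                   {"ciphers": ["AES-256-CTR"], "macs": ["HMAC-SHA2-512"]}),
]
```

Putting a rule with an attribute-less selector at the top of RULES makes it match every connection, which is the ordering pitfall the page warns about.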

To add a new connection rule, click the Add button below the tree view. Each rule will have a sub-page with two tabs. On the Selectors tab, you can edit the selectors of the rule and define whether the connection is allowed or denied, and on the Parameters tab, you can configure the settings for the rule.

To edit a connection rule, select a connection item on the tree view. For more information, see Editing Connection Rules.

To change the order of the rules, select a connection item on the tree view and use the Up and Down buttons. The rules are read in order, and the first matching connection rule on the list is used.

To delete a connection rule, select a connection item and click Delete.

Editing Connection Rules

Each item under Connections and Encryption has two tabs, Selectors and Parameters. The Selectors tab is shown only in the advanced GUI mode.

Selectors (Advanced Mode)

On the Selectors tab, you can configure the selectors that apply to the connection rule and define whether the connection is allowed or denied.


Figure 4.28. Tectia Server Configuration - Connections and Encryption page - Selectors tab

Name

Enter a name for the connection rule.

Selector list view

The selector list view shows the selectors that apply to the rule.

To add a new selector to the rule, click Add Selector. The Add Selector dialog box opens, allowing you to specify the selector type; the new selector automatically contains at least one attribute. For more information on the different selector attributes, see Editing Selectors.

Only the Interface and IP selector attributes are relevant for connection rules. For example, the user name is not yet available when the connection rules are processed. For more information, see Using Selectors in Configuration File.

To remove a selector, choose the selector from the list view on the Selectors tab and click Delete Selector. This will delete the selector and all its attributes.

To add a new attribute to a selector, choose a selector from the list and click Add Attribute. The Add Selector dialog box opens. For more information on the different selector attributes, see Editing Selectors.

To edit a selector attribute, choose the attribute from the list and click Edit Attribute. The relevant selector dialog box opens. For more information on the different selector attributes, see Editing Selectors.

To remove a selector attribute, choose the attribute from the list and click Delete Attribute. Note that a selector with no attributes will match everything.

Connections

Select whether the connection is allowed or denied.

If you select to deny the connection, the Parameters tab is disabled.

Parameters

On the Parameters tab, you can configure the allowed ciphers, MACs, host key algorithms and KEXs for the connection.


Figure 4.29. Tectia Server Configuration - Connections and Encryption page - Parameters tab

Detect dead connections using keep alive messages

Select this check box to send keep-alive messages to the other side. When they are sent, a broken connection or a crash of one of the machines is noticed properly. This also means that connections will die if the route is temporarily down.

Rekey Interval

Specify the number of Seconds or transferred Bytes after which the key exchange is done again.

If a value for both Seconds and Bytes is specified, rekeying is done whenever one of the values is reached, after which the counters are reset.

The defaults are 3600 seconds (1 hour) and 1000000000 bytes (~1 GB). The value 0 (zero) turns rekey requests off. This does not prevent the client from requesting rekeys.
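The Rekey Interval semantics above (either limit triggers a rekey, both counters reset afterwards, 0 disables a limit), as an added model that is not Tectia code; the accounting method and its name are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass
class RekeyTracker:
    """Constructed model of the server-side rekey trigger described on this page."""
    max_seconds: int = 3600          # default: 1 hour; 0 turns this trigger off
    max_bytes: int = 1_000_000_000   # default: ~1 GB; 0 turns this trigger off
    elapsed: int = 0                 # seconds since the last key exchange
    transferred: int = 0             # bytes since the last key exchange

    def record(self, seconds=0, nbytes=0):
        """Account for elapsed time and transferred data.
        Returns True when the server should request a rekey now."""
        self.elapsed += seconds
        self.transferred += nbytes
        due = ((self.max_seconds > 0 and self.elapsed >= self.max_seconds)
               or (self.max_bytes > 0 and self.transferred >= self.max_bytes))
        if due:
            # Both counters are reset once either limit is reached.
            self.elapsed = self.transferred = 0
        return due
```

Setting both limits to 0 stops the server from requesting rekeys, but, as the page notes, it does not stop the client from requesting them.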

Encryption

Under Encryption, select the Ciphers, MACs, Host key algorithms and KEXs allowed for the connection from the list. To deselect an already selected algorithm, click on it again.

The default ciphers, MACs, host key algorithms and KEXs are marked in the list initially with a gray background.

Tectia proprietary algorithms are marked with (Tectia) and are operable with Tectia products only. They correspond to the algorithms that end with @ssh.com in the server configuration file.

Ciphers

The following ciphers are supported (the ones allowed by default are written in bold):

  • AES-128-CBC

  • AES-128-CTR

  • AES-192-CBC

  • AES-192-CTR

  • AES-256-CBC

  • AES-256-CTR

  • CryptiCore (Tectia)

  • 3DES

  • SEED

  • Arcfour

  • Blowfish

  • Twofish

  • Twofish-128

  • Twofish-192

  • Twofish-256

The ciphers that can operate in the FIPS mode are 3DES and both the CBC-mode and CTR-mode AES-128, AES-192, and AES-256.

MACs

The following MACs are supported (the ones allowed by default are written in bold):

  • HMAC-SHA1

  • HMAC-SHA1-96

  • HMAC-SHA2-256

  • HMAC-SHA256-2 (Tectia/Old)

  • HMAC-SHA224 (Tectia)

  • HMAC-SHA256 (Tectia)

  • HMAC-SHA384 (Tectia)

  • HMAC-SHA2-512

  • HMAC-SHA512 (Tectia)

  • CryptiCore (Tectia)

  • HMAC-MD5

  • HMAC-MD5-96

All the HMAC-SHA (both HMAC-SHA1 and HMAC-SHA2) algorithm variants listed above can operate in the FIPS mode.

Host key algorithms

The following host key algorithms are supported (the ones allowed by default are written in bold):

  • ssh-dss

  • ssh-rsa

  • ssh-dss-sha224 (Tectia)

  • ssh-dss-sha256 (Tectia)

  • ssh-dss-sha384 (Tectia)

  • ssh-dss-sha512 (Tectia)

  • ssh-rsa-sha224 (Tectia)

  • ssh-rsa-sha256 (Tectia)

  • ssh-rsa-sha384 (Tectia)

  • ssh-rsa-sha512 (Tectia)

  • x509v3-sign-dss

  • x509v3-sign-rsa

  • x509v3-sign-dss-sha224 (Tectia)

  • x509v3-sign-dss-sha256 (Tectia)

  • x509v3-sign-dss-sha384 (Tectia)

  • x509v3-sign-dss-sha512 (Tectia)

  • x509v3-sign-rsa-sha224 (Tectia)

  • x509v3-sign-rsa-sha256 (Tectia)

  • x509v3-sign-rsa-sha384 (Tectia)

  • x509v3-sign-rsa-sha512 (Tectia)

  • ecdsa-sha2-nistp256

  • ecdsa-sha2-nistp384

  • ecdsa-sha2-nistp521

  • x509v3-ecdsa-sha2-nistp256

  • x509v3-ecdsa-sha2-nistp384

  • x509v3-ecdsa-sha2-nistp521

KEXs

The following KEX methods are supported (the ones allowed by default are written in bold):

  • DH-Group1-SHA1

  • DH-Group14-SHA1

  • DH-Group14-SHA224 (Tectia)

  • DH-Group14-SHA256 (Tectia)

  • DH-Group15-SHA256 (Tectia)

  • DH-Group15-SHA384 (Tectia)

  • DH-Group16-SHA384 (Tectia)

  • DH-Group16-SHA512 (Tectia)

  • DH-Group18-SHA512 (Tectia)

  • DH-GEX-SHA256

  • DH-GEX-SHA1

  • DH-GEX-SHA224 (Tectia)

  • DH-GEX-SHA384 (Tectia)

  • DH-GEX-SHA512 (Tectia)

  • ECDH-NISTP256

  • ECDH-NISTP384

  • ECDH-NISTP521

All the supported KEXs can operate in the FIPS mode on Windows. For more information on the FIPS-Certified Cryptographic Library, see Cryptographic library.