Verifying that Cryptographic Hardware is Used

To verify that cryptographic hardware is being used, set the debug level for SecShPlugin*ZosIcsf to 4. Setting the debug level to 4 for everything would have the same result, but you would end up with a large amount of data to look through.

You can use this command from USS to verify that cryptographic hardware is enabled:

> sshg3 -DSecShPlugin*ZosIcsf=4 127.0.0.1

Without CEX, the command should produce output of the following type:

Setting debug level string to 'SecShPlugin*ZosIcsf=4'.
...

ssh_secsh_plugin_init: Card IO Threshold = 65536
state_determine: Hardware for 3des-cbc: ICSF-CPACF
state_determine: Hardware for aes128-cbc: ICSF-CPACF
state_determine: Hardware for aes192-cbc: ICSF-CPACF
state_determine: Hardware for aes256-cbc: ICSF-CPACF
state_determine: Hardware for aes128-ctr: ICSF-CPACF
state_determine: Hardware for aes192-ctr: ICSF-CPACF
state_determine: Hardware for aes256-ctr: ICSF-CPACF
state_determine: Hardware for aes128-ecb: ICSF-CPACF
        
ssh_secsh_plugin_init: Card HMAC generate = FALSE    
state_determine: Hardware for hmac-sha1: ICSF-CPACF
state_determine: Hardware for hmac-sha1-96: ICSF-CPACF
state_determine: Hardware for hmac-sha256@ssh.com: ICSF-CPACF
state_determine: Hardware for hmac-sha2-256: ICSF-CPACF
state_determine: Hardware for hmac-sha256-2@ssh.com: ICSF-CPACF
state_determine: Hardware for hmac-sha224@ssh.com: ICSF-CPACF
state_determine: Hardware for hmac-sha384@ssh.com: ICSF-CPACF
state_determine: Hardware for hmac-sha2-512: ICSF-CPACF
state_determine: Hardware for hmac-sha512@ssh.com: ICSF-CPACF

The command should produce the following type of output when CEX is enabled:

Setting debug level string to 'SecShPlugin*ZosIcsf=4'.

...

ssh_secsh_plugin_init: Card IO Threshold = 0        
state_determine: Hardware for 3des-cbc:   ICSF-COP
state_determine: Hardware for aes128-cbc: ICSF-COP
state_determine: Hardware for aes192-cbc: ICSF-COP
state_determine: Hardware for aes256-cbc: ICSF-COP
state_determine: Hardware for aes128-ctr: ICSF-COP
state_determine: Hardware for aes192-ctr: ICSF-COP
state_determine: Hardware for aes256-ctr: ICSF-COP
state_determine: Hardware for aes128-ecb: ICSF-COP
        
ssh_secsh_plugin_init: Card HMAC generate = TRUE    
state_determine: Hardware for hmac-sha1: ICSF-COP
state_determine: Hardware for hmac-sha1-96: ICSF-COP
state_determine: Hardware for hmac-sha256@ssh.com: ICSF-COP
state_determine: Hardware for hmac-sha2-256: ICSF-COP
state_determine: Hardware for hmac-sha256-2@ssh.com: ICSF-COP
state_determine: Hardware for hmac-sha224@ssh.com: ICSF-COP
state_determine: Hardware for hmac-sha384@ssh.com: ICSF-COP
state_determine: Hardware for hmac-sha2-512: ICSF-COP
state_determine: Hardware for hmac-sha512@ssh.com: ICSF-COP
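
The comparison of the two outputs above can be scripted, so that a single algorithm reported on an unexpected provider is not missed when reading the list by eye. The following is an added example, not part of the original page or of Tectia; the function names `check_icsf_hw` and `sample_mixed` are hypothetical, the sample input is constructed from the line format shown above, and the live-use comment assumes the debug lines are written to stderr.

```shell
#!/bin/sh
# Added example, not Tectia code; function names here are hypothetical.
# Reads sshg3 debug output on stdin and checks every
# "state_determine: Hardware for <alg>: <provider>" line against the expected
# provider (ICSF-COP or ICSF-CPACF, the two values shown on this page).
# Exit status: 0 = all match, 1 = a mismatch, 2 = no such lines seen.
check_icsf_hw() {
    awk -v want="$1" '
        /state_determine: Hardware for / {
            line = $0
            sub(/^.*state_determine: Hardware for[ \t]*/, "", line)
            n = index(line, ":")
            if (n == 0) next                 # malformed line, ignore
            alg = substr(line, 1, n - 1)
            hw = substr(line, n + 1)
            gsub(/[ \t\r]/, "", hw)          # output pads with spaces
            total++; count[hw]++
            if (hw != want) { bad++; printf "MISMATCH %s uses %s\n", alg, hw }
        }
        /ssh_secsh_plugin_init: Card / {     # threshold / HMAC settings
            sub(/^.*ssh_secsh_plugin_init: /, ""); sub(/[ \t\r]+$/, "")
            print "INFO " $0
        }
        END {
            if (total == 0) { print "NO-DATA no state_determine lines"; exit 2 }
            for (h in count) printf "COUNT %s %d\n", h, count[h]
            exit (bad > 0 ? 1 : 0)
        }'
}

# Constructed sample in the format shown above, with one algorithm deliberately
# left on ICSF-CPACF to exercise the mismatch path.
sample_mixed() {
    cat <<'EOF'
ssh_secsh_plugin_init: Card IO Threshold = 0
state_determine: Hardware for 3des-cbc:   ICSF-COP
state_determine: Hardware for aes256-ctr: ICSF-COP
ssh_secsh_plugin_init: Card HMAC generate = TRUE
state_determine: Hardware for hmac-sha1: ICSF-CPACF
state_determine: Hardware for hmac-sha256@ssh.com: ICSF-COP
EOF
}

# Live use (assumption: the debug lines are written to stderr):
#   sshg3 -D'SecShPlugin*ZosIcsf=4' 127.0.0.1 2>&1 | check_icsf_hw ICSF-COP
sample_mixed | check_icsf_hw ICSF-COP || echo "check_icsf_hw exit status: $?"
```

Exit status 2 separates "no plugin lines at all" (for example, the debug string was not applied) from a real provider mismatch, which matters when the check runs unattended.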


 

 