
SSH Proxy Encryption and Key Exchange Algorithms

SSH or secure shell provides a mechanism to establish a cryptographically secured connection between two parties, authenticating each side to the other, and passing commands and output back and forth. To secure the transmission of information, SSH employs a number of different types of data manipulation techniques at various points in the transaction.

System admins can configure the SSH Proxy to enable or disable key exchange and authentication algorithms used between the user and the SSH Proxy. To configure the SSH Proxy for available key exchange and authentication algorithms:

  1. Establish an SSH connection to the Kron PAM server
  2. Set the required parameters in /u01/nssoapp/conf/nsso.properties. Multiple values can be used when separated with a comma “,”:
     cd /u01/nssoapp/conf/
     vi nsso.properties
  3. Add/edit the following parameters with the vi editor.

All algorithms supported by the SSH Proxy, on both the server and the client side, are shown in the table below.

By default, only the algorithms considered secure are enabled at installation time. Therefore, we recommend caution when changing these nsso.properties parameters.

Parameter | Available Values
--- | ---
nsso.server.kex.algorithms | diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
nsso.server.host.key.algorithms | ssh-dss,ssh-dsa,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
nsso.server.encryption.algorithms | aes192-cbc,aes128-ctr,aes128-cbc,blowfish-cbc,3des-cbc,aes256-cbc,aes192-ctr,aes256-ctr
nsso.server.mac.algorithms | hmac-md5-96,hmac-sha1,hmac-sha1-96,hmac-md5
nsso.client.kex.algorithms | diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,ecdh-sha2-nistp521,ecdh-sha2-nistp384,diffie-hellman-group-exchange-sha1
nsso.client.host.key.algorithms | ssh-dss,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
nsso.client.encryption.algorithms | aes192-cbc,aes128-ctr,aes128-cbc,blowfish-cbc,3des-cbc,aes256-cbc,aes192-ctr,aes256-ctr
nsso.client.mac.algorithms | hmac-md5-96,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-sha2-512,hmac-sha2-256
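Because the available values include several legacy names (SHA-1 and MD5 MACs, CBC ciphers, 1024-bit group1 key exchange, DSA host keys), it helps to review an edited file before it takes effect. The script below is an added example, not Kron PAM code: it parses the comma-separated algorithm lists of the nsso.* keys from a constructed nsso.properties sample, reports the entries this example classifies as legacy (that classification is the example's own assumption, to be adjusted to local policy), and prints each list with those entries removed.

```python
# Added example (not Kron PAM code): audit the comma-separated SSH Proxy algorithm
# lists in nsso.properties and flag legacy entries before an edit takes effect.
import re
from typing import Dict, List

# Constructed sample; in practice read /u01/nssoapp/conf/nsso.properties instead.
SAMPLE_PROPERTIES = """\
# SSH Proxy algorithms (constructed sample)
nsso.server.kex.algorithms=diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
nsso.server.host.key.algorithms=rsa-sha2-256,rsa-sha2-512,ssh-dss
nsso.server.encryption.algorithms = aes256-ctr, aes128-ctr, 3des-cbc
nsso.server.mac.algorithms=hmac-sha2-256,hmac-md5-96
nsso.client.kex.algorithms=ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
nsso.client.mac.algorithms=hmac-sha2-512,hmac-sha1
"""

ALGO_KEY = re.compile(
    r"^(nsso\.(?:server|client)\.(?:kex|host\.key|encryption|mac)\.algorithms)\s*=\s*(.*)$")
# Example policy (an assumption, not Kron's): SHA-1/MD5 based names (group1 and
# group14 included), CBC modes, Blowfish and 3DES, DSA host keys, ssh-rsa (SHA-1).
WEAK_PATTERNS = [re.compile(p) for p in (
    r"sha1", r"md5", r"-cbc$", r"^(blowfish|3des)-", r"^ssh-ds[as]$", r"^ssh-rsa$")]

def parse_algorithm_lists(text: str) -> Dict[str, List[str]]:
    """Return {property key: [algorithm names]}; whitespace around commas is tolerated."""
    lists: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = ALGO_KEY.match(line.strip())
        if m:  # commented-out lines start with '#' and never match the key pattern
            lists[m.group(1)] = [a.strip() for a in m.group(2).split(",") if a.strip()]
    return lists

def is_weak(algorithm: str) -> bool:
    return any(p.search(algorithm) for p in WEAK_PATTERNS)

def audit(text: str) -> Dict[str, List[str]]:
    """Return {property key: [weak algorithms enabled]}; keys with none are omitted."""
    lists = parse_algorithm_lists(text).items()
    return {k: w for k, a in lists if (w := [x for x in a if is_weak(x)])}

def hardened_lines(text: str) -> List[str]:
    """Each list rewritten without its weak entries, ready to paste back; a list
    that would become empty is left unchanged so the proxy keeps a working set."""
    out = []
    for key, algos in parse_algorithm_lists(text).items():
        kept = [a for a in algos if not is_weak(a)] or algos
        out.append(f"{key}={','.join(kept)}")
    return out
```

Run `audit(SAMPLE_PROPERTIES)` to list the flagged entries per key and `hardened_lines(SAMPLE_PROPERTIES)` for the cleaned lines; note that the server kex list stays unchanged because every entry in it is flagged.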

Running Scripts at The Beginning of an SSH Session

In some use cases, running automated commands at the beginning of the SSH session may be necessary.

For example, the end user may be required to start an SSH session with an account that has restricted access. In this case, a privilege escalation script can be written using the auth-script feature.

In this way, even though that particular account isn't allowed to reach the device over SSH, the end user is connected to the device in the background with another account's credentials (via a global username or SAPM). Then, because the script has run, the end user can use the restricted account's privileged commands on that device over SSH.

To use this feature, an authScript property key is defined at the Device Group level and the defined script runs on the target SSH device at the beginning of the end user's SSH session.

Device Groups Properties Information

Accounts on SAPM can also be used in the script. The following format is used for this:

${sapm:<Username of SAPM Account>}

This allows all devices in the device group to use their own SAPM account password.

Device Group level property keys apply to all of the devices in it.