
SSH Proxy Encryption and Key Exchange Algorithms


SSH, or Secure Shell, provides a mechanism to establish a cryptographically secured connection between two parties, authenticating each side to the other and passing commands and output back and forth. To secure the transmission of information, SSH employs several different data manipulation techniques at various points in the transaction.

System admins can configure the SSH Proxy to enable or disable key exchange and authentication algorithms used between the user and the SSH Proxy. To configure the SSH Proxy for available key exchange and authentication algorithms:

  1. Establish an SSH connection to the Kron PAM server.
  2. Set the required parameters in /u01/nssoapp/conf/nsso.properties with the commands below. Multiple values can be used when separated with a comma “,”.

         cd /u01/nssoapp/conf/
         vi nsso.properties

  3. Add/edit the following parameters with the vi editor.

All algorithms supported by SSH Proxy both on the server and client side are shown in the table below.

By default, only the algorithms considered secure are enabled at the time of installation. Therefore, we recommend proceeding with caution when considering changes to the parameters in nsso.properties.

| Parameter | Available Values |
| --- | --- |
| nsso.server.kex.algorithms | diffie-hellman-group1-sha1,diffie-hellman-group14-sha1 |
| nsso.server.host.key.algorithms | ssh-dss,ssh-dsa,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521 |
| nsso.server.encryption.algorithms | aes192-cbc,aes128-ctr,aes128-cbc,blowfish-cbc,3des-cbc,aes256-cbc,aes192-ctr,aes256-ctr |
| nsso.server.mac.algorithms | hmac-md5-96,hmac-sha1,hmac-sha1-96,hmac-md5 |
| nsso.client.kex.algorithms | diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,ecdh-sha2-nistp521,ecdh-sha2-nistp384,diffie-hellman-group-exchange-sha1 |
| nsso.client.host.key.algorithms | ssh-dss,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521 |
| nsso.client.encryption.algorithms | aes192-cbc,aes128-ctr,aes128-cbc,blowfish-cbc,3des-cbc,aes256-cbc,aes192-ctr,aes256-ctr |
| nsso.client.mac.algorithms | hmac-md5-96,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-sha2-512,hmac-sha2-256 |
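
A change to these lists can be reviewed before it is saved. The Python script below is an added example, not Kron PAM code: it parses text in the nsso.properties layout and reports every enabled algorithm that a local policy treats as legacy. The policy table, the function names, the sample content and the assumption that the file uses plain `key=value` lines are all choices made for this example.

```python
import re
# Example policy (an assumption, not the vendor's list): name -> why it is legacy.
LEGACY = {
    "diffie-hellman-group1-sha1": "1024-bit DH group, SHA-1 hash",
    "diffie-hellman-group14-sha1": "SHA-1 exchange hash",
    "diffie-hellman-group-exchange-sha1": "SHA-1 exchange hash",
    "ssh-dss": "DSA host key signed with SHA-1",
    "ssh-rsa": "RSA signature over SHA-1",
    "3des-cbc": "64-bit block cipher in CBC mode",
    "blowfish-cbc": "64-bit block cipher in CBC mode",
    "hmac-md5": "MD5-based MAC",
    "hmac-md5-96": "MD5-based MAC truncated to 96 bits",
    "hmac-sha1-96": "SHA-1 MAC truncated to 96 bits",
}
PARAM = re.compile(r"nsso\.(server|client)\.(kex|host\.key|encryption|mac)\.algorithms")

def parse_algorithms(text):
    """Return {parameter: [algorithm, ...]} for the SSH Proxy algorithm keys."""
    params = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        key = key.strip()
        # Comment lines (# or !) and unrelated keys never match PARAM.
        if sep and PARAM.fullmatch(key):
            params[key] = [a.strip() for a in value.split(",") if a.strip()]
    return params

def audit(text):
    """Return (parameter, algorithm, reason) for each legacy algorithm enabled."""
    findings = []
    for param, algorithms in parse_algorithms(text).items():
        for alg in algorithms:
            # Exact policy match first, then a generic rule for remaining CBC ciphers.
            why = LEGACY.get(alg) or ("CBC mode cipher" if alg.endswith("-cbc") else None)
            if why:
                findings.append((param, alg, why))
    return findings

# Constructed sample content, not a real configuration.
SAMPLE = """\
# SSH Proxy algorithms
nsso.server.kex.algorithms=diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
nsso.server.encryption.algorithms=aes128-ctr,3des-cbc,aes256-cbc
nsso.client.mac.algorithms=hmac-sha2-256,hmac-md5
nsso.other.setting=ssh-dss
"""

if __name__ == "__main__":
    for param, alg, why in audit(SAMPLE):
        print(f"{param}: {alg} ({why})")
```

To check a real file, pass the contents of /u01/nssoapp/conf/nsso.properties to `audit()` and adjust `LEGACY` to match the organization's own cryptographic policy.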