SSH Proxy
SSH Proxy Encryption and Key Exchange Algorithms
SSH, or Secure Shell, provides a mechanism to establish a cryptographically secured connection between two parties, authenticating each side to the other and passing commands and output back and forth. In order to secure the transmission of information, SSH employs a number of different data-manipulation techniques at various points in the transaction.

System administrators can configure the SSH proxy to enable or disable the key exchange and authentication algorithms used between the user and the SSH proxy.

To configure the key exchange and authentication algorithms available on the SSH proxy:

1. Establish an SSH connection to the Single Connect server.
2. Set the required parameters in /u01/nssoapp/conf/nsso.properties with the commands below. Multiple values can be given when separated with a comma (",").

cd /u01/nssoapp/conf/
vi nsso.properties

3. Add or edit the following parameters with the vi editor.

All algorithms supported by the SSH proxy, on both the server and the client side, are shown in the table below. By default, only the algorithms considered secure for the near future are enabled at installation time; therefore, we recommend proceeding with caution when changing the nsso.properties parameters. The key names below are written in dotted properties-file form; that spelling is assumed, so verify it against the shipped nsso.properties before editing.

Parameter                           Available values
nsso.server.kex.algorithms          diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
nsso.server.host.key.algorithms     ssh-rsa
nsso.server.encryption.algorithms   aes192-cbc,aes128-ctr,aes128-cbc,blowfish-cbc,3des-cbc,aes256-cbc,aes192-ctr,aes256-ctr
nsso.server.mac.algorithms          hmac-md5-96,hmac-sha1,hmac-sha1-96,hmac-md5
nsso.client.kex.algorithms          diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,ecdh-sha2-nistp521,ecdh-sha2-nistp384,diffie-hellman-group-exchange-sha1
nsso.client.host.key.algorithms     ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384
nsso.client.encryption.algorithms   aes192-cbc,aes128-ctr,aes128-cbc,blowfish-cbc,3des-cbc,aes256-cbc,aes192-ctr,aes256-ctr
nsso.client.mac.algorithms          hmac-md5-96,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-sha2-512,hmac-sha2-256

Running Scripts at the Beginning of an SSH Session

In some use cases, it may be necessary to run automated commands at the beginning of the SSH session. As an example of one such scenario, the end user may be required to use an account with restricted access to start an SSH session. In this case, a privilege escalation script can be written using the auth script feature. In this way, even though that particular account is not allowed to reach the device over the SSH protocol, the end user is connected to the device with another account's credentials in the background (via global username or SAPM); then, because the script runs, the end user is able to use the restricted account's privileged commands on that device over SSH.

To use this feature, an authscript property key is defined at the device group level, and the defined script runs on the target SSH device at the beginning of the end user's SSH session. Accounts on SAPM can also be used in the script, with the following format:

${sapm <username of SAPM account>}

This allows every device in the device group to use its own SAPM account password. Property keys defined at the device group level apply to all devices in that group.
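As an added example (not code from this guide or the product), the following Python script parses an nsso.properties-style file, checks each algorithm list against the table above so that typos and unsupported names are caught before the proxy is restarted, and flags choices a reviewer would want justified before enabling them. The dotted key names, the weak-algorithm list and the sample file content are assumptions.

```python
import re
# Every value the table above lists per parameter; server and client share one cipher list.
CIPHERS = {"aes192-cbc", "aes128-ctr", "aes128-cbc", "blowfish-cbc", "3des-cbc", "aes256-cbc", "aes192-ctr", "aes256-ctr"}
SUPPORTED = {  # dotted key spelling is assumed; verify against the shipped nsso.properties
    "nsso.server.kex.algorithms": {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"},
    "nsso.server.host.key.algorithms": {"ssh-rsa"},
    "nsso.server.encryption.algorithms": CIPHERS,
    "nsso.server.mac.algorithms": {"hmac-md5-96", "hmac-sha1", "hmac-sha1-96", "hmac-md5"},
    "nsso.client.kex.algorithms": {"diffie-hellman-group-exchange-sha256", "diffie-hellman-group-exchange-sha1",
                                   "diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
                                   "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"},
    "nsso.client.host.key.algorithms": {"ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256",
                                        "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"},
    "nsso.client.encryption.algorithms": CIPHERS,
    "nsso.client.mac.algorithms": {"hmac-md5-96", "hmac-sha1", "hmac-sha1-96", "hmac-md5",
                                   "hmac-sha2-512", "hmac-sha2-256"},
}
# Editorial weak list (not the guide's): 1024-bit DH group1, SHA-1 group exchange, DSA host keys, MD5/truncated MACs, Blowfish, 3DES, CBC.
WEAK = re.compile(r"group1-|group-exchange-sha1$|^ssh-dss$|md5|sha1-96$|blowfish|3des|-cbc$")

def parse_properties(text):
    """Minimal key=value parser for a Java-style .properties file ('#' or '!' starts a comment)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit(text):
    """Return {key: {"unsupported": [...], "weak": [...]}} for each algorithm key present."""
    findings = {}
    for key, value in parse_properties(text).items():
        if key in SUPPORTED:
            algs = [a.strip() for a in value.split(",") if a.strip()]
            findings[key] = {"unsupported": [a for a in algs if a not in SUPPORTED[key]],
                             "weak": [a for a in algs if WEAK.search(a)]}
    return findings

SAMPLE = """# constructed sample, not a real nsso.properties file
nsso.server.kex.algorithms = diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
nsso.server.encryption.algorithms=aes256-ctr,aes128-ctr,3des-cbc
nsso.server.mac.algorithms=hmac-sha1,hmac-md5
nsso.client.host.key.algorithms=ssh-rsa,ecdsa-sha2-nistp256,rsa-sha2-256
"""

if __name__ == "__main__":
    for key, f in audit(SAMPLE).items():
        print(f"{key}: unsupported={f['unsupported']} weak={f['weak']}")
```

Run it against a copy of the real file before editing in vi; an entry reported as unsupported would be silently ignored or rejected by the proxy rather than enabled.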