ssh

ssh

disable-ciphers {aes-cbc | aes-ctr}

disable-kex

disable-mac {hmac-sha1 | hmac-sha1-96}

disable_dsa

mgmt-auth {public-key [username/password]|username/password [public-key]}

Description

This command configures SSH access to a Mobility Conductor. Public key authentication is supported using an X.509 certificate issued to the management client. If you specify public-key authentication, you need to load the client X.509 certificate into Mobility Conductor and configure certificate authentication for the management user with the mgmt-user ssh-pubkey command.

The SSH authentication supports hmac-sha1, hmac-sha1-96, and hmac-sha2-256 by default. The hmac-sha2-256 parameter cannot be disabled.

Parameter

Description

disable-ciphers

Disables cipher authentication for SSH. Specify the cipher to be disabled.

aes-cbc

Disables AES-CBC authentication for SSH. This parameter enables the aes-ctr encryption.

aes-ctr

Disables AES-CTR authentication for SSH. This parameter enables the aes-cbc encryption.

disable-kex

Disables key exchange algorithm for SSH authentication.

disable-mac

Disables Message Authentication Code algorithm for SSH authentication.

hmac-sha1

Disables HMAC-SHA1 authentication for SSH.

Starting from ArubaOS 8.6.0.5, the ssh disable-mac hmac-sha1 command disables HMAC-SHA1 authentication and enables HMAC-SHA1-96 and HMAC-SHA2-256 authentication.

hmac-sha1-96

Disables HMAC-SHA1-96 authentication for SSH.

Starting from ArubaOS 8.6.0.5, the ssh disable-mac hmac-sha1-96 command disables HMAC-SHA1-96 authentication and enables HMAC-SHA1 and HMAC-SHA2-256 authentication.

hmac-sha1 hmac-sha1-96 | hmac-sha1-96 hmac-sha1

Disables HMAC-SHA1 and HMAC-SHA1-96 authentication for SSH.

disable_dsa

Disables DSA authentication for SSH. Only RSA authentication is used.

mgmt-auth

Configures the authentication method for the management user. You can specify a username and password only, public key only, or both username and password and public key.

Username for SSH login.

IPv4 or IPv6 address of the remote machine.

Example

The following command configures SSH access using public key authentication only:

(host) [mynode] (config) #ssh mgmt-auth public-key

mgmt-user ssh-pubkey client-cert ssh-pubkey cli-admin root

The following command enables AES-CBC and disables AES-CTR on the SSH server:

(host) [md] (config) #ssh disable-ciphers aes-ctr

The following command enables both the cipher encryptions on the SSH server:

(host) [md] (config) #no ssh disable-ciphers

The following command disables HMAC-SHA1-96 on the SSH server:

(host) [md] (config) #ssh disable-mac hmac-sha1-96

The following command disables HMAC-SHA1 and HMAC-SHA1-96 on the SSH server:

(host) [md] (config) #ssh disable-mac hmac-sha1 hmac-sha1-96

The following command disables all dh key exchange algorithms on the SSH server:

(host) [md] (config) #ssh disable-kex dh
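To confirm from the network side that the disable commands above took effect, the check below parses the algorithm lists an SSH server advertises in its SSH_MSG_KEXINIT message (RFC 4253, section 7.1) and reports anything that was meant to be disabled but is still offered. It is an added example, not part of the ArubaOS documentation; the keyword-to-wire-name mapping, the function names and the sample payload are assumptions constructed for illustration.

```python
FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

# ASSUMED mapping: CLI keyword -> (KEXINIT name-list, test on the SSH wire name).
RULES = {
    "aes-cbc":      ("enc_s2c", lambda n: n.startswith("aes") and n.endswith("-cbc")),
    "aes-ctr":      ("enc_s2c", lambda n: n.startswith("aes") and n.endswith("-ctr")),
    "hmac-sha1":    ("mac_s2c", lambda n: n == "hmac-sha1"),
    "hmac-sha1-96": ("mac_s2c", lambda n: n == "hmac-sha1-96"),
    "dh":           ("kex",     lambda n: n.startswith("diffie-hellman-")),
}

def parse_kexinit(payload):
    """Split an SSH_MSG_KEXINIT payload (RFC 4253, section 7.1) into its name-lists."""
    if len(payload) < 17 or payload[0] != 20:        # 20 = SSH_MSG_KEXINIT
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, lists = 17, {}                              # skip type byte + 16-byte cookie
    for field in FIELDS:
        size = int.from_bytes(payload[pos:pos + 4], "big")
        names = payload[pos + 4:pos + 4 + size]
        if pos + 4 + size > len(payload):            # also catches a short length field
            raise ValueError("truncated %s name-list" % field)
        lists[field] = names.decode("ascii").split(",") if names else []
        pos += 4 + size
    return lists

def still_offered(payload, disabled):
    """Map each keyword in `disabled` to the wire names the server still advertises."""
    lists = parse_kexinit(payload)
    hits = {k: [n for n in lists[RULES[k][0]] if RULES[k][1](n)] for k in disabled}
    return {k: v for k, v in hits.items() if v}

def build_kexinit(lists):
    """Build a CONSTRUCTED sample payload so the check runs offline."""
    body = bytes([20]) + bytes(16)                   # message type + zeroed cookie
    for field in FIELDS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        body += len(names).to_bytes(4, "big") + names
    return body + bytes(5)                           # first_kex_packet_follows + reserved

# CONSTRUCTED sample: a server where only `ssh disable-ciphers aes-cbc` was applied.
SAMPLE = build_kexinit({
    "kex": ["ecdh-sha2-nistp256", "diffie-hellman-group14-sha1"],
    "enc_s2c": ["aes128-ctr", "aes256-ctr"],
    "mac_s2c": ["hmac-sha1", "hmac-sha1-96", "hmac-sha2-256"],
})
```

An empty result from `still_offered` means none of the listed keywords is advertised any longer; the `show ssh` command gives the device-side view of the same settings.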

Related Commands

Command

Description

show ssh

Displays the SSH configuration details.

Command History

Release

Modification

ArubaOS 8.10.0.0

Command modified to allow disabling key exchange algorithms. The key exchange algorithms can be disabled using the disable-kex parameter.

ArubaOS 8.7.0.0

Command modified to introduce SHA-2 authentication. The hmac-sha1 and hmac-sha1-96 parameters can be disabled using the disable-mac parameter.

ArubaOS 8.3.0.0

The following parameters are introduced to configure cipher and MAC authentication:

  • disable-ciphers
  • disable-mac

ArubaOS 8.0.0.0

Command introduced.

Command Information

Platforms

License

Command Mode

All platforms

Base operating system.

Config mode on Mobility Conductor.