Configure SSH Cipher Suites

Options in the Cryptography dialog box let you configure the subset of algorithms (key exchange, cipher, hash, compression, and server host key) that PAM uses for SSH connections to managed devices.
The SSH protocol is standardized by the Internet Engineering Task Force (IETF). Its architecture [RFC 4251] consists of three primary components: the Transport Layer Protocol [RFC 4253], the User Authentication Protocol [RFC 4252], and the Connection Protocol [RFC 4254]. The default Privileged Access Manager SSH algorithm selection follows NIST SP 800-131A for approved algorithms and key lengths and NIST SP 800-57 Part 3 for SSH-specific guidance.
The default algorithms shown in PAM are listed in negotiation priority order, balancing performance against security. Under RFC 4253 section 7.1, the algorithm chosen for a connection is the first one in the client's list that the server also supports, so the order of each list matters: keep strong algorithms at the front and add legacy ones only at the end. To manage legacy target systems that have not yet been updated to modern algorithms, the Cryptography dialog box also lets you enable older, weaker key exchange (KEX), cipher, and HMAC algorithms. Enabling them weakens the protection of every SSH session that negotiates them, increasing the impact of a potential breach, and can put the deployment out of compliance with standards and legislation such as PCI DSS and FISMA. Communicate this risk to the responsible IT administrators in your organization before downgrading.
In FIPS mode, PAM does not automatically restrict the SSH algorithm selection. To remain compliant, keep the default algorithms.
Make changes in the Cryptography dialog box on an established cluster. Changes can take a minute or longer to replicate, depending on network conditions. Changes made on a standalone node are not replicated to a cluster member that is added afterward.
When a policy uses the sftpsftpemb service, at least one of the following hash algorithms must be enabled in the SSH Proxy: hmac-sha1, hmac-sha1-96, or hmac-md5.
To configure SSH Cipher Suites, follow these steps:
  1. Go to Configuration, Security, Cryptography.
  2. Determine the security algorithms that are appropriate for your system. By default, the Default option is selected. The default algorithms in each category (Cipher, Hash, Key Exchange, Compression, and Server Host Key) are considered to provide appropriate security for SSH connections. Depending on the devices you manage, you may need to add other, less secure algorithms.
  3. To select algorithms other than the defaults, clear the Default option and select the eye icon to the right of each text box. A window lists all the supported algorithms for that category. Copy the algorithms you need into the text box, in the order you want PAM to offer them.
  4. Select Update when you have completed your selection.