SSH

Host Keys

To enable elliptic curve host keys for Tectia Client, add the ECDSA host-key algorithms (remove any algorithms you do not wish to allow) within the <hostkey-algorithms> element below any <kexs> element of your ssh-broker-config.xml. If the <kexs> section does not exist, you can place the <hostkey-algorithms> element above the <authentication-methods> element.

...
</kexs>

<hostkey-algorithms>
  <hostkey-algorithm name="ecdsa-sha2-nistp256" />
  <hostkey-algorithm name="ecdsa-sha2-nistp384" />
  <hostkey-algorithm name="ecdsa-sha2-nistp521" />
  <hostkey-algorithm name="ssh-dss" />
  <hostkey-algorithm name="ssh-rsa" />
  <hostkey-algorithm name="ssh-dss-sha256@ssh.com" />
  <hostkey-algorithm name="ssh-rsa-sha256@ssh.com" />
  <hostkey-algorithm name="x509v3-sign-dss" />
  <hostkey-algorithm name="x509v3-sign-rsa" />
  <hostkey-algorithm name="x509v3-sign-dss-sha256@ssh.com" />
  <hostkey-algorithm name="x509v3-sign-rsa-sha256@ssh.com" />
</hostkey-algorithms>

<authentication-methods>
...
Note

To enable ECDSA host keys for X.509, also add the following hostkey-algorithm names: x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384, x509v3-ecdsa-sha2-nistp521.
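The following script is an added example for checking the configuration described above; it is not part of the Tectia documentation or product. It parses a broker configuration, reports which ECDSA host-key algorithms are enabled or missing, lists the legacy SHA-1 signature algorithms (ssh-rsa, ssh-dss and their x509v3-sign forms) that remain allowed, and verifies the placement rule from the text: <hostkey-algorithms> after <kexs> when that element exists, and before <authentication-methods>. The root element name and the <kex> and <auth-publickey> elements in the constructed sample are assumptions made for the example, not taken from the page.

```python
"""Check the <hostkey-algorithms> section of a Tectia ssh-broker-config.xml.

Added example, not from the Tectia documentation. It reports which ECDSA
host-key algorithms are enabled and which are missing, lists the legacy
SHA-1 signature algorithms that remain allowed, and checks the placement
rule from the text above: <hostkey-algorithms> goes after <kexs> when that
element exists, and before <authentication-methods>.
"""
import xml.etree.ElementTree as ET

ECDSA_ALGORITHMS = {
    "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521",
}
# ssh-rsa and ssh-dss (and their x509v3-sign-* forms) sign with SHA-1;
# the -sha256@ssh.com variants listed on the page are the SHA-256 forms.
LEGACY_SHA1_ALGORITHMS = {
    "ssh-dss", "ssh-rsa", "x509v3-sign-dss", "x509v3-sign-rsa",
}

# Constructed sample: the page's fragment wrapped in a root element so it
# parses as a complete document. The root element and the <kex> and
# <auth-publickey> elements are assumptions for this example.
SAMPLE_CONFIG = """<secsh-broker>
  <kexs>
    <kex name="diffie-hellman-group1-sha1" />
  </kexs>
  <hostkey-algorithms>
    <hostkey-algorithm name="ecdsa-sha2-nistp256" />
    <hostkey-algorithm name="ecdsa-sha2-nistp384" />
    <hostkey-algorithm name="ecdsa-sha2-nistp521" />
    <hostkey-algorithm name="ssh-dss" />
    <hostkey-algorithm name="ssh-rsa" />
    <hostkey-algorithm name="ssh-rsa-sha256@ssh.com" />
  </hostkey-algorithms>
  <authentication-methods>
    <auth-publickey />
  </authentication-methods>
</secsh-broker>
"""


def _parent_of(root, tag):
    """Return the element whose direct children include <tag>, or None."""
    for parent in root.iter():
        for child in parent:
            if child.tag == tag:
                return parent
    return None


def check_hostkey_config(xml_text):
    """Summarise the host-key algorithm settings in one configuration."""
    root = ET.fromstring(xml_text)
    parent = _parent_of(root, "hostkey-algorithms")
    if parent is None:
        return {"present": False}

    # Placement is judged among the siblings of <hostkey-algorithms>, so
    # the check also works when the elements sit inside a nested section.
    siblings = [child.tag for child in parent]
    hk_index = siblings.index("hostkey-algorithms")
    placement_ok = True
    if "kexs" in siblings and siblings.index("kexs") > hk_index:
        placement_ok = False  # must come below <kexs>
    if ("authentication-methods" in siblings
            and siblings.index("authentication-methods") < hk_index):
        placement_ok = False  # must come above <authentication-methods>

    hk = parent.find("hostkey-algorithms")
    enabled = [e.get("name") for e in hk.findall("hostkey-algorithm")]
    return {
        "present": True,
        "enabled": enabled,
        "ecdsa_enabled": sorted(ECDSA_ALGORITHMS & set(enabled)),
        "ecdsa_missing": sorted(ECDSA_ALGORITHMS - set(enabled)),
        "legacy_sha1": [a for a in enabled if a in LEGACY_SHA1_ALGORITHMS],
        "placement_ok": placement_ok,
    }


if __name__ == "__main__":
    for key, value in check_hostkey_config(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run it against the real file with `check_hostkey_config(open("ssh-broker-config.xml").read())`; an empty `legacy_sha1` list and an empty `ecdsa_missing` list is the outcome to aim for once the SHA-1 entries have been removed from the list.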

A test connection will look like this (the -vv option was used for basic debugging, and some noise was removed from the output):

$ sshg3 -vv root@192.51.100.1
2015-08-24 15:40:28: 6200 Broker_tcp_connect, Dst: 192.51.100.1, Dst Port: 22,
Src Port: 49189, Local username: johnd
2015-08-24 15:40:28: 1002 Algorithm_negotiation_success,
"kex_algorithm=diffie-hellman-group1-sha1, hostkey_algorithm=ecdsa-sha2-nistp256,
cipher=crypticore128@ssh.com/crypticore128@ssh.com,
mac=crypticore-mac@ssh.com/crypticore-mac@ssh.com, compression=none/none",
Session-Id: 31
2015-08-24 15:40:29: 6204 Broker_transport_connect, Dst: 192.51.100.1,
Dst Port: 22, Remote username: root, Src Port: 49189, Local username: johnd,
Session-Id: 31
2015-08-24 15:40:29: 1003 KEX_success, Algorithm: diffie-hellman-group1-sha1,
Modulus: 1024 bits, Session-Id: 31, Protocol-session-Id:
02A94DF2D6B4441C11E4E333E78E0C208728AE50
2015-08-24 15:40:29: 703 Auth_methods_available, Auth methods:
gssapi-with-mic,password,publickey,keyboard-interactive, Session-Id: 31
2015-08-24 15:40:29: 6303 Broker_userauth_method_failure, "publickey",
Session-Id: 31
root@192.51.100.1's password:
…
Server hostkey algorithm: ecdsa-sha2-nistp256
Server identity: 256 bit ecdsa key
SHA-1: bd6a1d45f262db8095ee5e6a2eb1c3fac7111d00
xozek-palag-hysak-dykym-byhev-velik-piror-cibiz-pycec-culyb-bexox
Authentication successful.
Last login: Mon Aug 24 2015 08:31:29 -0400 from 192.168.56.1
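The script below is an added example for checking a test connection like the one above; it is not part of the Tectia documentation or product. It reads the debug output, reassembles the Algorithm_negotiation_success record that the broker wraps across several lines, confirms that the negotiated host-key algorithm is one of the ecdsa-sha2 names, and compares the printed SHA-1 fingerprint with a value pinned beforehand (for instance the fingerprint recorded when the host key was generated). It also surfaces the size of the Diffie-Hellman modulus from the KEX_success record, because a 1024-bit exchange, as in the output above, is below current practice. The sample log is the page's output trimmed to the lines the check reads; the function names are the example's own.

```python
"""Verify a Tectia sshg3 -vv test connection from its debug output.

Added example, not from the Tectia documentation. It extracts the
negotiated host-key algorithm and key exchange from the
Algorithm_negotiation_success record (which the broker wraps across
several lines), reads the server identity block, and compares the
printed SHA-1 fingerprint with a value pinned in advance.
"""
import re

# Constructed sample: the page's connection output, trimmed to the lines
# this check reads.
SAMPLE_LOG = """\
2015-08-24 15:40:28: 1002 Algorithm_negotiation_success,
"kex_algorithm=diffie-hellman-group1-sha1, hostkey_algorithm=ecdsa-sha2-nistp256,
cipher=crypticore128@ssh.com/crypticore128@ssh.com,
mac=crypticore-mac@ssh.com/crypticore-mac@ssh.com, compression=none/none",
Session-Id: 31
2015-08-24 15:40:29: 1003 KEX_success, Algorithm: diffie-hellman-group1-sha1,
Modulus: 1024 bits, Session-Id: 31, Protocol-session-Id:
02A94DF2D6B4441C11E4E333E78E0C208728AE50
Server hostkey algorithm: ecdsa-sha2-nistp256
Server identity: 256 bit ecdsa key
SHA-1: bd6a1d45f262db8095ee5e6a2eb1c3fac7111d00
Authentication successful.
"""


def parse_negotiation(log_text):
    """Return the key=value fields of the Algorithm_negotiation_success record."""
    # Collapse line breaks so the quoted negotiation string becomes one line.
    flat = " ".join(line.strip() for line in log_text.splitlines())
    match = re.search(r'Algorithm_negotiation_success,\s*"([^"]*)"', flat)
    if not match:
        return {}
    fields = {}
    for part in match.group(1).split(","):
        key, _, value = part.strip().partition("=")
        if key:
            fields[key] = value
    return fields


def parse_server_identity(log_text):
    """Read the server identity block and the KEX modulus size."""
    info = {}
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("Server hostkey algorithm:"):
            info["hostkey_algorithm"] = line.split(":", 1)[1].strip()
        elif line.startswith("Server identity:"):
            info["identity"] = line.split(":", 1)[1].strip()
        elif line.startswith("SHA-1:"):
            info["sha1"] = line.split(":", 1)[1].strip().lower()
    match = re.search(r"Modulus:\s*(\d+)\s*bits", log_text)
    if match:
        info["kex_modulus_bits"] = int(match.group(1))
    return info


def verify_connection(log_text, pinned_sha1):
    """Check that ECDSA was negotiated and the fingerprint matches the pin."""
    neg = parse_negotiation(log_text)
    ident = parse_server_identity(log_text)
    problems, warnings = [], []
    hk = neg.get("hostkey_algorithm", "")
    if not hk.startswith("ecdsa-sha2-"):
        problems.append(f"host key algorithm is {hk or 'unknown'}, not ECDSA")
    if hk and ident.get("hostkey_algorithm") not in (None, hk):
        problems.append("negotiation record and server identity block disagree")
    if ident.get("sha1") != pinned_sha1.lower():
        problems.append("host key fingerprint does not match the pinned value")
    # The host key only authenticates the exchange it signs; a DH modulus
    # below 2048 bits, as in the page's output, is worth surfacing.
    bits = ident.get("kex_modulus_bits")
    if bits is not None and bits < 2048:
        warnings.append(f"key exchange used a {bits}-bit modulus")
    return {
        "hostkey_algorithm": hk,
        "kex_algorithm": neg.get("kex_algorithm"),
        "sha1": ident.get("sha1"),
        "kex_modulus_bits": bits,
        "ok": not problems,
        "problems": problems,
        "warnings": warnings,
    }


if __name__ == "__main__":
    result = verify_connection(SAMPLE_LOG, "bd6a1d45f262db8095ee5e6a2eb1c3fac7111d00")
    for key, value in result.items():
        print(f"{key}: {value}")
```

The fingerprint comparison is what turns the test connection into a verification rather than a connectivity check: without a pinned value, a successful login says only that some key was accepted, not that it was the server's own.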