On the Connections and Encryption page, you can create connection rules that restrict connections based on various selectors. You can also set the ciphers, MACs and KEXs used for the connections.
The selectors define which connections a connection rule applies to. The order of the rules is important. The first matching rule is used and the remaining rules are ignored.
If no selectors (or only empty selectors) are specified in a connection rule, the rule matches all connections. In the simple GUI mode, there is only one connection rule that is used for all connections.
If a connection does not match any of the selectors in the connection rules, the connection is allowed with the server default connection settings.
To add a new connection rule, click the Add button below the tree view. Each rule will have a sub-page with two tabs. On the Selectors tab, you can edit the selectors of the rule and define whether the connection is allowed or denied, and on the Parameters tab, you can configure the settings for the rule.
To edit a connection rule, select a connection item on the tree view. For more information, see Editing Connection Rules.
To change the order of the rules, select a connection item on the tree view and use the Up and Down buttons. The rules are read in order, and the first matching connection rule on the list is used.
To delete a connection rule, select a connection item and click Delete.
Each item under Connections and Encryption has two tabs, Selectors and Parameters. The Selectors tab is shown only in the advanced GUI mode.
On the Selectors tab, you can configure the selectors that apply to the connection rule and define whether the connection is allowed or denied.
Enter a name for the connection rule.
The selector list view shows the selectors that apply to the rule.
To add a new selector to the rule, click Add Selector. The Add Selector dialog box opens, allowing you to specify the selector type; the new selector will automatically contain at least one attribute. For more information on the different selector attributes, see Editing Selectors.
Only the Interface and IP selector attributes are relevant for connection rules. For example, the user name is not yet available when the connection rules are processed. For more information, see Using Selectors in Configuration File.
To remove a selector, choose the selector from the list view on the Selectors tab and click Delete Selector. This will delete the selector and all its attributes.
To add a new attribute to a selector, choose a selector from the list and click Add Attribute. The Add Selector dialog box opens. For more information on the different selector attributes, see Editing Selectors.
To edit a selector attribute, choose the attribute from the list and click Edit Attribute. The relevant selector dialog box opens. For more information on the different selector attributes, see Editing Selectors.
To remove a selector attribute, choose the attribute from the list and click Delete Attribute. Note that a selector with no attributes will match everything.
Select whether the connection is allowed or denied.
If you select to deny the connection, the Parameters tab is disabled.
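The rule-evaluation behaviour described above (first matching rule wins, a selector with no attributes matches everything, a rule with no selectors matches all connections, and a connection matching no rule is allowed with server defaults) modelled as an added example. This is not Tectia code; it assumes that the attributes inside one selector must all match and that the selectors of a rule are alternatives, and it simplifies the IP attribute to an address or CIDR network.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Selector:
    interface: Optional[str] = None   # listener interface id (constructed, e.g. "admin")
    ip: Optional[str] = None          # client address or CIDR network (simplification)

    def matches(self, conn: dict) -> bool:
        # Every attribute that is set must match; a selector with no
        # attributes therefore matches everything.
        if self.interface is not None and conn["interface"] != self.interface:
            return False
        if self.ip is not None:
            net = ipaddress.ip_network(self.ip, strict=False)
            if ipaddress.ip_address(conn["ip"]) not in net:
                return False
        return True

@dataclass
class Rule:
    name: str
    action: str                       # "allow" or "deny"
    selectors: List[Selector] = field(default_factory=list)

    def matches(self, conn: dict) -> bool:
        if not self.selectors:        # no selectors: the rule matches all connections
            return True
        return any(s.matches(conn) for s in self.selectors)   # assumed OR semantics

def evaluate(rules: List[Rule], conn: dict) -> Tuple[str, Optional[str]]:
    """Return (action, rule name) of the first matching rule in list order.
    A connection matching no rule is allowed with server default settings."""
    for rule in rules:
        if rule.matches(conn):
            return rule.action, rule.name
    return "allow", None

# Constructed sample rule set; order is significant.
RULES = [
    Rule("admin-net", "allow", [Selector(interface="admin", ip="10.0.0.0/24")]),
    Rule("block-guest", "deny", [Selector(ip="192.168.100.0/24")]),
    Rule("catch-all", "allow"),       # no selectors: matches everything after it
]
```

Reversing RULES puts catch-all first, so the deny rule is never reached, which is exactly why the Up and Down buttons matter.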
On the Parameters tab, you can configure the allowed ciphers, MACs, host key algorithms and KEXs for the connection.
Select this check box to send keepalive messages to the other side. When they are sent, a broken connection or a crash of one of the machines is noticed properly. This also means that connections will die if the route is temporarily down.
Specify the number of Seconds or transferred Bytes after which the key exchange is done again.
If a value for both Seconds and Bytes is specified, rekeying is done whenever one of the values is reached, after which the counters are reset.
The defaults are 3600 seconds (1 hour) and 1000000000 bytes (~1 GB). The value 0 (zero) turns rekey requests off. This does not prevent the client from requesting rekeys.
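The rekey trigger semantics above (rekey when either limit is reached, both counters reset afterwards, 0 disables a trigger), written out as an added example. This is a model for illustration, not Tectia's implementation; the counters and defaults are the ones the page states.

```python
class RekeyTracker:
    """Tracks elapsed seconds and transferred bytes for one connection and
    reports when the server should request a rekey."""

    def __init__(self, seconds: int = 3600, nbytes: int = 1000000000):
        self.limit_seconds = seconds    # 0 disables the time trigger
        self.limit_bytes = nbytes       # 0 disables the byte trigger
        self.elapsed = 0
        self.transferred = 0

    def record(self, nbytes: int, elapsed_seconds: int) -> bool:
        """Account for traffic and time; return True when a rekey is due.
        Reaching either limit triggers a rekey and resets both counters."""
        self.transferred += nbytes
        self.elapsed += elapsed_seconds
        bytes_due = self.limit_bytes > 0 and self.transferred >= self.limit_bytes
        time_due = self.limit_seconds > 0 and self.elapsed >= self.limit_seconds
        if bytes_due or time_due:
            self.transferred = 0
            self.elapsed = 0
            return True
        return False

def rekeys_for_session(tracker: RekeyTracker, chunks) -> int:
    """Count the rekeys a sequence of (bytes, seconds) chunks would cause."""
    return sum(1 for nbytes, secs in chunks if tracker.record(nbytes, secs))
```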
Under Encryption, select the Ciphers, MACs, Host key algorithms and KEXs allowed for the connection from the list. To deselect an already selected algorithm, click on it again.
The default ciphers, MACs, host key algorithms and KEXs are marked in the list initially with a gray background.
Tectia proprietary algorithms are marked with (Tectia) and are operable with Tectia products only. They correspond to the algorithms that end with @ssh.com in the server configuration file.
The following ciphers are supported (the ones allowed by default are written in bold):
AES-128-CBC
AES-128-CTR
AES-192-CBC
AES-192-CTR
AES-256-CBC
AES-256-CTR
3DES
CryptiCore (Tectia)
SEED
Arcfour
Blowfish
Twofish
Twofish-128
Twofish-192
Twofish-256
AEAD_AES_128_GCM
AEAD_AES_256_GCM
aes128-gcm (OpenSSH)
aes256-gcm (OpenSSH)
The ciphers that can operate in the FIPS mode are 3DES and both the CBC-mode and CTR-mode AES-128, AES-192, and AES-256.
The following MACs are supported (the ones allowed by default are written in bold):
CryptiCore (Tectia)
HMAC-SHA1
HMAC-SHA1-96
HMAC-MD5
HMAC-MD5-96
HMAC-SHA2-256
HMAC-SHA256-2 (Tectia)
HMAC-SHA224 (Tectia)
HMAC-SHA256 (Tectia/Old)
HMAC-SHA384 (Tectia)
HMAC-SHA2-512
HMAC-SHA512 (Tectia)
HMAC-SHA1-ETM (OpenSSH)
HMAC-SHA1-96-ETM (OpenSSH)
HMAC-SHA2-256-ETM (OpenSSH)
HMAC-SHA2-512-ETM (OpenSSH)
HMAC-MD5-ETM (OpenSSH)
HMAC-MD5-96-ETM (OpenSSH)
All the HMAC-SHA (both HMAC-SHA1 and HMAC-SHA2) algorithm variants listed above can operate in the FIPS mode.
The following host key algorithms are supported (the ones allowed by default are written in bold):
rsa-sha2-256
rsa-sha2-512
ssh-dss
ssh-rsa
ssh-dss-cert-v01 (OpenSSH)
ssh-rsa-cert-v01 (OpenSSH)
ssh-dss-sha224 (Tectia)
ssh-dss-sha256 (Tectia)
ssh-dss-sha384 (Tectia)
ssh-dss-sha512 (Tectia)
ssh-rsa-sha224 (Tectia)
ssh-rsa-sha256 (Tectia)
ssh-rsa-sha384 (Tectia)
ssh-rsa-sha512 (Tectia)
rsa-sha2-256-cert-v01 (OpenSSH)
rsa-sha2-512-cert-v01 (OpenSSH)
x509v3-ssh-dss
x509v3-ssh-rsa
x509v3-ssh-rsa2048-sha256
x509v3-sign-dss
x509v3-sign-rsa
x509v3-sign-dss-sha224 (Tectia)
x509v3-sign-dss-sha256 (Tectia)
x509v3-sign-dss-sha384 (Tectia)
x509v3-sign-dss-sha512 (Tectia)
x509v3-sign-rsa-sha224 (Tectia)
x509v3-sign-rsa-sha256 (Tectia)
x509v3-sign-rsa-sha384 (Tectia)
x509v3-sign-rsa-sha512 (Tectia)
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
ecdsa-sha2-nistp256-cert-v01 (OpenSSH)
ecdsa-sha2-nistp384-cert-v01 (OpenSSH)
ecdsa-sha2-nistp521-cert-v01 (OpenSSH)
x509v3-ecdsa-sha2-nistp256
x509v3-ecdsa-sha2-nistp384
x509v3-ecdsa-sha2-nistp521
ssh-ed25519
ssh-ed25519-cert-v01 (OpenSSH)
The following KEX methods are supported (the ones allowed by default are written in bold):
DH-Group1-SHA1
DH-Group14-SHA1
DH-Group14-SHA224 (Tectia)
DH-Group14-SHA256 (Tectia)
DH-Group14-SHA256
DH-Group15-SHA256 (Tectia)
DH-Group15-SHA384 (Tectia)
DH-Group16-SHA384 (Tectia)
DH-Group16-SHA512 (Tectia)
DH-Group16-SHA512
DH-Group18-SHA512 (Tectia)
DH-Group18-SHA512
DH-GEX-SHA256
DH-GEX-SHA1
DH-GEX-SHA224 (Tectia)
DH-GEX-SHA384 (Tectia)
DH-GEX-SHA512 (Tectia)
ECDH-NISTP256
ECDH-NISTP384
ECDH-NISTP521
Curve25519-sha256 (OpenSSH)
Curve25519-sha256
All the supported KEXs can operate in the FIPS mode on Windows. For more information on the FIPS-Certified Cryptographic Library, see Cryptographic library.