Custom SSH Cipher Suites

Overview

You can configure a custom cipher suite and assign it to a site. That suite is then used for all SSH client and server operations for the site, including SSH proxy, SSH terminal, discovery, remote password change, heartbeat and SSH scripts. Within each algorithm list in the suite, entries are ordered by priority: during SSH negotiation the highest-priority algorithm that the remote side also supports is selected, and the lower entries serve as fallbacks. If no algorithm in a list is accepted by the remote side, the connection fails.

This feature requires Secret Server 11.3.000001 or later.
Please see SSH Cipher Support for a listing of the default cipher suites.

Using Custom SSH Cipher Suites

To enable a custom cipher suite for a site:

  1. Click the Administration button on the main menu. The Secrets Administration page appears.

  2. Click the Configuration > General > Distributed Engine link. The Distributed Engine page appears.

  3. Click the desired site in the table. Its configuration page appears.

  4. Edit the page. Two selection buttons for SSH Cipher Suite appear.

    If you cannot edit the page, you may need the "administer distributed engines" permission.

  5. Select Use Custom Cipher Suite.

Configuring Custom SSH Cipher Suites

Currently, you can only configure one custom SSH cipher suite.

To configure a custom SSH cipher suite:

  1. Click the Administration button on the main menu. The Secrets Administration page appears.

  2. Click the SSH Cipher Suites link in the SSH subsection of the Actions section. The Custom SSH Cipher Suite page appears. The default Details tab provides a brief summary of the cipher suite. You can edit the name and description for the cipher suite, as well as view the currently enabled algorithms.

  3. Click the Encryption Algorithms tab. Each algorithm tab enables, disables, and prioritizes the list of one type of algorithm for the cipher suite. You can also check FIPS compliance for each algorithm. The types are encryption, key exchange, MAC, and public key algorithms.

  4. To add algorithms to the list:

    1. Click the Add button on the top right of the table. The tab becomes editable. On the left is a table where your ordered algorithms appear. On the right are your available encryption algorithms.

    2. Move algorithms to the enabled table in one of two ways:

      • Dragging and dropping from the list on the right to the table on the left.
      • Clicking individual algorithms and then clicking the Add button in the bottom right.
    3. To change priority, drag individual entries in the left table by clicking and holding the dots icon. Entries are preferred from top to bottom, so place the strongest algorithms your targets are expected to support first.

    4. Hover the mouse pointer over any entry in the left table and click the trashcan icon to remove that entry.

    5. Click the X button in the top right to close the add list and apply your changes.

  5. Click the Audit tab to display a list of actions taken with the cipher suite.
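The ordering rule above (highest-priority entry both sides support wins, otherwise the connection fails) is the standard SSH name-list negotiation from RFC 4253 section 7.1. The following script is an added example, not Secret Server code; it models that negotiation so you can predict, before assigning a suite to a site, which algorithms a given target will end up with and whether tightening the suite will break heartbeat or discovery against an older host. The suite contents and the server's advertised lists are constructed sample data.

```python
"""
Model of SSH algorithm negotiation for an ordered custom cipher suite.

Added example, not part of Secret Server. For each algorithm type the
client and server exchange ordered name-lists in KEXINIT; the chosen
algorithm is the first entry in the client's list that the server also
offers (RFC 4253 section 7.1). All suites below are constructed data.
"""
from typing import Dict, Iterable, List, Optional

ALGO_TYPES = ("kex", "encryption", "mac", "hostkey")

# Constructed: a custom suite as it might be built in the UI, with the
# highest-priority entry first in every list.
CUSTOM_SUITE: Dict[str, List[str]] = {
    "kex": ["curve25519-sha256", "ecdh-sha2-nistp256",
            "diffie-hellman-group14-sha256"],
    "encryption": ["aes256-gcm@openssh.com", "aes256-ctr", "aes128-ctr"],
    "mac": ["hmac-sha2-256", "hmac-sha1"],
    "hostkey": ["ssh-ed25519", "rsa-sha2-256", "ssh-rsa"],
}

# Constructed: what an older network appliance advertises in its KEXINIT.
LEGACY_SERVER: Dict[str, List[str]] = {
    "kex": ["diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1"],
    "encryption": ["aes128-ctr", "aes256-ctr", "3des-cbc"],
    "mac": ["hmac-sha1"],
    "hostkey": ["ssh-rsa"],
}


def negotiate_one(client: List[str], server: List[str]) -> Optional[str]:
    """Return the first client-preferred name the server also offers.

    Client order, not server order, decides the outcome; None means the
    two lists have nothing in common and the connection cannot proceed.
    """
    offered = set(server)
    for name in client:
        if name in offered:
            return name
    return None


def negotiate(client_suite: Dict[str, List[str]],
              server_suite: Dict[str, List[str]]) -> Dict[str, Optional[str]]:
    """Negotiate every algorithm type independently."""
    return {
        algo_type: negotiate_one(client_suite.get(algo_type, []),
                                 server_suite.get(algo_type, []))
        for algo_type in ALGO_TYPES
    }


def connection_possible(result: Dict[str, Optional[str]]) -> bool:
    """SSH needs an agreed algorithm of every type; one None is fatal."""
    return all(choice is not None for choice in result.values())


def without(suite: Dict[str, List[str]],
            removed: Iterable[str]) -> Dict[str, List[str]]:
    """Copy of a suite with the named algorithms disabled, order preserved."""
    drop = set(removed)
    return {t: [n for n in names if n not in drop] for t, names in suite.items()}


def main() -> None:
    # Baseline: the legacy fallbacks at the bottom of each list save the day.
    result = negotiate(CUSTOM_SUITE, LEGACY_SERVER)
    print("custom suite vs legacy server:", result,
          "ok" if connection_possible(result) else "FAILS")

    # Hardening: disabling hmac-sha1 and ssh-rsa leaves no common MAC or
    # host key algorithm, so every SSH operation for the site would fail
    # against this host until it is upgraded or the suite is relaxed.
    hardened = without(CUSTOM_SUITE, {"hmac-sha1", "ssh-rsa"})
    result = negotiate(hardened, LEGACY_SERVER)
    print("hardened suite vs legacy server:", result,
          "ok" if connection_possible(result) else "FAILS")


if __name__ == "__main__":
    main()
```

To feed real data into `LEGACY_SERVER`, capture a target's advertised lists with `ssh -vv user@host` (the lines following "peer server KEXINIT proposal") or with `nmap --script ssh2-enum-algos -p 22 host`, then run the suite you plan to enable against them before assigning it to the site.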