Custom SSH Cipher Suites
Overview
You can configure a custom cipher suite and assign it to a site. The suite is used for SSH client and server operations for that site, including SSH proxy, SSH terminal, discovery, remote password change, heartbeat, and SSH scripts. The algorithms in the suite are prioritized by their order in the list: each one is tried in turn, and if it is unsuccessful, the next lower one is tried.
Configuring Custom SSH Cipher Suites
To configure a custom SSH cipher suite:
- Navigate to Admin > Custom SSH Cipher Suite. The Custom SSH Cipher Suite page appears.
- The default Details tab provides a brief summary of the cipher suite. You can edit the name and description for the suite, as well as view the currently enabled algorithms.
- Use the Encryption Algorithms, Key Exchange Algorithms, MAC Algorithms, and Public Key Algorithms tabs to enable, disable, and prioritize a list of each type of algorithm for the cipher suite.
  You can also check FIPS compliance for each of the algorithms. The types include encryption, key exchange, MAC, and public key algorithms.
- To add algorithms to the list, click one of the algorithm tabs.
- Select the Edit button on the top right of the algorithm page. The tab becomes editable.
- Select the algorithms that you would like to add, or uncheck the ones you would like to remove. When done, click Save.
- To prioritize the algorithms, click Reorder ciphers on the algorithm page.
- Drag the algorithms into the desired order. When done, click Save Field Order.
- Select the Audit tab to display a list of actions taken with the cipher suite.
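Before assigning a reordered suite to a site, it helps to confirm that every algorithm type still overlaps with what the target hosts offer. The following Python is an added example, not vendor code: it parses a constructed SSH_MSG_KEXINIT payload and picks, for each tab, the first suite entry the host also offers. It assumes standard RFC 4253 negotiation with the site acting as SSH client, and that the Public Key Algorithms tab corresponds to the host key list; the host, the suite contents and all function names are hypothetical.

```python
# The ten name-lists of an SSH_MSG_KEXINIT payload, in wire order (RFC 4253, 7.1).
FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]
# Assumed mapping from the suite's four tabs to the client-to-server lists.
TABS = {"key_exchange": "kex", "public_key": "host_key",
        "encryption": "enc_c2s", "mac": "mac_c2s"}

def name_list(algs):
    """Encode a name-list: uint32 length, then comma-separated ASCII names."""
    body = ",".join(algs).encode("ascii")
    return len(body).to_bytes(4, "big") + body

def parse_kexinit(payload):
    """Return {field: [names]} from a raw KEXINIT payload; reject malformed input."""
    if len(payload) < 17 or payload[0] != 20:      # 20 = SSH_MSG_KEXINIT
        raise ValueError("not a KEXINIT payload")
    pos, lists = 17, {}                            # skip type byte and 16-byte cookie
    for field in FIELDS:
        size = int.from_bytes(payload[pos:pos + 4], "big")
        body = payload[pos + 4:pos + 4 + size]
        if pos + 4 > len(payload) or len(body) != size:
            raise ValueError("truncated name-list")
        lists[field] = body.decode("ascii").split(",") if body else []
        pos += 4 + size
    return lists

def negotiate(suite, offered):
    """Per tab: first suite entry the host also offers, or None if nothing overlaps."""
    return {tab: next((a for a in algs if a in offered[TABS[tab]]), None)
            for tab, algs in suite.items()}

# Constructed sample: KEXINIT of a hypothetical legacy host (cookie zeroed).
HOST = [["curve25519-sha256", "diffie-hellman-group14-sha256"],
        ["ssh-ed25519", "rsa-sha2-512"],
        ["aes256-ctr", "aes128-ctr"], ["aes256-ctr", "aes128-ctr"],
        ["hmac-sha1"], ["hmac-sha1"], ["none"], ["none"], [], []]
SAMPLE = bytes([20]) + bytes(16) + b"".join(map(name_list, HOST)) + bytes(5)

# Constructed custom suite, highest priority first, as ordered on each tab.
SUITE = {"key_exchange": ["diffie-hellman-group16-sha512", "diffie-hellman-group14-sha256"],
         "public_key": ["rsa-sha2-512", "ssh-ed25519"],
         "encryption": ["aes256-gcm@openssh.com", "aes256-ctr"],
         "mac": ["hmac-sha2-512", "hmac-sha2-256"]}

if __name__ == "__main__":
    for tab, chosen in negotiate(SUITE, parse_kexinit(SAMPLE)).items():
        print(f"{tab:13} {chosen or 'NO COMMON ALGORITHM'}")
```

A tab with no common algorithm means operations such as heartbeat or remote password change against that host would fail until the suite or the host is changed. A missing MAC match blocks the connection only when the selected encryption algorithm is not an AEAD cipher, since AEAD ciphers such as aes256-gcm@openssh.com provide their own integrity check.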
Using Custom SSH Cipher Suites
To enable the feature for a distributed engine:
- Navigate to Admin > Distributed Engine. The Distributed Engine page appears.
- Click the desired site name in the list. Its configuration page appears.
- In the Advanced site configuration section, click Edit.
  If you cannot edit the page, you may need the "administer distributed engines" permission.
- For the SSH Cipher Suite option, select Use Custom Cipher Suite.
- When done, click Save.