From 10dd3321f37175b0adb4c8a31371419d45bf94d0 Mon Sep 17 00:00:00 2001
From: Hans Nilsson To fully understand how to configure the algorithms, we must understand partly both how the ssh protocol
- works and how the OTP SSH app handles the corresponding items To fully understand how to configure the algorithms, it is essential to have a basic understanding of the SSH protocol
+ and how OTP SSH app handles the corresponding items The first subsection will give a short background about the ssh protocol while later sections describes
- the implementation and provides many examples The first subsection will give a short background of the SSH protocol while later sections describes
+ the implementation and provides some examples Symetric cipher algorithm used for the message encryption. This algorithm will use the key calculated
+ Symetric cipher algorithm used for the payload encryption. This algorithm will use the key calculated
in the kex phase (together with other info) to genereate the actual key used. Examples are
tripple-DES Due to this, it impossible to list in documentation what algorithms that are available in a certain installation. There is an important commands to list the actual algorithms and their ordering:
+ There is an important command to list the actual algorithms and their ordering:
To change this listing, there are two options which can be used in
- To change the algorithm list, there are two options which can be used in
+ Here follows a series of examples ranging from simple to more complex. The experimental function To forsee the effect of an option there is an experimental function The option A situation where it might be useful to add an algorithm is when one need to use a supported but disabled one.
+ An example is the The option To facilitate addition or removal of algorithms the option In next example, we also move the In this example, we in put the 'diffie-hellman-group1-sha1' first and also move the
+ Note that the appended algorithm is removed from its original place and then appended. Note that the appended algorithm is removed from its original place and then appended to the same list. In next example, we also move the Note that the appended algorithm first is removed from its original place and then appended. In this example, we use both options ( It is of course questionable why anyone would like to use the both options together, but it is possible
- if the needed. It is of course questionable why anyone would like to use the both these options together,
+ but it is possible if an unforeseen need should arise. Modifies the list of algorithms to use in the algorithm negotiation. The modifications are
- applied after the option The possible modifications are to:
0> ssh:default_algorithms().
@@ -143,8 +143,8 @@
{server2client,[none,'zlib@openssh.com',zlib]}]}]
-
6> ssh:chk_algos_opts(
[{modify_algorithms,
@@ -377,46 +379,15 @@
.....
]
-
-7> ssh:chk_algos_opts(
- [{modify_algorithms,
- [{prepend,
- [{kex, ['diffie-hellman-group1-sha1']}
- ]},
- {append,
- [{kex, ['ecdh-sha2-nistp521']}
- ]}
- ]
- }
- ]).
-[{kex,['diffie-hellman-group1-sha1','ecdh-sha2-nistp384',
- 'ecdh-sha2-nistp256','diffie-hellman-group-exchange-sha256',
- 'diffie-hellman-group16-sha512',
- 'diffie-hellman-group18-sha512',
- 'diffie-hellman-group14-sha256',
- 'diffie-hellman-group14-sha1',
- 'diffie-hellman-group-exchange-sha1','ecdh-sha2-nistp521']},
- {public_key,['ecdsa-sha2-nistp384','ecdsa-sha2-nistp521',
- .....
-]
-
-
-8> ssh:chk_algos_opts(
+7> ssh:chk_algos_opts(
[{preferred_algorithms,
[{cipher,['aes128-ctr']},
{mac,['hmac-sha2-256']},
@@ -446,8 +417,8 @@
{server2client,[none]}]}]
-
The algoritm for modifications works like this:
Append or prepend supported but not enabled algorithm(s) to the list of - algorithms.
If the wanted algorithms already are in the list of algorithms, they will first - be removed and then appended or prepended. -
+Input is the
The head of the
The possible modifications are:
+Append or prepend supported but not enabled algorithm(s) to the list of
+ algorithms. If the wanted algorithms already are in
Remove (rm) one or more algorithms from
Repeat the modification step with the tail of
Remove (rm) one or more algorithms from the list of algorithms.
If an unsupported algorithm is in the list, it will be silently ignored
- +If an unsupported algorithm is in the
If there are more than one modify_algorithms options, the result is undefined.
Here is an example of this option:
{modify_algorithms,
--
cgit v1.2.3