SecureTransport 5.4 Administrator Guide

Add an SSH server

To add an SSH server, go to the extended Server Control page and, on the SSH Servers pane, click Actions > Add Server. A modal box with the SSH server settings opens. The following table presents all parameters and expected values associated with your new SSH server.

Server Name: Enter a unique name for your server.

Enable SCP: Select to enable SCP (Secure Copy) support for transfers using your current SSH server.

Enable SFTP: Select to enable SFTP transfers using your current SSH server.

Enable FIPS: Select to enable FIPS transfer mode for SSH connections. Selecting this option makes the following fields editable:
- FIPS Exchange Algorithms
- FIPS Public Keys
- FIPS MAC Algorithms
- Enabled FIPS Ciphers

Port: Enter the port number of your SSH server.

Host: Enter the host address of your SSH server.

SSH Key Alias: Select an SSH Key Alias from the drop-down list, for example, admind.

Client Certificate: This drop-down list defines whether certificates are used for SSH authentication. Possible values are:
- Disabled – no certificate authentication is required
- Required – the client must authenticate using a certificate
- Optional – the client can authenticate either using a certificate or a password

Client Password: When Client Certificate is set to Required, you can also specify the authentication methods that the SSH server offers to the SSH client:
- Default – the server sends the authentication methods set in Authentication > Login Settings > End-user login options
- Disabled – the server sends only "publickey"

Key Exchange Algorithms: Enter the Diffie-Hellman exchange hashing algorithms, for example: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256.

FIPS Exchange Algorithms: Specify the KEX algorithms to be used with your SSH server in FIPS mode.
By default, this field is populated with all FIPS-compliant KEX algorithms supported by SecureTransport. For the complete list, see FIPS-compliant key exchange algorithms. Click the "down arrow" icon on the right to access a drop-down menu with options to select and deselect all items and to reset the value to the previously saved selection. For the default SSH server, the list of allowed KEX algorithms in FIPS mode is determined by the Ssh.FIPS.KeyExchangeAlgorithms configuration option.

Minimum key size for Diffie-Hellman exchange algorithms group: Enter the minimum exchange key size in bits: 128 bit is the minimum (least secure) and 4096 is the maximum (most secure).

Public Keys: Enter the certificate type for your public keys and signature algorithm in the following format: ssh-rsa,ssh-dss,x509v3-sign-rsa,x509v3-sign-rsa-sha1

FIPS Public Keys: Specify the public key algorithms to be used with your SSH server in FIPS mode. By default, this field is populated with all FIPS-compliant public keys supported by SecureTransport. For the complete list, see FIPS-compliant public key algorithms. Click the "down arrow" icon on the right to access a drop-down menu with options to select and deselect all items and to reset the value to the previously saved selection. For the default SSH server, the list of allowed public key algorithms in FIPS mode is determined by the Ssh.FIPS.PublicKeys configuration option.

MAC Algorithms: Enter the MAC algorithm that warrants the integrity of the transfer using your current SSH server.

FIPS MAC Algorithms: Specify the MAC algorithms to be used with your SSH server in FIPS mode. By default, this field is populated with all FIPS-compliant MACs supported by SecureTransport. For the complete list, see FIPS-compliant MAC algorithms. Click the "down arrow" icon on the right to access a drop-down menu with options to select and deselect all items and to reset the value to the previously saved selection.
For the default SSH server, the list of allowed MAC algorithms in FIPS mode is determined by the Ssh.FIPS.AllowedMacs configuration option.

Enabled Ciphers: Enter the ciphers to be used with your SSH server. For more information on cipher suites, refer to the SecureTransport Cipher suites topic, part of the SecureTransport 5.4 Security guide.

Enabled FIPS Ciphers: Specify the ciphers to be used with your SSH server in FIPS mode. By default, this field is populated with all FIPS-compliant ciphers supported by SecureTransport. For the complete list, see FIPS-compliant ciphers. Click the "down arrow" icon on the right to access a drop-down menu with options to select and deselect all items and to reset the value to the previously saved selection. For the default SSH server, the list of allowed ciphers in FIPS mode is determined by the Ssh.FIPS.Ciphers configuration option.

Once you have finished entering the parameters of your SSH server, click Save to create it, or Cancel to discard all changes and return to the Server Control page.

Start and stop a server

You can easily start and stop your SSH server. Start your server by clicking the "play" icon. A box with a success message pops up on your screen and your server status changes to Running.

To stop your server, click the "stop" icon. A box with a success message pops up on your screen and your server status changes to Stopped.

You can only start the SSH daemon once the Ssh Default server is operating (enabled). Stopping the daemon stops all underlying started servers. During daemon start, only the enabled servers are started. In the case of SSH, an "enabled server" means that you have selected at least one of the options Enable Secure File Transfer Protocol (SFTP) or Enable Secure Copy (SCP).

Edit SSH server settings

You can change any of the SSH server property values. Note that you can change the server name only when the server is stopped.
To update an SSH server, click the corresponding "gear" icon. A modal box with the SSH settings opens. Make your changes and click Save to apply them, or Cancel to discard them.

Delete an SSH server

Note: You cannot delete or change the name of the "Ssh Default" server from the SecureTransport Administration Tool.

You can only delete a server once it is stopped. You cannot delete a server in Running status. To delete a server, locate it on the Server Control page, make sure it is stopped, and click the corresponding "trashcan" icon.
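
One way to confirm that a saved and started server advertises only the algorithms entered in Key Exchange Algorithms, Enabled Ciphers and MAC Algorithms is to compare those field values with the name-lists in the server's SSH_MSG_KEXINIT message (RFC 4253). This is an added example, not SecureTransport code; the mapping of fields to KEXINIT name-lists, the cipher and MAC values, and the KEXINIT bytes are assumptions constructed for illustration.

```python
import struct

# Name-list order in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
KEXINIT_FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s",
                  "mac_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def parse_kexinit(payload: bytes) -> dict:
    """Decode the ten name-lists of an SSH_MSG_KEXINIT payload."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, lists = 17, {}  # skip message type (1 byte) and cookie (16 bytes)
    for field in KEXINIT_FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + n > len(payload):
            raise ValueError("truncated name-list body")
        text = payload[pos:pos + n].decode("ascii")
        lists[field] = text.split(",") if text else []
        pos += n
    return lists

def unexpected_algorithms(configured: dict, offered: dict) -> dict:
    """Return algorithms the server offers that the saved settings omit."""
    extra = {}
    for field, value in configured.items():
        allowed = {a.strip() for a in value.split(",") if a.strip()}
        found = [a for a in offered[field] if a not in allowed]
        if found:
            extra[field] = found
    return extra

def build_kexinit(name_lists) -> bytes:
    """Helper that only builds the constructed sample message below."""
    body = b"".join(struct.pack(">I", len(s)) + s.encode() for s in name_lists)
    return bytes([20]) + bytes(16) + body + b"\x00" + struct.pack(">I", 0)

# Field values as saved; kex is the page's sample, the other two are assumed.
CONFIGURED = {
    "kex": "diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256",
    "enc_s2c": "aes256-ctr",
    "mac_s2c": "hmac-sha2-256",
}
# Constructed KEXINIT that offers one KEX and one MAC the settings do not list.
SAMPLE = build_kexinit([
    "diffie-hellman-group14-sha1,diffie-hellman-group1-sha1", "ssh-rsa",
    "aes256-ctr", "aes256-ctr", "hmac-sha2-256", "hmac-sha2-256,hmac-md5",
    "none", "none", "", ""])
```

Calling unexpected_algorithms(CONFIGURED, parse_kexinit(SAMPLE)) returns the per-field algorithms that are offered but not configured; an empty result means the advertised lists match the saved settings.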