Modifying the SSH server profile

Modify the SSH server profile to define the cipher suites to negotiate SSH connections when the SSH server.

About this task

Each domain has a single SSH server profile.
  • In the default domain, the SSH service is the only service that uses the SSH server profile. Never configure anything but management services in the default domain.
  • In an application domain, all SFTP server handlers in the domain use the SSH server profile.
You can specify a list of SSH cipher suites, key exchange (KEX) algorithms, and message authentication code (MAC) algorithms in preferred order. The ciphers, KEX algorithms, and MAC algorithms are used to negotiate SSH connections with the remote SSH server. When you specify no ciphers or algorithms, the default cipher suites are used. For more information, see the documentation for the following commands.

The order of algorithms is important. The client sends its list of algorithms to the server. The server compares this list to its own list in order of preference. The first algorithm in the client list that the server also supports is chosen. The connection fails when no algorithm from the client matches an algorithm in the server list.
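The selection rule above, as an added example that is not part of the original documentation or of the product's code. The algorithm lists are constructed sample data, not the product's defaults, and key exchange is simplified to the same first-match rule as ciphers and MACs. It shows that placing a legacy algorithm last in the server list does not stop a client from selecting it; only removing it does.

```python
# Added example: first-match SSH algorithm selection, driven by the client's order.
# All profiles below are constructed sample data, not product defaults.

class NoCommonAlgorithm(Exception):
    """Raised when one category has no algorithm shared by client and server."""


def pick(client_prefs, server_prefs):
    """Return the first entry of the client list that the server also lists."""
    server_set = set(server_prefs)
    for name in client_prefs:
        if name in server_set:
            return name
    return None


def negotiate(client, server):
    """Negotiate each category; the connection fails if any category has no match."""
    chosen = {}
    for category in ("kex", "cipher", "mac"):
        result = pick(client[category], server[category])
        if result is None:
            raise NoCommonAlgorithm(category)
        chosen[category] = result
    return chosen


# Constructed server profile: strong ciphers first, one legacy cipher kept last.
SERVER = {
    "kex": ["curve25519-sha256", "diffie-hellman-group14-sha256"],
    "cipher": ["aes256-ctr", "aes128-ctr", "3des-cbc"],
    "mac": ["hmac-sha2-512", "hmac-sha2-256"],
}
# The same profile with the legacy cipher removed instead of deprioritized.
HARDENED = dict(SERVER, cipher=["aes256-ctr", "aes128-ctr"])

# Constructed client that prefers the legacy cipher but can fall back.
LEGACY_CLIENT = {
    "kex": ["diffie-hellman-group14-sha256"],
    "cipher": ["3des-cbc", "aes128-ctr"],
    "mac": ["hmac-sha2-256"],
}
# Constructed client that offers nothing but the legacy cipher.
LEGACY_ONLY_CLIENT = dict(LEGACY_CLIENT, cipher=["3des-cbc"])

if __name__ == "__main__":
    print(negotiate(LEGACY_CLIENT, SERVER))    # legacy cipher wins despite being last
    print(negotiate(LEGACY_CLIENT, HARDENED))  # client falls back to aes128-ctr
```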

You can configure a banner message to send to users during the SSH preauthentication phase, which includes an SFTP command login. To display the message to the user before the login prompt, enable the setting to include an SSH preauthentication message and specify the message. When you define a custom CLI prelogin message, the SSH preauthentication message is displayed before the CLI prelogin message. The following rules apply.
  • When the setting is enabled with no message specified, the setting is disabled again.
  • When the message is longer than the maximum length of 4096 characters, the message is truncated to 4096 characters.

Procedure

  1. In the search field, enter ssh.
  2. From the search results, click SSH server profile.
  3. Set the administrative state of the configuration.
  4. In the Comments field, enter a brief, descriptive summary for the configuration.
  5. Optional: From the Ciphers list, modify the list of ciphers in order of preference.
  6. Optional: From the Key exchange algorithms list, modify the list of KEX algorithms in order of preference.
  7. Optional: From the Message authentication codes list, modify the list of MAC algorithms in order of preference.
  8. Include an SSH preauthentication message.
    1. Set the property to yes.
    2. Enter the text for the preauthentication message.
  9. Click Apply to save changes to the running configuration.
  10. Click Save to save changes to the persisted configuration.