Setting SSH2 algorithm preferences

The SSH protocol secures data in transit through the exchange of a secure secret which is then used to create keys which are used to encrypt and authenticate each message sent by the client or server. All algorithms are identified by a unique name and each side declares to the other which algorithms it supports during the key exchange process.

Each side declares their supported algorithms for each type of cryptographic component in a list ordered by preference. During key exchange the client list is iterated over from most preferred to least, and the first available algorithm supported by the server is selected. 

In practice this means that as long as the server supports the client's preferred algorithm for a given component, this will be selected and used.

Getting the Ssh2Context

In order to configure J2SSH Maverick with your algorithm preferences you need to get hold of the Ssh2Context instance of the SshConnector. The following code will achieve this:

SshConnector con = SshConnector.createInstance();

Ssh2Context ssh2Context = (Ssh2Context) con.getContext(SshConnector.SSH2);

 

Key Exchange

The secret is created during key exchange and a number of different types are supported by the protocol and our API. The following key exchange methods are currently supported by our API.

diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256

Constants are provided on the Ssh2Context class for all algorithms outlined in this article and are used in these code examples.

To set your preferred key exchange use:

ssh2Context.setPreferredKeyExchange(Ssh2Context.KEX_DIFFIE_HELLMAN_GROUP_EXCHANGE_SHA256);

 

Public Keys

As part of the key exchange process the server presents its public key for validation. This allows the client to determine if it trusts the server.

The public key types supported by our API are:

ssh-dss
ssh-rsa
x509v3-sign-rsa
x509v3-sign-rsa-sha1
x509v3-sign-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521

 

To set the preferred public key use:

ssh2Context.setPreferredPublicKey(Ssh2Context.PUBLIC_KEY_ECDSA_521);

 

If you would like to set further preferences, for example the second or third preference on client->server stream use:

// Second preference
ssh2Context.setPublicKeyPreferredPosition(Ssh2Context.PUBLIC_KEY_ECDSA_384, 1);  // zero based index

// Third preference
ssh2Context.setPublicKeyPreferredPosition(Ssh2Context.PUBLIC_KEY_ECDSA_256, 2);

 

Ciphers

Once key exchange has completed and the secret established, a set of keys are created that are used to encrypt/decrypt the stream of data passing over the SSH connection. A separate key and algorithm preference is set for data travelling client->server and another for server->client data.

The ciphers currently supported by our API are:

3des-cbc
3des-ctr
blowfish-cbc
aes128-cbc
aes192-cbc
aes256-cbc
aes128-ctr
aes192-ctr
aes256-ctr
arcfour
arcfour256

 

To set your preferred ciphers use:

// For the client->server communication
ssh2Context.setPreferredCipherCS(Ssh2Context.CIPHER_AES128_CTR);

// For the server->client communication
ssh2Context.setPreferredCipherSC(Ssh2Context.CIPHER_AES128_CTR);

 

If you would like to set further preferences, for example the second or third preference on the client->server stream use:

// Second preference
ssh2Context.setCipherPreferredPositionCS(Ssh2Context.CIPHER_AES192_CTR, 1);  // zero based index

// Third preference
ssh2Context.setCipherPreferredPositionCS(
Ssh2Context.CIPHER_AES192_CTR, 2);

 

Message Authentication (HMAC)

Each individual message sent by the client/server is authenticated with a keyed-hash message authentication code. This ensures that the data received is the same as the data that was sent.

The HMAC's supported are:

hmac-md5
hmac-md5-96
hmac-sha1
hmac-sha1-96
hmac-sha256

 

To set your preferred HMACs use:

// For the client->server communication
ssh2Context.setPreferredMacCS(Ssh2Context.HMAC_SHA256);

// For the server->client communication
ssh2Context.setPreferredMacSC(Ssh2Context.HMAC_SHA256);

 

If you would like to set further preferences, for example the second or third preference on the client->server stream use:

// Second preference
ssh2Context.setMacPreferredPositionCS(Ssh2Context.HMAC_SHA1, 1);  // zero based index

// Third preference
ssh2Context.setMacPreferredPositionCS(Ssh2Context.HMAC_MD5, 2);

 

Compression

The SSH protocol optionally allows compression of the data payloads. To enable compression use the following method:

ssh2Context.enableCompression();

 

Have more questions? Submit a request

0 Comments

Please sign in to leave a comment.