The ssh server hmac command configures an HMAC algorithm list for an SSH server.
The undo ssh server hmac command restores the default configuration.
By default, an SSH server supports all HMAC algorithms.
ssh server hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 | sha2_256_96 } *
undo ssh server hmac
| Parameter | Description | Value |
|---|---|---|
| md5 | Adds the HMAC MD5 algorithm to an HMAC algorithm list. | - |
| md5_96 | Adds the HMAC MD5_96 algorithm to an HMAC algorithm list. | - |
| sha1 | Adds the HMAC SHA1 algorithm to an HMAC algorithm list. | - |
| sha1_96 | Adds the HMAC SHA1_96 algorithm to an HMAC algorithm list. | - |
| sha2_256 | Adds the HMAC SHA2_256 algorithm to an HMAC algorithm list. | - |
| sha2_256_96 | Adds the HMAC SHA2_256_96 algorithm to an HMAC algorithm list. | - |
Usage Scenario
An SSH server and a client need to negotiate an HMAC algorithm for the packets exchanged between them. You can run the ssh server hmac command to configure an HMAC algorithm list for the SSH server. After the list is configured, the server matches the HMAC algorithm list of a client against the local list after receiving a packet from the client and selects the first HMAC algorithm that matches the local list. If no HMAC algorithms in the list of the client match the local list, the negotiation fails.
Precautions
sha2_256 provides the highest security, followed by sha2_256_96, sha1, sha1_96, md5, and md5_96 in order.
Do not add sha2_256_96, sha1, sha1_96, md5, or md5_96 to the HMAC algorithm list because they provide the lowest security among the supported HMAC algorithms. The sha2_256 HMAC algorithm has been added to the list in the factory configuration file. By default, the device does not support the undo ssh server hmac command and weak security algorithms such as sha2_256_96, sha1, sha1_96, md5, and md5_96. To use the undo ssh server hmac command and these algorithms, install the weak security algorithm component package (product_version_WEAKEA.mod). For details, see Dynamic Loading.
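The selection rule from Usage Scenario and the ranking from Precautions, modeled as an added example (not vendor code or device output). The function names and the client lists are constructed for illustration, and the client is assumed to offer algorithms using the same keywords as this page.

```python
# Added example: models the HMAC selection rule described under "Usage Scenario".
# Keywords come from the command syntax on this page; function names are hypothetical.

# Strength order as stated under "Precautions" (strongest first).
STRENGTH_ORDER = ["sha2_256", "sha2_256_96", "sha1", "sha1_96", "md5", "md5_96"]
WEAK = set(STRENGTH_ORDER[1:])  # everything except sha2_256, per the page


def parse_hmac_command(line):
    """Return the ordered algorithm list from an 'ssh server hmac ...' line."""
    tokens = line.split()
    if tokens[:3] != ["ssh", "server", "hmac"] or len(tokens) == 3:
        raise ValueError("expected: ssh server hmac <algorithm> ...")
    algs = []
    for t in tokens[3:]:
        if t not in STRENGTH_ORDER:
            raise ValueError(f"unknown HMAC keyword: {t}")
        if t not in algs:  # ignore repeated keywords
            algs.append(t)
    return algs


def negotiate(client_list, server_list):
    """Pick the first algorithm in the client's list that the server also lists.

    Returns None when nothing matches, i.e. the negotiation fails.
    """
    allowed = set(server_list)
    for alg in client_list:
        if alg in allowed:
            return alg
    return None


def audit(server_list):
    """Return configured algorithms the page classifies as weak, strongest first."""
    return [a for a in STRENGTH_ORDER if a in WEAK and a in server_list]


if __name__ == "__main__":
    # Constructed sample inputs.
    legacy_client = ["md5", "sha1", "sha2_256"]  # client prefers md5
    permissive = parse_hmac_command("ssh server hmac sha2_256 sha1 md5")
    hardened = parse_hmac_command("ssh server hmac sha2_256")
    print(negotiate(legacy_client, permissive))  # md5: the client's preference wins
    print(negotiate(legacy_client, hardened))    # sha2_256
    print(negotiate(["md5", "sha1"], hardened))  # None: negotiation fails
    print(audit(permissive))                     # ['sha1', 'md5']
```

Because the client's order decides among the matches, listing sha2_256 first on the server does not prevent a weaker algorithm from being selected; only leaving the weak keywords out of the list does.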