Oracle Solaris 11.1 Administration: Security Services (Oracle Solaris 11.1 Information Library)
Oracle Solaris provides a FIPS-140 option for the server side and the client side. FIPS mode, where Secure Shell uses the FIPS-140 mode of OpenSSL, is not the default. You can invoke FIPS mode on the command line, as in ssh -o "UseFIPS140 yes" remote-host. As an alternative, you can set a keyword in the configuration files.
Briefly, the implementation consists of the following:
The following FIPS-approved ciphers are available on the server and client side: aes128-cbc, aes192-cbc, and aes256-cbc.
3des-cbc is available by default on the client side, but it is not in the server-side cipher list because of potential security risks.
The following FIPS-approved Message Authentication Codes (MACs) are available:
hmac-sha1, hmac-sha1-96
hmac-sha2-256, hmac-sha2-256-96
hmac-sha2-512, hmac-sha2-512-96
Four server-client configurations are supported:
No FIPS mode on either client or server side
FIPS mode on both the client and server side
FIPS mode on the server side, but no FIPS mode on the client side
No FIPS mode on the server side, but FIPS mode on the client side
The ssh-keygen command has an option to generate the user's private key in the PKCS #8 format that Secure Shell clients in FIPS mode require. For more information, see the ssh-keygen(1) man page.
For more information about FIPS operations in Secure Shell, see the sshd(1M), sshd_config(4), ssh(1), and ssh_config(4) man pages.
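As an added example (not Oracle's code), the POSIX shell audit below checks a Secure Shell configuration file for the FIPS settings described above: it verifies that UseFIPS140 is set to yes and that every algorithm listed under the standard Ciphers and MACs keywords is one of the FIPS-approved algorithms named on this page. The two configuration fragments are constructed for the demonstration and are not real system files.

```shell
#!/bin/sh
# Added example (not Oracle's code): audit a Secure Shell config file for the
# FIPS-140 settings described above.
# FIPS-approved algorithms named on the page. 3des-cbc is deliberately absent:
# it is a client-side default only and is not in the server cipher list.
FIPS_CIPHERS="aes128-cbc aes192-cbc aes256-cbc"
FIPS_MACS="hmac-sha1 hmac-sha1-96 hmac-sha2-256 hmac-sha2-256-96 hmac-sha2-512 hmac-sha2-512-96"

# in_list WORD LIST: succeeds when WORD is one of the space-separated LIST entries
in_list() {
    for w in $2; do [ "$1" = "$w" ] && return 0; done
    return 1
}

# config_value FILE KEYWORD: prints the value of the first uncommented KEYWORD
# line (keywords are case-insensitive, as in ssh_config/sshd_config)
config_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# check_fips_config FILE: returns 0 when UseFIPS140 is yes and every listed
# cipher and MAC is FIPS-approved; otherwise prints each finding and returns 1
check_fips_config() {
    rc=0
    if [ "$(config_value "$1" UseFIPS140)" != "yes" ]; then
        echo "$1: UseFIPS140 is not yes (FIPS mode is not the default)"; rc=1
    fi
    for c in $(config_value "$1" Ciphers | tr ',' ' '); do
        in_list "$c" "$FIPS_CIPHERS" || { echo "$1: cipher $c is not FIPS-approved"; rc=1; }
    done
    for m in $(config_value "$1" MACs | tr ',' ' '); do
        in_list "$m" "$FIPS_MACS" || { echo "$1: MAC $m is not FIPS-approved"; rc=1; }
    done
    return $rc
}

# Constructed sample fragments (not real system files) used for the demonstration
GOOD_CFG=$(mktemp); BAD_CFG=$(mktemp)
cat > "$GOOD_CFG" <<'EOF'
# sshd_config fragment: server in FIPS mode with approved algorithms only
UseFIPS140 yes
Ciphers aes256-cbc,aes128-cbc
MACs hmac-sha2-256,hmac-sha1
EOF
cat > "$BAD_CFG" <<'EOF'
# ssh_config fragment: FIPS keyword missing, 3des-cbc and hmac-md5 listed
Ciphers aes256-cbc,3des-cbc
MACs hmac-md5
EOF
```

Run it as `. ./fips_audit.sh; check_fips_config /etc/ssh/sshd_config` to audit a real file; a non-zero exit status lists each keyword or algorithm that would keep the host out of FIPS mode.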
When you use a Sun Crypto Accelerator 6000 card for Secure Shell operations, Secure Shell runs with FIPS-140 support at Level 3. Level 3 hardware is certified to resist physical tampering, use identity-based authentication, and isolate the interfaces that handle critical security parameters from the hardware's other interfaces.