SSH access to the UTM can be hardened with three fixed security levels and one user-defined security level. Menu → Authentication → SSH Settings
Settings
The four levels (referred to elsewhere on this page as Medium, High, Very high and Custom) are:
Medium: Default settings of the UTM; root login is possible if a corresponding user has been created.
High: Longer host keys, no potentially insecure hash algorithms, no root login even if a corresponding user has been created.
Very high: Extremely limited list of hash algorithms, ciphers and key exchange algorithms, no root login even if a corresponding user has been created.
Custom: The user defines their own list of hash algorithms, ciphers and key exchange algorithms; root login can be activated.
Allow pending connections: The number of simultaneously established connections that have not yet been authenticated.
Initial drop chance: Percentage of new unauthenticated connections that are dropped once the allowed number of pending connections is exceeded.
Maximum pending connections: Number of simultaneous unauthenticated connections above which all further unauthenticated connections are dropped.
Login grace time: Time in seconds available for completing authentication.
Custom security settings
List of approved HMAC (Keyed-Hash Message Authentication Code) algorithms.
Defines which ciphers (encryption algorithms) are permitted for SSH.
Allow root access: Only possible with Medium or Custom.
Root with user authentication:
Note: There is no root access via user authentication in the High and Very high modes. There, only authentication via public key is possible.
If root access with user authentication is nevertheless desired in the security levels High and Very high, the algorithm lists from these modes can be copied into the User Defined mode and root access activated there.
Root access via public key
The following steps are necessary to carry out authentication without a password via an SSH console using ssh-public-key:
Creating an SSH-RSA Key Pair
This can be generated on a Windows system with an additional programme such as "puttygen".
Generate Key Pair
On a Linux/Unix system, the tool "ssh-keygen" is available, which is executed as ssh-keygen -t rsa.
Location of the key
After creation with "puttygen", the public and private parts of the key are saved with Save public key and Save private key, by default in the document directory of the Windows user.
For Linux/Unix, these are located in the user directory under /home/user/.ssh/
Format public key
The public key file saved by puttygen must still be adapted as follows:
The public key must have the following format:
Since there is a space between "ssh-rsa" and the key, the entire content must be enclosed in quotation marks.
Furthermore, care must be taken that the line breaks within the public key are removed.
In addition, the optional user entry should be appended in the form "User@Computer". It should look like this:
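As an added example (not part of the Securepoint documentation), the following Python script performs the reformatting described above: it takes a puttygen "Save public key" export, strips the header lines and line breaks, prefixes ssh-rsa and appends a User@Computer comment, and checks that the blob really is an ssh-rsa key before emitting it. The function names and the sample key material are constructed for this example.

```python
"""Convert a puttygen "Save public key" export (RFC 4716 format) into the
one-line OpenSSH form the UTM expects: ssh-rsa <base64> User@Computer.

Added example, not part of the Securepoint documentation. The key material
below is built from tiny constructed numbers and is not a usable RSA key.
"""
import base64
import re
import struct


def _ssh_string(b: bytes) -> bytes:
    """Encode one length-prefixed SSH wire string (RFC 4251)."""
    return struct.pack(">I", len(b)) + b


def _mpint(n: int) -> bytes:
    """Encode a positive SSH mpint (big-endian, leading zero if MSB set)."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def build_rfc4716(e: int, n: int, comment: str) -> str:
    """Build the wrapped multi-line file puttygen writes for an RSA key."""
    blob = _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return (f'---- BEGIN SSH2 PUBLIC KEY ----\nComment: "{comment}"\n'
            f"{body}\n---- END SSH2 PUBLIC KEY ----\n")


def to_openssh_line(rfc4716_text: str, comment: str) -> str:
    """Join the wrapped base64 body, prefix the key type and append the
    User@Computer comment; the blob is decoded and checked to really be
    an ssh-rsa key so a mangled copy-paste is rejected, not installed."""
    lines = [ln.strip() for ln in rfc4716_text.splitlines()]
    body = [ln for ln in lines
            if ln and not ln.startswith("----") and ":" not in ln]
    blob = base64.b64decode("".join(body), validate=True)
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa public key blob")
    if not re.fullmatch(r'[^\s"]+@[^\s"]+', comment):
        raise ValueError("comment must be User@Computer without spaces")
    return f"ssh-rsa {''.join(body)} {comment}"


if __name__ == "__main__":
    sample = build_rfc4716(65537, 0xC0FFEE1234567890ABCDEF, "rsa-key-demo")
    print(to_openssh_line(sample, "admin@workstation"))
```

On Linux/Unix, ssh-keygen -i -f key.pub performs the same conversion of an RFC 4716 file into the OpenSSH one-line format.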
The variable SECMODE indicates which SSH configuration is currently active.
There are four configurations that can be assigned to this variable:
If the variable is assigned a different configuration in the CLI, the change must be activated by restarting the sshd application:
extc value set application "sshd" variable SECMODE value 1
appmgmt restart application "sshd"
Note: Precautions during configuration tests
If new ciphers or other SSH settings are to be tested via the web interface or the CLI, an SSH connection to the UTM should be established before the changeover and kept open. Existing SSH connections are not interrupted by changing the cipher or SSH settings, so the open session remains available as a fallback if the new settings prevent a new login.