ScreenOS Firewalls (NOT SRX)
SSH Key Size-NS5200

07-30-2018 03:49 PM

I am looking for info on changing the ssh key size on a NS52000 to 2048, or is this even possible.

Thanks


Re: SSH Key Size-NS5200

07-31-2018 06:25 AM

Hi r24481,

This is, however, only partially possible. We have two key pairs for any SSH connection:
- Host keys (firewall public and private key)
- User keys (client public and private key)

It is possible to use user keys with a length of 2048 bits, but the host keys are generated automatically by the firewall and their length cannot be changed.

The process that needs to be followed is as follows: Binding a PKA key to an administrator
To prepare for PKA, you must first perform the following tasks:

1. On the SSH client, generate a public and private key pair using a key generation program. (The key pair is either RSA for SSHv1 or DSA for SSHv2. See the SSH client application documentation for more information.)

NOTE: If you want to use PKA for automated logins, you must also load an agent on the SSH client to decrypt the private key component of the PKA public/private key pair and hold the decrypted version of the private key in memory.

2. Move the public key from the local SSH directory to a directory on your TFTP server, and launch the TFTP program.

3. To load the public key from the TFTP server to the device, enter one of the following CLI commands:
For SSHv1:
# exec ssh tftp pka-rsa user-name <name_str> file-name <name_str> ip-addr tftp_ip_addr
For SSHv2:
# exec ssh tftp pka-dsa user-name <name_str> file-name <name_str> ip-addr tftp_ip_addr

4. Bind the PKA key (a public key) to the administrative account of the administrator who possesses the associated private key. The following CLI commands can be used to bind the PKA key to an administrator's account:

# set ssh pka-dsa key pka-key
# set ssh pka-dsa user-name login-id key pka-key

The user-name option is only available to the root admin, so only the root admin can bind a key to another admin. When you (as the root admin or as a read/write admin) enter the command without a username, the device binds the PKA certificate to your own admin account; that is, it binds the certificate to the admin who enters the command.

NOTE: The security device supports up to four PKA public keys per admin user.

Regards,

Rishi

JTAC


Re: SSH Key Size-NS5200

08-02-2019 06:02 AM

Is there a way to verify the key size? I have an SSG-550M and an SSG-2000.
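One way to check the size of a firewall's SSH host key (or of a user key) from the client side, as an added example that is not part of this thread: the script below parses an OpenSSH public-key line, as produced by ssh-keyscan against the device or as found in a .pub file, and reports the RSA modulus or DSA prime size in bits. The two sample lines and the host name fw.example.test are constructed placeholders with the right bit lengths, not real keys.

```python
import base64
import struct


def _read_string(blob, offset):
    """Read one SSH wire-format string: uint32 big-endian length prefix, then the bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:start + length], start + length


def key_size_bits(public_key_line):
    """Return (key type, size in bits) for one OpenSSH public-key line.

    Accepts both ssh-keyscan output ("host ssh-rsa AAAA...") and id_*.pub content.
    RSA size is the bit length of the modulus n; DSA size is the bit length of the prime p.
    """
    fields = public_key_line.split()
    idx = next(i for i, f in enumerate(fields) if f.startswith("ssh-"))  # skip host prefix
    key_type, blob = fields[idx], base64.b64decode(fields[idx + 1])
    wire_type, offset = _read_string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError("key type inside blob does not match the text prefix")
    if key_type == "ssh-rsa":            # blob layout: e, n
        _e, offset = _read_string(blob, offset)
        n, _ = _read_string(blob, offset)
        return key_type, int.from_bytes(n, "big").bit_length()
    if key_type == "ssh-dss":            # blob layout: p, q, g, y
        p, _ = _read_string(blob, offset)
        return key_type, int.from_bytes(p, "big").bit_length()
    raise ValueError("unsupported key type " + key_type)


def _wire_string(data):
    return struct.pack(">I", len(data)) + data


def _mpint(value):
    # Positive mpint: extra leading 0x00 byte whenever the top bit would be set.
    return _wire_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


# Constructed sample lines (placeholder integers, NOT real keys), shaped like ssh-keyscan output.
SAMPLE_RSA_2048 = "fw.example.test ssh-rsa " + base64.b64encode(
    _wire_string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << 2047) | 1)).decode()
SAMPLE_DSS_1024 = "fw.example.test ssh-dss " + base64.b64encode(
    _wire_string(b"ssh-dss") + _mpint((1 << 1023) | 1) + _mpint((1 << 159) | 1)
    + _mpint(2) + _mpint(3)).decode()

if __name__ == "__main__":
    for line in (SAMPLE_RSA_2048, SAMPLE_DSS_1024):
        print(key_size_bits(line))  # ('ssh-rsa', 2048) then ('ssh-dss', 1024)
```

For a key already saved to disk, `ssh-keygen -lf <file>` reports the same bit size in its first column.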