Discuss this help topic in SecureBlackbox Forum

SSH: Configure public key algorithms

Within SSH infrastructure, public key cryptography is used for two different, independent purposes: to authenticate the server to the client and to negotiate a shared session key in secure way. Public key cryptography may also be used, and this is its third purpose, to authenticate the client to the server (yet, this one is optional). This article discusses the task of configuring public key algorithms for the purpose of server authentication. Have a look at the article about (Key exchange algorithms configuration) to find out more about key exchange algorithms and their configuration.

The public key algorithm used by the parties during their session negotiation process is chosen by both parties basing on the prioritized lists of algorithms they both support and the availability of the appropriate private key on the server. The second condition is fairly important - even if the server does support a particular public key algorithm (e.g. RSA), it must also have a keypair of the corresponding type (RSA in our example) to be able to technically perform the authentication. It is normal for a server to have several keypairs attached to it, to provide maximal compatibility with its clients, which might support different algorithms.

The set of algorithms which you want your SSH component to support can be adjusted via the PublicKeyAlgorithms property (as this is an indexed property, it might be emulated with getter and setter methods on certain platforms). Use the following syntax to enable a particular algorithm:


	server.set_PublicKeyAlgorithms(SSH_PK_RSA, true);


	server.PublicKeyAlgorithms[SSH_PK_RSA] := true;

For your convenience, there are also SSH_PK_FIRST and SSH_PK_LAST constants provided which you can use to enable or disable all algorithms in a loop:


	for (int i = SSH_PK_FIRST; i <= SSH_PK_LAST; i++) {
	      server.set_PublicKeyAlgorithms(i, false);

Additionally, you can prioritize public key algorithms, so that if the parties share several public key algorithms, the exact algorithm was chosen basing on the parties' preferences. For example, the client might prefer to use ECDSA to RSA, if both are supported. The algorithms can be prioritized via the PublicKeyAlgorithmPriorities property:


	server.set_PublicKeyAlgorithmPriorities(SSH_PK_RSA, 1);
	server.set_PublicKeyAlgorithmPriorities(SSH_PK_ECDSA_CURVE25519, 8);
	server.set_PublicKeyAlgorithmPriorities(SSH_PK_ECDSA_NIST_K571, 14);

The higher the priority of a particular algorithm is, the more preferred it is. By default, priorities of all algorithms are set to 0. Algorithm's priority value is ignored if the algorithm itself is not enabled.

Note, that you need to setup a keypair for each algorithm (RSA, DSS, ECDSA) that you enable.

How To articles about SSH server

Discuss this help topic in SecureBlackbox Forum