R2511-HP MSR Router Series Security Command Reference(V5)
447
• md5: Specifies the HMAC algorithm hmac-md5. This keyword is not available in FIPS mode.
• md5-96: Specifies the HMAC algorithm hmac-md5-96. This keyword is not available in FIPS mode.
• sha1: Specifies the HMAC algorithm hmac-sha1.
• sha1-96: Specifies the HMAC algorithm hmac-sha1-96.
prefer-kex: Specifies the preferred key exchange algorithm. The default algorithm is dh-group-exchange
in non-FIPS mode, and dh-group14 in FIPS mode.
• dh-group-exchange: Specifies the key exchange algorithm diffie-hellman-group-exchange-sha1.
This keyword is not available in FIPS mode.
• dh-group1: Specifies the key exchange algorithm diffie-hellman-group1-sha1. This keyword is not
available in FIPS mode.
• dh-group14: Specifies the key exchange algorithm diffie-hellman-group14-sha1.
prefer-stoc-cipher: Specifies the preferred server-to-client encryption algorithm. The default algorithm is
aes128.
prefer-stoc-hmac: Specifies the preferred server-to-client HMAC algorithm. The default algorithm is
sha1-96.
Usage guidelines
When the client's authentication method is publickey, the client must get the local private key for digital
signature. In non-FIPS mode, because the publickey authentication uses either RSA or DSA algorithm, you
must specify the public key algorithm of the client (by using the identity-key keyword) to get the correct
local private key.
Examples
# Log in to Stelnet server 2000::1, using the following connection scheme:
• The preferred key exchange algorithm is dh-group1.
• The preferred server-to-client encryption algorithm is aes128.
• The preferred client-to-server HMAC algorithm is md5.
• The preferred server-to-client HMAC algorithm is sha1-96.
<Sysname> ssh2 ipv6 2000::1 prefer-kex dh-group1 prefer-stoc-cipher aes128
prefer-ctos-hmac md5 prefer-stoc-hmac sha1-96