- Make sure SSHv1 is disabled (not enabled) by default
- Preferred Ciphers: ["[email protected]"], permitted Ciphers: ["aes256-ctr", "aes192-ctr"] with hmac auth macs below
- preferred Macs: ['[email protected]'], Permitted Mac: ['[email protected]']
- Preferred Kex: [ 'ecdh-sha2-nistp384'], Permitted Kex: [ 'ecdh-sha2-nistp521']
- SSH to Device using all combinations of preferred Ciphers, Macs, and Kex and make sure SSH session works
- SSH to Device using non-permitted Ciphers, Macs, and Kex and make sure SSH session fails to negotiate
Passing critera: Only preferred Ciphers/Mac/Kex should work without issues
SSH version 1 protocol is disabled by default at compile time since OpenSSH 7.0
Most systems are using OpenSSH versions above 7.0, after testing, protocol 1 can't be specified with these OpenSSH versions, both client and server. This makes it tricky to test the protocol via ssh connection.
On the other hand, protocol 1 has been widely disabled. In my opinion, we only need to check whether SSH protocol 1 is specially supported, and we can make a conclusion
Use ssh --version
on DUT to print help menu, and check if it has option '-1'
Use ssh -c {perfered/permitted cipher} admin@{dut_ip}
on test server to test if it connects successfully
Use ssh -c {cipher not allowed} admin@{dut_ip}
on test server to test if it connects failed
Use ssh -m {perfered/permitted MACs} admin@{dut_ip}
on test server to test if it connects successfully
Use ssh -m {MACs not allowed} admin@{dut_ip}
on test server to test if it connects failed
Use ssh -oKexAlgorithms={perfered/permitted Kex} admin@{dut_ip}
on test server to test if it connects successfully
Use ssh -oKexAlgorithms={Kex not allowed} admin@{dut_ip}
on test server to test if it connects failed