Supported SSH Algorithms
This guide describes the default and supported SSH algorithms in PrivX.
All the algorithms, except host-key algorithms, can be configured on PrivX Servers in /opt/privx/etc/ssh-algorithms.toml.
Algorithms can be enabled per target FQDN pattern, CIDR, or IP address.
Some algorithms are not enabled by default because they are no longer considered safe. Consider first upgrading your target host to support the default algorithms. Only enable legacy algorithms if upgrading the target host is not an option.
KEX Algorithms
Default KEX algorithms:
- ecdh-nistp521-kyber1024-sha512@ssh.com
- curve25519-frodokem1344-sha512@ssh.com
- sntrup761x25519-sha512@openssh.com
- curve25519-sha256
- curve25519-sha256@libssh.org
- ecdh-sha2-nistp521
- ecdh-sha2-nistp384
- ecdh-sha2-nistp256
- diffie-hellman-group-exchange-sha256
- diffie-hellman-group16-sha512
- diffie-hellman-group14-sha256
All supported KEX algorithms:
- ecdh-nistp521-kyber1024-sha512@ssh.com
- curve25519-frodokem1344-sha512@ssh.com
- sntrup761x25519-sha512@openssh.com
- diffie-hellman-group1-sha1
- diffie-hellman-group14-sha1
- diffie-hellman-group14-sha256
- diffie-hellman-group16-sha512
- ecdh-sha2-nistp256
- ecdh-sha2-nistp384
- ecdh-sha2-nistp521
- curve25519-sha256
- curve25519-sha256@libssh.org
- diffie-hellman-group-exchange-sha1
- diffie-hellman-group-exchange-sha256
diffie-hellman-group-exchange-* key-exchange algorithms are only supported when PrivX connects to targets, not when clients are connecting to PrivX Bastion.
Host-Key Algorithms
Supported host-key algorithms (not configurable):
- rsa-sha2-256-cert-v01@openssh.com
- rsa-sha2-512-cert-v01@openssh.com
- ssh-rsa-cert-v01@openssh.com
- ssh-dss-cert-v01@openssh.com
- ecdsa-sha2-nistp256-cert-v01@openssh.com
- ecdsa-sha2-nistp384-cert-v01@openssh.com
- ecdsa-sha2-nistp521-cert-v01@openssh.com
- ssh-ed25519-cert-v01@openssh.com
- ecdsa-sha2-nistp256
- ecdsa-sha2-nistp384
- ecdsa-sha2-nistp521
- rsa-sha2-256
- rsa-sha2-512
- ssh-rsa
- ssh-dss
- ssh-ed25519
Ciphers
Default ciphers:
- aes256-gcm@openssh.com
- aes256-ctr
- aes192-ctr
- aes128-gcm@openssh.com
- aes128-ctr
All supported ciphers:
- aes128-ctr
- aes192-ctr
- aes256-ctr
- aes128-gcm@openssh.com
- aes256-gcm@openssh.com
- chacha20-poly1305@openssh.com
- arcfour256
- arcfour128
- arcfour
- aes128-cbc
- 3des-cbc
MACs
Default MACs:
- hmac-sha2-512
- hmac-sha2-256
- hmac-sha1
- hmac-sha1-96
All supported MACs:
- hmac-sha2-512-etm@openssh.com
- hmac-sha2-256-etm@openssh.com
- hmac-sha2-256
- hmac-sha2-512
- hmac-sha1
- hmac-sha1-96
SFTP protocols
Default version:
- 6
Supported versions:
- 3
- 4
- 5
- 6
If your target host only offers an older algorithm that PrivX does not support, and adding an algorithm override configuration is not possible, a native SSH client can be used via PrivX SSH Agent instead.
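As an added check (not PrivX's own tooling), the following script compares the algorithm lists above against what a target host offers, for example as seen in `ssh -vv` output, and reports per class whether the defaults negotiate, whether a supported-but-disabled algorithm would have to be enabled for that target in ssh-algorithms.toml, or whether PrivX cannot connect at all. It assumes PrivX is the connecting client (the direction in which the group-exchange KEX is available); the target's offered lists are a constructed sample.

```python
# Algorithm lists copied from this page, in PrivX preference order.
PRIVX_DEFAULT = {
    "kex": ("ecdh-nistp521-kyber1024-sha512@ssh.com "
            "curve25519-frodokem1344-sha512@ssh.com "
            "sntrup761x25519-sha512@openssh.com curve25519-sha256 "
            "curve25519-sha256@libssh.org ecdh-sha2-nistp521 "
            "ecdh-sha2-nistp384 ecdh-sha2-nistp256 "
            "diffie-hellman-group-exchange-sha256 "
            "diffie-hellman-group16-sha512 diffie-hellman-group14-sha256").split(),
    "cipher": ("aes256-gcm@openssh.com aes256-ctr aes192-ctr "
               "aes128-gcm@openssh.com aes128-ctr").split(),
    "mac": "hmac-sha2-512 hmac-sha2-256 hmac-sha1 hmac-sha1-96".split(),
}
# Supported but not enabled by default. The page gives no preference order
# for these, so the ordering here (stronger first) is an assumption.
PRIVX_NON_DEFAULT = {
    "kex": ("diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1 "
            "diffie-hellman-group1-sha1").split(),
    "cipher": ("chacha20-poly1305@openssh.com aes128-cbc 3des-cbc "
               "arcfour256 arcfour128 arcfour").split(),
    "mac": "hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com".split(),
}

def negotiate(client_prefs, server_offers):
    """RFC 4253 section 7.1: the first algorithm in the client's preference
    list that the server also offers wins. PrivX is the client here."""
    offered = set(server_offers)
    return next((alg for alg in client_prefs if alg in offered), None)

def check_target(target_offers):
    """Per algorithm class: ('ok', alg) if the defaults negotiate, ('override', alg)
    if a supported-but-disabled algorithm would have to be enabled for this target
    in ssh-algorithms.toml, or ('unsupported', None) if PrivX cannot connect at all."""
    report = {}
    for cls in PRIVX_DEFAULT:
        offers = target_offers.get(cls, [])
        chosen = negotiate(PRIVX_DEFAULT[cls], offers)
        if chosen:
            report[cls] = ("ok", chosen)
            continue
        fallback = negotiate(PRIVX_NON_DEFAULT[cls], offers)
        report[cls] = ("override", fallback) if fallback else ("unsupported", None)
    return report

# Constructed sample: an old appliance offering only SHA-1 KEX and mostly CBC ciphers.
LEGACY_TARGET = {
    "kex": ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "cipher": ["aes128-cbc", "3des-cbc", "aes256-ctr"],
    "mac": ["hmac-sha1", "hmac-md5"],
}
```

For the sample target, `check_target(LEGACY_TARGET)` reports that ciphers and MACs negotiate with the defaults (aes256-ctr, hmac-sha1) but KEX needs diffie-hellman-group14-sha1 enabled as an override for that host.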