Supported SSH Algorithms
KEX Algorithms
Default algorithms:
- ecdh-nistp521-kyber1024-sha512@ssh.com
- curve25519-frodokem1344-sha512@ssh.com
- sntrup761x25519-sha512@openssh.com
- curve25519-sha256@libssh.org
- diffie-hellman-group14-sha1
- ecdh-sha2-nistp256
- ecdh-sha2-nistp384
- ecdh-sha2-nistp521
Supported legacy algorithms:
- diffie-hellman-group1-sha1
- diffie-hellman-group-exchange-sha1
- diffie-hellman-group-exchange-sha256
You can enable the supported legacy KEX algorithms per target FQDN pattern, CIDR or IP address by editing ssh-algorithms.toml.
Hostkey Algorithms
- ecdsa-sha2-nistp256
- ecdsa-sha2-nistp256-cert-v01@openssh.com
- ecdsa-sha2-nistp384
- ecdsa-sha2-nistp384-cert-v01@openssh.com
- ecdsa-sha2-nistp521
- ecdsa-sha2-nistp521-cert-v01@openssh.com
- ssh-ed25519
- ssh-ed25519-cert-v01@openssh.com
- ssh-dsa
- ssh-dss-cert-v01@openssh.com
- ssh-rsa
- ssh-rsa-cert-v01@openssh.com
Ciphers
Default algorithms:
- aes128-ctr
- aes128-gcm@openssh.com
- aes192-ctr
- aes256-ctr
- chacha20-poly1305@openssh.com
Supported legacy algorithms:
- arcfour256
- arcfour128
- arcfour
- aes128-cbc
- 3des-cbc
You can enable the supported legacy cipher algorithms per target FQDN pattern, CIDR or IP address by editing ssh-algorithms.toml.
MACs
- hmac-sha1
- hmac-sha1-96
- hmac-sha2-256
- hmac-sha2-256-etm@openssh.com
SFTP protocols
Default version:
- 6
Supported versions:
- 3
- 4
- 5
- 6
You can set the SFTP version per PrivX Extender, target FQDN pattern, CIDR or IP address by editing ssh-algorithms.toml.
If your target host uses an older algorithm not included in the list above and it is not possible to add an algorithm override configuration, a native SSH client via PrivX SSH Agent can be used.
The supported legacy algorithms are not enabled by default because they can no longer be considered safe to use. Consider first upgrading your target host to support the default algorithms. Only enable legacy algorithms if upgrading the target host is not an option.