Supported SSH Algorithms
This guide describes the default and supported SSH algorithms in PrivX.
All the algorithms, except host-key algorithms, can be configured on PrivX Servers in /opt/privx/etc/ssh-algorithms.toml.
Algorithms can be enabled per target FQDN pattern, CIDR, or IP address.
Some algorithms are not enabled by default because they are no longer considered safe. First consider upgrading your target host so that it supports the default algorithms. Only enable legacy algorithms if upgrading the target host is not an option.
KEX Algorithms
Default KEX algorithms:
- mlkem1024nistp384-sha384
- mlkem768nistp256-sha256
- mlkem768x25519-sha256
- ecdh-nistp521-kyber1024-sha512@ssh.com
- curve25519-frodokem1344-sha512@ssh.com
- sntrup761x25519-sha512
- sntrup761x25519-sha512@openssh.com
- curve25519-sha256
- curve25519-sha256@libssh.org
- ecdh-sha2-nistp521
- ecdh-sha2-nistp384
- ecdh-sha2-nistp256
- diffie-hellman-group-exchange-sha256
- diffie-hellman-group16-sha512
- diffie-hellman-group14-sha256
All supported KEX algorithms:
- mlkem1024nistp384-sha384
- mlkem768nistp256-sha256
- mlkem768x25519-sha256
- ecdh-nistp521-kyber1024-sha512@ssh.com
- curve25519-frodokem1344-sha512@ssh.com
- sntrup761x25519-sha512
- sntrup761x25519-sha512@openssh.com
- diffie-hellman-group1-sha1
- diffie-hellman-group14-sha1
- diffie-hellman-group14-sha256
- diffie-hellman-group16-sha512
- ecdh-sha2-nistp256
- ecdh-sha2-nistp384
- ecdh-sha2-nistp521
- curve25519-sha256
- curve25519-sha256@libssh.org
- diffie-hellman-group-exchange-sha1
- diffie-hellman-group-exchange-sha256
diffie-hellman-group-exchange-* key-exchange algorithms are only supported when PrivX connects to targets, not when clients are connecting to PrivX Bastion.
Host-Key Algorithms
- rsa-sha2-256-cert-v01@openssh.com
- rsa-sha2-512-cert-v01@openssh.com
- ssh-rsa-cert-v01@openssh.com
- ssh-dss-cert-v01@openssh.com
- ecdsa-sha2-nistp256-cert-v01@openssh.com
- ecdsa-sha2-nistp384-cert-v01@openssh.com
- ecdsa-sha2-nistp521-cert-v01@openssh.com
- ssh-ed25519-cert-v01@openssh.com
- ecdsa-sha2-nistp256
- ecdsa-sha2-nistp384
- ecdsa-sha2-nistp521
- rsa-sha2-256
- rsa-sha2-512
- ssh-rsa
- ssh-dss
- ssh-ed25519
Ciphers
Default ciphers:
- aes256-gcm@openssh.com
- aes256-ctr
- aes192-ctr
- aes128-gcm@openssh.com
- aes128-ctr
All supported ciphers:
- aes128-ctr
- aes192-ctr
- aes256-ctr
- aes128-gcm@openssh.com
- aes256-gcm@openssh.com
- chacha20-poly1305@openssh.com
- arcfour256
- arcfour128
- arcfour
- aes128-cbc
- 3des-cbc
MACs
Default MACs:
- hmac-sha2-512
- hmac-sha2-256
- hmac-sha1
- hmac-sha1-96
All supported MACs:
- hmac-sha2-512-etm@openssh.com
- hmac-sha2-256-etm@openssh.com
- hmac-sha2-256
- hmac-sha2-512
- hmac-sha1
- hmac-sha1-96
SFTP protocols
Default version:
- 6
Supported versions:
- 3
- 4
- 5
- 6
If your target host only accepts an older algorithm that PrivX does not support, and adding an algorithm-override configuration is not possible, a native SSH client via the PrivX SSH Agent can be used instead.
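The decision this page describes (default algorithms first, a per-target override for supported-but-disabled algorithms only when upgrading is impossible, and the SSH Agent path when the target needs something PrivX does not support at all) can be checked mechanically against a target's advertised algorithm lists. The following is an added example, not part of PrivX or this guide; the offered name-lists are constructed sample input, and the `to_target` flag encodes the group-exchange restriction noted under KEX Algorithms.

```python
# Added example, not PrivX's own code: classify a peer's SSH algorithm offer
# against the default / non-default sets listed on this page. Input is a
# constructed SSH name-list (comma-separated, as in KEXINIT or `ssh -vv` output).
DEFAULT = {
    "kex": {
        "mlkem1024nistp384-sha384", "mlkem768nistp256-sha256", "mlkem768x25519-sha256",
        "ecdh-nistp521-kyber1024-sha512@ssh.com", "curve25519-frodokem1344-sha512@ssh.com",
        "sntrup761x25519-sha512", "sntrup761x25519-sha512@openssh.com",
        "curve25519-sha256", "curve25519-sha256@libssh.org",
        "ecdh-sha2-nistp521", "ecdh-sha2-nistp384", "ecdh-sha2-nistp256",
        "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512",
        "diffie-hellman-group14-sha256",
    },
    "cipher": {"aes256-gcm@openssh.com", "aes256-ctr", "aes192-ctr",
               "aes128-gcm@openssh.com", "aes128-ctr"},
    "mac": {"hmac-sha2-512", "hmac-sha2-256", "hmac-sha1", "hmac-sha1-96"},
}
# Supported but not enabled by default; enable only per target FQDN/CIDR/IP.
NON_DEFAULT = {
    "kex": {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1"},
    "cipher": {"chacha20-poly1305@openssh.com", "arcfour256", "arcfour128",
               "arcfour", "aes128-cbc", "3des-cbc"},
    "mac": {"hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com"},
}
GEX_PREFIX = "diffie-hellman-group-exchange-"  # only when PrivX connects to targets

def parse_name_list(offer: str) -> list[str]:
    """Split an SSH name-list (comma-separated, no spaces) into names, in offer order."""
    return [n for n in offer.strip().split(",") if n]

def assess(kind: str, offer: str, to_target: bool = True) -> dict:
    """Verdict for one class ('kex', 'cipher' or 'mac') of a peer's offered names.
    to_target=False models a client connecting to PrivX Bastion (no group-exchange)."""
    names = parse_name_list(offer)
    default, non_default = set(DEFAULT[kind]), set(NON_DEFAULT[kind])
    if not to_target:  # group-exchange KEX is not available towards clients at all
        default = {n for n in default if not n.startswith(GEX_PREFIX)}
        non_default = {n for n in non_default if not n.startswith(GEX_PREFIX)}
    usable = [n for n in names if n in default]
    if usable:
        return {"status": "ok", "usable": usable}
    overrides = [n for n in names if n in non_default]
    if overrides:
        return {"status": "override-needed", "enable": overrides}
    return {"status": "unsupported", "enable": []}  # native client via PrivX SSH Agent

def assess_host(kex: str, cipher: str, mac: str, to_target: bool = True) -> dict:
    return {k: assess(k, v, to_target) for k, v in [("kex", kex), ("cipher", cipher), ("mac", mac)]}
```

A host is reachable with the defaults only when all three classes report `ok`; any `override-needed` entry lists exactly the names that would have to be enabled for that target in ssh-algorithms.toml.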