Supported SSH Algorithms

This guide describes the default and supported SSH algorithms in PrivX. All the algorithms, except host-key algorithms, can be configured on PrivX Servers in /opt/privx/etc/ssh-algorithms.toml. Algorithms can be enabled per target FQDN pattern, CIDR, or IP address.

info

Some algorithms are not enabled by default because they aren't considered safe anymore. Consider first upgrading your target host to support the default algorithms. Only enable legacy algorithms if target host upgrade is not an option.

KEX Algorithms

Default KEX algorithms:

• mlkem1024nistp384-sha384
• mlkem768nistp256-sha256
• mlkem768x25519-sha256
• ecdh-nistp521-kyber1024-sha512@ssh.com
• curve25519-frodokem1344-sha512@ssh.com
• sntrup761x25519-sha512
• sntrup761x25519-sha512@openssh.com
• curve25519-sha256
• curve25519-sha256@libssh.org
• ecdh-sha2-nistp521
• ecdh-sha2-nistp384
• ecdh-sha2-nistp256
• diffie-hellman-group-exchange-sha256
• diffie-hellman-group16-sha512
• diffie-hellman-group14-sha256

All supported KEX algorithms:

• mlkem1024nistp384-sha384
• mlkem768nistp256-sha256
• mlkem768x25519-sha256
• ecdh-nistp521-kyber1024-sha512@ssh.com
• curve25519-frodokem1344-sha512@ssh.com
• sntrup761x25519-sha512
• sntrup761x25519-sha512@openssh.com
• diffie-hellman-group1-sha1
• diffie-hellman-group14-sha1
• diffie-hellman-group14-sha256
• diffie-hellman-group16-sha512
• ecdh-sha2-nistp256
• ecdh-sha2-nistp384
• ecdh-sha2-nistp521
• curve25519-sha256
• curve25519-sha256@libssh.org
• diffie-hellman-group-exchange-sha1
• diffie-hellman-group-exchange-sha256

info

diffie-hellman-group-exchange-* key-exchange algorithms are only supported when PrivX connects to targets, not when clients are connecting to PrivX Bastion.

Host-Key Algorithms

• rsa-sha2-256-cert-v01@openssh.com
• rsa-sha2-512-cert-v01@openssh.com
• ssh-rsa-cert-v01@openssh.com
• ssh-dss-cert-v01@openssh.com
• ecdsa-sha2-nistp256-cert-v01@openssh.com
• ecdsa-sha2-nistp384-cert-v01@openssh.com
• ecdsa-sha2-nistp521-cert-v01@openssh.com
• ssh-ed25519-cert-v01@openssh.com
• ecdsa-sha2-nistp256
• ecdsa-sha2-nistp384
• ecdsa-sha2-nistp521
• rsa-sha2-256
• rsa-sha2-512
• ssh-rsa
• ssh-dss
• ssh-ed25519

Ciphers

Default ciphers:

• aes256-gcm@openssh.com
• aes256-ctr
• aes192-ctr
• aes128-gcm@openssh.com
• aes128-ctr

All supported ciphers:

• aes128-ctr
• aes192-ctr
• aes256-ctr
• aes128-gcm@openssh.com
• aes256-gcm@openssh.com
• chacha20-poly1305@openssh.com
• arcfour256
• arcfour128
• arcfour
• aes128-cbc
• 3des-cbc

MACs

Default MACs:

• hmac-sha2-512
• hmac-sha2-256
• hmac-sha1
• hmac-sha1-96

All supported MACs:

• hmac-sha2-512-etm@openssh.com
• hmac-sha2-256-etm@openssh.com
• hmac-sha2-256
• hmac-sha2-512
• hmac-sha1
• hmac-sha1-96

SFTP protocols

Default version:

• 6

Supported versions:

• 3
• 4
• 5
• 6

info

If your target host uses an older unsupported algorithm, and it is not possible to add an algorithm override configuration, a native SSH client via PrivX SSH Agent can be used.