Version: v40

Supported SSH Algorithms

This guide describes the default and supported SSH algorithms in PrivX. All algorithms except host-key algorithms can be configured on PrivX Servers in /opt/privx/etc/ssh-algorithms.toml. Algorithms can be enabled per target FQDN pattern, CIDR, or IP address.

info

Some algorithms are not enabled by default because they are no longer considered safe. Consider first upgrading your target host to support the default algorithms. Only enable legacy algorithms if upgrading the target host is not an option.

KEX Algorithms

Default KEX algorithms:

All supported KEX algorithms:

info

diffie-hellman-group-exchange-* key-exchange algorithms are only supported when PrivX connects to targets, not when clients are connecting to PrivX Bastion.

Host-Key Algorithms

Ciphers

Default ciphers:

All supported ciphers:

MACs

Default MACs:

  • hmac-sha2-512
  • hmac-sha2-256
  • hmac-sha1
  • hmac-sha1-96
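To see which of these default MACs a given target host would actually end up with, here is an added example (not PrivX code) that parses a target's SSH_MSG_KEXINIT per RFC 4253, applies the standard first-match negotiation rule with the default MAC list above on the PrivX (client) side, and flags a SHA-1 result so the target can be scheduled for an upgrade. The sample KEXINIT payload and its algorithm names are constructed for the example.

```python
import struct

# Default PrivX MACs as listed on this page, in preference order.
PRIVX_DEFAULT_MACS = ["hmac-sha2-512", "hmac-sha2-256", "hmac-sha1", "hmac-sha1-96"]
# SHA-1 MACs negotiate by default but are worth flagging so a target upgrade can be planned.
LEGACY_MACS = {"hmac-sha1", "hmac-sha1-96"}
SSH_MSG_KEXINIT = 20
# The ten name-lists of SSH_MSG_KEXINIT in wire order (RFC 4253, section 7.1).
KEXINIT_FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def parse_kexinit(payload: bytes) -> dict:
    # Decode the name-lists of a KEXINIT payload into {field: [algorithm, ...]}.
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, lists = 17, {}  # skip the message id and the 16-byte random cookie
    for field in KEXINIT_FIELDS:
        (length,) = struct.unpack_from(">I", payload, pos)
        raw = payload[pos + 4:pos + 4 + length]
        if len(raw) != length:
            raise ValueError("truncated name-list for " + field)
        pos += 4 + length
        lists[field] = raw.decode("ascii").split(",") if raw else []
    return lists

def negotiate(client_prefs, server_prefs):
    # RFC 4253 rule: the first algorithm in the client's list that the server also lists.
    return next((alg for alg in client_prefs if alg in server_prefs), None)

def check_target_macs(target_kexinit: bytes, privx_macs=PRIVX_DEFAULT_MACS) -> dict:
    # PrivX is the SSH client when it connects to a target, so its list drives the choice.
    lists = parse_kexinit(target_kexinit)
    chosen = {d: negotiate(privx_macs, lists[d]) for d in ("mac_c2s", "mac_s2c")}
    return {d: {"mac": m, "legacy": m in LEGACY_MACS} for d, m in chosen.items()}

def build_kexinit(**name_lists) -> bytes:
    # Encode a KEXINIT payload (zero cookie, no guessed first packet) for offline testing.
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    for field in KEXINIT_FIELDS:
        raw = ",".join(name_lists.get(field, [])).encode("ascii")
        body += struct.pack(">I", len(raw)) + raw
    return body + b"\x00" + struct.pack(">I", 0)

# Constructed sample: a target host that only advertises SHA-1 based MACs.
SAMPLE_TARGET = build_kexinit(kex=["diffie-hellman-group14-sha1"], host_key=["ssh-rsa"],
                              enc_c2s=["aes128-ctr"], enc_s2c=["aes128-ctr"],
                              mac_c2s=["hmac-sha1-96", "hmac-sha1"], mac_s2c=["hmac-sha1"],
                              comp_c2s=["none"], comp_s2c=["none"])
```

A real target's KEXINIT can be captured from the first packets of a connection; a `None` result means the host would need an override in ssh-algorithms.toml or the SSH Agent route described at the end of this page.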

All supported MACs:

SFTP protocols

Default version:

  • 6

Supported versions:

  • 3
  • 4
  • 5
  • 6

info

If your target host uses an older, unsupported algorithm and it is not possible to add an algorithm override configuration, a native SSH client can be used via the PrivX SSH Agent.