Ciphers and MACs
The algorithm(s) used for symmetric session encryption can be chosen in the sshd2_config and ssh2_config files:
The system will attempt to use the different encryption ciphers in the sequence specified on the line. Currently supported cipher names are the following:
- 3des-cbc
- aes128-cbc
- aes192-cbc
- aes256-cbc
- arcfour
- blowfish-cbc
- cast128-cbc
- twofish-cbc
- twofish128-cbc
- twofish192-cbc
- twofish256-cbc
- cast128-12-cbc@ssh.com
- des-cbc@ssh.com
- seed-cbc@ssh.com
- rijndael-cbc@ssh.com
In the FIPS mode, the following ciphers are supported:
- 3des-cbc
- aes128-cbc
- aes192-cbc
- aes256-cbc
- des-cbc@ssh.com
Special values for this option are the following:
- Any: allows all the cipher values including none
- AnyStd: allows only standard ciphers and none
- none: forbids any use of encryption
- AnyCipher: allows any available cipher apart from the non-encrypting cipher mode none
- AnyStdCipher: the same as AnyCipher, but includes only those ciphers mentioned in IETF-SecSh-draft (excluding none). This is the default value.
The MAC (Message Authentication Code) algorithm(s) used for data integrity verification can be selected in the sshd2_config and ssh2_config files:
The system will attempt to use the different HMAC algorithms in the sequence they are specified on the line. Supported MAC names are the following:
- hmac-md5
- hmac-md5-96
- hmac-sha1
- hmac-sha1-96
- hmac-sha256@ssh.com
- hmac-sha256-96@ssh.com
In the FIPS mode, only hmac-sha1 is supported.
Special values for this option are the following:
- Any: allows all the MAC values including none
- AnyStd: allows only standard MACs and none
- none: forbids any use of MACs
- AnyMac: allows any available MAC apart from none
- AnyStdMac: the same as AnyMac, but includes only those MACs mentioned in IETF-SecSh-draft (excluding none). This is the default value.
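
The following Python script is an added example, not part of the original documentation. It audits cipher and MAC lists for the special values described above that admit none, and optionally for names outside the FIPS-mode lists. The keyword names Ciphers and MACs, the whitespace-separated "keyword value" layout and "#" comments are assumptions about the configuration file syntax, and the sample configuration is constructed.

```python
# Added example: audit Ciphers/MACs settings against the lists on this page.
# Algorithm names are compared exactly because they are case-sensitive.
FIPS = {
    "ciphers": {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
                "des-cbc@ssh.com"},
    "macs": {"hmac-sha1"},
}
# Special values that the page says admit "none" (no encryption / no MAC).
ALLOWS_NONE = {"Any", "AnyStd", "none"}

# Constructed sample. The "Ciphers"/"MACs" keywords, the "keyword value"
# layout and "#" comments are assumptions about the config file syntax.
SAMPLE = """\
# constructed sshd2_config fragment
Ciphers    aes256-cbc,twofish-cbc,AnyStd
MACs       hmac-sha1,hmac-md5
"""


def audit(text, fips=False):
    """Return (line_no, keyword, name, reason) for each risky list entry."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) != 2 or parts[0].lower() not in FIPS:
            continue  # blank line, comment, or an unrelated keyword
        keyword, value = parts
        for name in (n.strip() for n in value.split(",")):
            if not name:
                continue
            if name in ALLOWS_NONE:
                reason = "permits none"
            elif fips and name not in FIPS[keyword.lower()]:
                reason = "not in FIPS-mode list"
            else:
                continue
            findings.append((line_no, keyword, name, reason))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, fips=True):
        print("line %d: %s %s: %s" % finding)
```
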
Both cipher and MAC can also be defined using command-line arguments with ssh2 and scp2:
$ scp2 -c twofish -m hmac-md5 foobar user@remote:./tmp
Note: Algorithm names are case-sensitive.