SSH Cipher Support
This topic details SSH cipher suite encryption, key exchange, and MAC algorithms.
Enable FIPS in Secret Server to ensure all algorithms are FIPS-certified.
SecureBlackbox enables all available SSH encryption, key exchange, and MAC algorithms by default.
This information applies to the following as of Secret Server 11.2.X (June 2022).
- SSH Server: Used by SSH proxy
- SSH Client: Used by SSH proxy, RPC, heartbeat, discovery, and script runners.
- Local port forwarding: Used by SSH proxy Jumpbox routes)
Secret Server with FIPS Enabled
Default Encryption Algorithms, FIPS
The algorithm with highest priority is chosen first, if unsuccessful, the next highest is attempted. The table is ordered by priority.
| SSH Cipher | Secure Blackbox Encryption Algorithm | Priority |
|---|---|---|
| aes256-gcm@openssh.com | SSH_EA_AES256_GCM_OPENSSH | 2147483646 |
| aes128-gcm@openssh.com | SSH_EA_AES128_GCM_OPENSSH | 2147483645 |
| aes256-gcm | SSH_EA_AES256_GCM | 2147483644 |
| aes128-gcm | SSH_EA_AES128_GCM | 2147483643 |
| aes256-ctr | SSH_EA_AES256_CTR | 2147483642 |
| aes192-ctr | SSH_EA_AES192_CTR | 2147483641 |
| aes128-ctr | SSH_EA_AES128_CTR | 2147483640 |
| aes256-cbc | SSH_EA_AES256 | 2147483639 |
| aes128-cbc | SSH_EA_AES128 | 2147483638 |
| 3des-cbc | SSH_EA_3DES | 2147483637 |
Default Key Exchange Algorithms, FIPS
The algorithm with highest priority is chosen first, if unsuccessful, the next highest is attempted. The table is ordered by priority.
| SSH KexAlgorithm | Secure Blackbox Key Exchange Algorithm | Priority |
|---|---|---|
| curve25519-sha256@libssh.org | SSH_KEX_CURVE25519 | 2147483646 |
| diffie-hellman-group-exchange-sha256 | SSH_KEX_DH_GROUP_EXCHANGE256 | 2147483645 |
| diffie-hellman-group14-sha1 | SSH_KEX_DH_GROUP_14 | 2147483644 |
| diffie-hellman-group-exchange-sha1 | SSH_KEX_DH_GROUP_EXCHANGE | 2147483643 |
| diffie-hellman-group14-sha256 | SSH_KEX_DH_GROUP_14_SHA256 | 2147483642 |
| ecdh-sha2-nistp521 | SSH_KEX_ECDH_NIST_P521 | 2147483641 |
| ecdh-sha2-nistp384 | SSH_KEX_ECDH_NIST_P384 | 2147483640 |
| ecdh-sha2-nistp256 | SSH_KEX_ECDH_NIST_P256 | 2147483639 |
Default MAC Algorithms, FIPS
The algorithm with highest priority is chosen first, if unsuccessful, the next highest is attempted. The table is ordered by priority.
| SSH MAC | Secure Blackbox MAC Algorithm | Priority |
|---|---|---|
| chacha20-poly1305@openssh.com | SSH_MA_POLY1305 | 2147483646 |
| aes256-gcm | SSH_MA_AES256_GCM | 2147483645 |
| aes128-gcm | SSH_MA_AES128_GCM | 2147483644 |
| hmac-sha2-512 | SSH_MA_HMAC_SHA2_512 | 2147483643 |
| hmac-sha2-256 | SSH_MA_HMAC_SHA2_256 | 2147483642 |
| hmac-sha256@ssh.com | SSH_MA_HMAC_SHA256 | 2147483641 |
| hmac-sha256-96@ssh.com | SSH_MA_HMAC_SHA256_96 | 2147483640 |
| hmac-sha1 | SSH_MA_HMAC_SHA1 | 2147483639 |
Secret Server with FIPS Disabled
Default Encryption Algorithms, Non-FIPS
The algorithm with highest priority is chosen first, if unsuccessful, the next highest is attempted. The table is ordered by priority.
| SSH Cipher | Secure Blackbox Encryption Algorithm | Priority |
|---|---|---|
| aes256-gcm@openssh.com | SSH_EA_AES256_GCM_OPENSSH | 2147483646 |
| aes128-gcm@openssh.com | SSH_EA_AES128_GCM_OPENSSH | 2147483645 |
| aes256-gcm | SSH_EA_AES256_GCM | 2147483644 |
| aes128-gcm | SSH_EA_AES128_GCM | 2147483643 |
| aes256-ctr | SSH_EA_AES256_CTR | 2147483642 |
| aes192-ctr | SSH_EA_AES192_CTR | 2147483641 |
| aes128-ctr | SSH_EA_AES128_CTR | 2147483640 |
| aes256-cbc | SSH_EA_AES256 | 2147483639 |
| aes192-cbc | SSH_EA_AES192 | 2147483638 |
| aes128-cbc | SSH_EA_AES128 | 2147483637 |
| 3des-cbc | SSH_EA_3DES | 2147483636 |
| twofish256-cbc | SSH_EA_TWOFISH256 | 36 |
| twofish192-cbc | SSH_EA_TWOFISH192 | 35 |
| twofish128-cbc | SSH_EA_TWOFISH128 | 34 |
| serpent256-cbc | SSH_EA_SERPENT256 | 33 |
| serpent192-cbc | SSH_EA_SERPENT192 | 32 |
| serpent128-cbc | SSH_EA_SERPENT128 | 31 |
| blowfish-cbc | SSH_EA_BLOWFISH | 30 |
| twofish128-ctr | SSH_EA_TWOFISH128_CTR | 29 |
| twofish192-ctr | SSH_EA_TWOFISH192_CTR | 28 |
| twofish256-ctr | SSH_EA_TWOFISH256_CTR | 27 |
| serpent128-ctr | SSH_EA_SERPENT128_CTR | 26 |
| serpent192-ctr | SSH_EA_SERPENT192_CTR | 25 |
| serpent256-ctr | SSH_EA_SERPENT256_CTR | 24 |
| blowfish-ctr | SSH_EA_BLOWFISH_CTR | 23 |
| idea-ctr | SSH_EA_IDEA_CTR | 22 |
| cast128-ctr | SSH_EA_CAST128_CTR | 21 |
| arcfour128 | SSH_EA_ARCFOUR128 | 20 |
| arcfour256 | SSH_EA_ARCFOUR256 | 19 |
| cast128-cbc | SSH_EA_CAST128 | 18 |
| 3des-cbc | SSH_EA_3DES | 17 |
| 3des-ctr | SSH_EA_3DES_CTR | 16 |
| chacha20-poly1305 | SSH_EA_CHACHA20 | 15 |
| arcfour | SSH_EA_ARCFOUR | 14 |
| idea-cbc | SSH_EA_IDEA | 13 |
| chacha20-poly1305@openssh.com | SSH_EA_CHACHA20_OPENSSH | 12 |
| des-cbc | SSH_EA_DES | 11 |
| none | SSH_EA_NONE | 10 |
Default Key Exchange Algorithms, Non-FIPS
The algorithm with highest priority is chosen first, if unsuccessful, the next highest is attempted. The table is ordered by priority.
| SSH KexAlgorithm | Secure Blackbox Key Exchange Algorithm | Priority |
|---|---|---|
| curve25519-sha256@libssh.org | SSH_KEX_CURVE25519 | 2147483646 |
| diffie-hellman-group-exchange-sha256 | SSH_KEX_DH_GROUP_EXCHANGE256 | 2147483645 |
| diffie-hellman-group14-sha1 | SSH_KEX_DH_GROUP_14 | 2147483644 |
| diffie-hellman-group1-sha1 | SSH_KEX_DH_GROUP | 2147483643 |
| diffie-hellman-group-exchange-sha1 | SSH_KEX_DH_GROUP_EXCHANGE | 2147483642 |
| diffie-hellman-group14-sha256 | SSH_KEX_DH_GROUP_14_SHA256 | 2147483641 |
| ecdh-sha2-nistp521 | SSH_KEX_ECDH_NIST_P521 | 2147483640 |
| ecdh-sha2-nistp384 | SSH_KEX_ECDH_NIST_P384 | 2147483639 |
| ecdh-sha2-nistp256 | SSH_KEX_ECDH_NIST_P256 | 2147483638 |
Default MAC Algorithms, Non-FIPS
The algorithm with highest priority is chosen first, if unsuccessful, the next highest is attempted. The table is ordered by priority.
| SSH MAC | Secure Blackbox MAC Algorithm | Priority |
|---|---|---|
| chacha20-poly1305@openssh.com | SSH_MA_POLY1305 | 2147483646 |
| aes256-gcm | SSH_MA_AES256_GCM | 2147483645 |
| aes128-gcm | SSH_MA_AES128_GCM | 2147483644 |
| hmac-sha2-512 | SSH_MA_HMAC_SHA2_512 | 2147483643 |
| hmac-sha2-256 | SSH_MA_HMAC_SHA2_256 | 2147483642 |
| hmac-sha256@ssh.com | SSH_MA_HMAC_SHA256 | 2147483641 |
| hmac-sha256-96@ssh.com | SSH_MA_HMAC_SHA256_96 | 2147483640 |
| hmac-sha1 | SSH_MA_HMAC_SHA1 | 2147483639 |
| umac-128@openssh.com | SSH_MA_UMAC128 | 2147483638 |
| umac-96@openssh.com | SSH_MA_UMAC96 | 2147483637 |
| umac-64@openssh.com | SSH_MA_UMAC64 | 2147483636 |
| umac-32@openssh.com | SSH_MA_UMAC32 | 2147483635 |
| hmac-sha2-512-etm@openssh.com | SSH_MA_HMAC_SHA2_512_ETM | 28 |
| hmac-sha2-256-etm@openssh.com | SSH_MA_HMAC_SHA2_256_ETM | 27 |
| hmac-sha256-96@ssh.com | SSH_MA_HMAC_SHA256_96 | 24 |
| hmac-ripemd160 | SSH_MA_HMAC_RIPEMD160 | 23 |
| hmac-ripemd | SSH_MA_HMAC_RIPEMD | 22 |
| hmac-ripemd160@openssh.com | SSH_MA_HMAC_RIPEMD_OPENSSH | 21 |
| hmac-sha1-96 | SSH_MA_HMAC_SHA1_96 | 15 |
| hmac-md5 | SSH_MA_HMAC_MD5 | 13 |
| hmac-md5-96 | SSH_MA_HMAC_MD5_96 | 12 |
| none | SSH_MA_NONE | 10 |
