SSH Cipher Support
You are viewing documentation for a version of Secret Server that is no longer supported. Delinea supports Secret Server for one year after release. This version has passed that window and will no longer receive updates. We strongly recommend upgrading to a supported version. Visit the current version of this page for the latest documentation.
This topic details SSH cipher suite encryption, key exchange, and MAC algorithms.
Enable FIPS in Secret Server to ensure all algorithms are FIPS-certified.
SecureBlackbox enables all available SSH encryption, key exchange, and MAC algorithms by default.
This information applies to the following as of Secret Server 11.2.X (June 2022):
- SSH Server: Used by SSH proxy
- SSH Client: Used by SSH proxy, RPC, heartbeat, discovery, and script runners
- Local port forwarding: Used by SSH proxy (Jumpbox routes)
Secret Server with FIPS Enabled
Default Encryption Algorithms, FIPS
The algorithm with the highest priority is tried first; if it is unsuccessful, the next highest is attempted. The table is ordered by priority.
| Algorithm | Identifier | Priority |
|---|---|---|
| aes256-gcm@openssh.com | SSH_EA_AES256_GCM_OPENSSH | 2147483646 |
| aes128-gcm@openssh.com | SSH_EA_AES128_GCM_OPENSSH | 2147483645 |
| aes256-gcm | SSH_EA_AES256_GCM | 2147483644 |
| aes128-gcm | SSH_EA_AES128_GCM | 2147483643 |
| aes256-ctr | SSH_EA_AES256_CTR | 2147483642 |
| aes192-ctr | SSH_EA_AES192_CTR | 2147483641 |
| aes128-ctr | SSH_EA_AES128_CTR | 2147483640 |
| aes256-cbc | SSH_EA_AES256 | 2147483639 |
| aes128-cbc | SSH_EA_AES128 | 2147483638 |
| 3des-cbc | SSH_EA_3DES | 2147483637 |
Default Key Exchange Algorithms, FIPS
The algorithm with the highest priority is tried first; if it is unsuccessful, the next highest is attempted. The table is ordered by priority.
| Algorithm | Identifier | Priority |
|---|---|---|
| curve25519-sha256@libssh.org | SSH_KEX_CURVE25519 | 2147483646 |
| diffie-hellman-group-exchange-sha256 | SSH_KEX_DH_GROUP_EXCHANGE256 | 2147483645 |
| diffie-hellman-group14-sha1 | SSH_KEX_DH_GROUP_14 | 2147483644 |
| diffie-hellman-group-exchange-sha1 | SSH_KEX_DH_GROUP_EXCHANGE | 2147483643 |
| diffie-hellman-group14-sha256 | SSH_KEX_DH_GROUP_14_SHA256 | 2147483642 |
| ecdh-sha2-nistp521 | SSH_KEX_ECDH_NIST_P521 | 2147483641 |
| ecdh-sha2-nistp384 | SSH_KEX_ECDH_NIST_P384 | 2147483640 |
| ecdh-sha2-nistp256 | SSH_KEX_ECDH_NIST_P256 | 2147483639 |
Default MAC Algorithms, FIPS
The algorithm with the highest priority is tried first; if it is unsuccessful, the next highest is attempted. The table is ordered by priority.
| Algorithm | Identifier | Priority |
|---|---|---|
| chacha20-poly1305@openssh.com | SSH_MA_POLY1305 | 2147483646 |
| aes256-gcm | SSH_MA_AES256_GCM | 2147483645 |
| aes128-gcm | SSH_MA_AES128_GCM | 2147483644 |
| hmac-sha2-512 | SSH_MA_HMAC_SHA2_512 | 2147483643 |
| hmac-sha2-256 | SSH_MA_HMAC_SHA2_256 | 2147483642 |
| hmac-sha256@ssh.com | SSH_MA_HMAC_SHA256 | 2147483641 |
| hmac-sha256-96@ssh.com | SSH_MA_HMAC_SHA256_96 | 2147483640 |
| hmac-sha1 | SSH_MA_HMAC_SHA1 | 2147483639 |
Secret Server with FIPS Disabled
Default Encryption Algorithms, Non-FIPS
The algorithm with the highest priority is tried first; if it is unsuccessful, the next highest is attempted. The table is ordered by priority.
| Algorithm | Identifier | Priority |
|---|---|---|
| aes256-gcm@openssh.com | SSH_EA_AES256_GCM_OPENSSH | 2147483646 |
| aes128-gcm@openssh.com | SSH_EA_AES128_GCM_OPENSSH | 2147483645 |
| aes256-gcm | SSH_EA_AES256_GCM | 2147483644 |
| aes128-gcm | SSH_EA_AES128_GCM | 2147483643 |
| aes256-ctr | SSH_EA_AES256_CTR | 2147483642 |
| aes192-ctr | SSH_EA_AES192_CTR | 2147483641 |
| aes128-ctr | SSH_EA_AES128_CTR | 2147483640 |
| aes256-cbc | SSH_EA_AES256 | 2147483639 |
| aes192-cbc | SSH_EA_AES192 | 2147483638 |
| aes128-cbc | SSH_EA_AES128 | 2147483637 |
| 3des-cbc | SSH_EA_3DES | 2147483636 |
| twofish256-cbc | SSH_EA_TWOFISH256 | 36 |
| twofish192-cbc | SSH_EA_TWOFISH192 | 35 |
| twofish128-cbc | SSH_EA_TWOFISH128 | 34 |
| serpent256-cbc | SSH_EA_SERPENT256 | 33 |
| serpent192-cbc | SSH_EA_SERPENT192 | 32 |
| serpent128-cbc | SSH_EA_SERPENT128 | 31 |
| blowfish-cbc | SSH_EA_BLOWFISH | 30 |
| twofish128-ctr | SSH_EA_TWOFISH128_CTR | 29 |
| twofish192-ctr | SSH_EA_TWOFISH192_CTR | 28 |
| twofish256-ctr | SSH_EA_TWOFISH256_CTR | 27 |
| serpent128-ctr | SSH_EA_SERPENT128_CTR | 26 |
| serpent192-ctr | SSH_EA_SERPENT192_CTR | 25 |
| serpent256-ctr | SSH_EA_SERPENT256_CTR | 24 |
| blowfish-ctr | SSH_EA_BLOWFISH_CTR | 23 |
| idea-ctr | SSH_EA_IDEA_CTR | 22 |
| cast128-ctr | SSH_EA_CAST128_CTR | 21 |
| arcfour128 | SSH_EA_ARCFOUR128 | 20 |
| arcfour256 | SSH_EA_ARCFOUR256 | 19 |
| cast128-cbc | SSH_EA_CAST128 | 18 |
| 3des-cbc | SSH_EA_3DES | 17 |
| 3des-ctr | SSH_EA_3DES_CTR | 16 |
| chacha20-poly1305 | SSH_EA_CHACHA20 | 15 |
| arcfour | SSH_EA_ARCFOUR | 14 |
| idea-cbc | SSH_EA_IDEA | 13 |
| chacha20-poly1305@openssh.com | SSH_EA_CHACHA20_OPENSSH | 12 |
| des-cbc | SSH_EA_DES | 11 |
| none | SSH_EA_NONE | 10 |
Default Key Exchange Algorithms, Non-FIPS
The algorithm with the highest priority is tried first; if it is unsuccessful, the next highest is attempted. The table is ordered by priority.
| Algorithm | Identifier | Priority |
|---|---|---|
| curve25519-sha256@libssh.org | SSH_KEX_CURVE25519 | 2147483646 |
| diffie-hellman-group-exchange-sha256 | SSH_KEX_DH_GROUP_EXCHANGE256 | 2147483645 |
| diffie-hellman-group14-sha1 | SSH_KEX_DH_GROUP_14 | 2147483644 |
| diffie-hellman-group1-sha1 | SSH_KEX_DH_GROUP | 2147483643 |
| diffie-hellman-group-exchange-sha1 | SSH_KEX_DH_GROUP_EXCHANGE | 2147483642 |
| diffie-hellman-group14-sha256 | SSH_KEX_DH_GROUP_14_SHA256 | 2147483641 |
| ecdh-sha2-nistp521 | SSH_KEX_ECDH_NIST_P521 | 2147483640 |
| ecdh-sha2-nistp384 | SSH_KEX_ECDH_NIST_P384 | 2147483639 |
| ecdh-sha2-nistp256 | SSH_KEX_ECDH_NIST_P256 | 2147483638 |
Default MAC Algorithms, Non-FIPS
The algorithm with the highest priority is tried first; if it is unsuccessful, the next highest is attempted. The table is ordered by priority.
| Algorithm | Identifier | Priority |
|---|---|---|
| chacha20-poly1305@openssh.com | SSH_MA_POLY1305 | 2147483646 |
| aes256-gcm | SSH_MA_AES256_GCM | 2147483645 |
| aes128-gcm | SSH_MA_AES128_GCM | 2147483644 |
| hmac-sha2-512 | SSH_MA_HMAC_SHA2_512 | 2147483643 |
| hmac-sha2-256 | SSH_MA_HMAC_SHA2_256 | 2147483642 |
| hmac-sha256@ssh.com | SSH_MA_HMAC_SHA256 | 2147483641 |
| hmac-sha256-96@ssh.com | SSH_MA_HMAC_SHA256_96 | 2147483640 |
| hmac-sha1 | SSH_MA_HMAC_SHA1 | 2147483639 |
| umac-128@openssh.com | SSH_MA_UMAC128 | 2147483638 |
| umac-96@openssh.com | SSH_MA_UMAC96 | 2147483637 |
| umac-64@openssh.com | SSH_MA_UMAC64 | 2147483636 |
| umac-32@openssh.com | SSH_MA_UMAC32 | 2147483635 |
| hmac-sha2-512-etm@openssh.com | SSH_MA_HMAC_SHA2_512_ETM | 28 |
| hmac-sha2-256-etm@openssh.com | SSH_MA_HMAC_SHA2_256_ETM | 27 |
| hmac-sha256-96@ssh.com | SSH_MA_HMAC_SHA256_96 | 24 |
| hmac-ripemd160 | SSH_MA_HMAC_RIPEMD160 | 23 |
| hmac-ripemd | SSH_MA_HMAC_RIPEMD | 22 |
| hmac-ripemd160@openssh.com | SSH_MA_HMAC_RIPEMD_OPENSSH | 21 |
| hmac-sha1-96 | SSH_MA_HMAC_SHA1_96 | 15 |
| hmac-md5 | SSH_MA_HMAC_MD5 | 13 |
| hmac-md5-96 | SSH_MA_HMAC_MD5_96 | 12 |
| none | SSH_MA_NONE | 10 |
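The priority rule stated for each table can be used to check which algorithm a given peer would end up with. The following Python code is an added example, not Delinea or SecureBlackbox code: it tries an excerpt of the encryption tables from highest to lowest priority, picks the first algorithm the peer offers, and flags results that fall on a deny-list. The peer names, their offers, and the deny-list are assumptions made for the example.

```python
# Added example. Rows are (algorithm, priority) pairs excerpted from the
# encryption tables on this page; peer offers are constructed samples.
NON_FIPS = [
    ("aes256-gcm@openssh.com", 2147483646), ("aes256-ctr", 2147483642),
    ("aes128-ctr", 2147483640), ("aes256-cbc", 2147483639),
    ("3des-cbc", 2147483636), ("blowfish-cbc", 30), ("arcfour128", 20),
    ("arcfour", 14), ("des-cbc", 11), ("none", 10),
]
FIPS = [
    ("aes256-gcm@openssh.com", 2147483646), ("aes256-ctr", 2147483642),
    ("aes128-ctr", 2147483640), ("aes256-cbc", 2147483639),
    ("3des-cbc", 2147483637),
]
# Assumption: this deny-list is the example's own policy, not Delinea's.
DENY = {"3des-cbc", "blowfish-cbc", "arcfour128", "arcfour", "des-cbc", "none"}

def negotiate(rows, peer_offer):
    """Try algorithms from highest to lowest priority; return the first the peer offers."""
    offered = set(peer_offer)
    for name, _priority in sorted(rows, key=lambda r: r[1], reverse=True):
        if name in offered:
            return name
    return None  # no common algorithm: the connection attempt fails

def audit(rows, peers, deny=DENY):
    """Map each peer to (negotiated algorithm, True if it is on the deny-list)."""
    report = {}
    for peer, offer in peers.items():
        chosen = negotiate(rows, offer)
        report[peer] = (chosen, chosen in deny)
    return report

# Constructed peer offers (hypothetical hosts, not from the page).
PEERS = {
    "modern-host": ["aes128-ctr", "aes256-gcm@openssh.com"],
    "legacy-switch": ["arcfour", "3des-cbc"],
    "ancient-appliance": ["none", "des-cbc"],
}

if __name__ == "__main__":
    for label, rows in (("non-FIPS", NON_FIPS), ("FIPS", FIPS)):
        for peer, (alg, denied) in audit(rows, PEERS).items():
            print(f"{label:8} {peer:18} -> {alg} {'DENY' if denied else ''}")
```

With these sample peers, the FIPS list refuses the peer that offers only `none` and `des-cbc`, but still settles on `3des-cbc` with the legacy switch because that algorithm is in both tables.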