SSH Cipher Support
This topic details SSH cipher suite encryption, key exchange, and MAC algorithms.
Enable FIPS in Secret Server On-Premises to ensure all algorithms are FIPS-certified. FIPS 140-2 compliance is built-in to Secret Server Cloud and is always on.
SecureBlackbox enables all available SSH encryption, key exchange, and MAC algorithms by default.
This information applies to the following as of Secret Server On-Premises 11.2.X (June 2022).
- SSH Server: Used by SSH proxy
- SSH Client: Used by SSH proxy, RPC, heartbeat, discovery, and script runners.
- Local port forwarding: Used by SSH proxy Jumpbox routes)
Secret Server On-Premises with FIPS Enabled
Default Encryption Algorithms, FIPS
The algorithm with highest priority is chosen first, if unsuccessful, the next highest is attempted. The table is ordered by priority.
| SSH Cipher | Secure Blackbox Encryption Algorithm | Priority |
|---|---|---|
| aes256-cbc | SSH_EA_AES256 | 2147483646 |
| aes192-cbc | SSH_EA_AES192 | 2147483645 |
| aes128-cbc | SSH_EA_AES128 | 2147483644 |
| 3des-cbc | SSH_EA_3DES | 2147483643 |
Default Key Exchange Algorithms, FIPS
The algorithm with highest priority is chosen first, if unsuccessful, the next highest is attempted. The table is ordered by priority.
| SSH Cipher | Secure Blackbox Encryption Algorithm | Priority |
|---|---|---|
| rsa1024-sha1 | SSH_KEX_RSA1024_SHA1 | 2147483646 |
| rsa2048-sha256 | SSH_KEX_RSA2048_SHA256 | 2147483645 |
Default MAC Algorithms, FIPS
The algorithm with highest priority is chosen first, if unsuccessful, the next highest is attempted. The table is ordered by priority.
| SSH Cipher | Secure Blackbox Encryption Algorithm | Priority |
|---|---|---|
| hmac-sha2-512 | SSH_MA_HMAC_SHA2_512 | 2147483646 |
| hmac-sha2-256 | SSH_MA_HMAC_SHA2_256 | 2147483645 |
| hmac-sha256@ssh.com | SSH_MA_HMAC_SHA256 | 2147483644 |
| hmac-sha256-96@ssh.com | SSH_MA_HMAC_SHA256_96 | 2147483643 |
| hmac-sha1 | SSH_MA_HMAC_SHA1 | 2147483642 |
Default Public-Key Algorithms, FIPS
The algorithm with highest priority is chosen first, if unsuccessful, the next highest is attempted. The table is ordered by priority.
| SSH Cipher | Secure Blackbox Encryption Algorithm | Priority |
|---|---|---|
| x509v3-sign-rsa | SSH_PK_X509_SIGN_RSA | 2147483646 |
| x509v3-sign-dss | SSH_PK_X509_SIGN_DSS | 2147483645 |
| spki-sign-rsa | SSH_PK_SPKI_SIGN_RSA | 2147483644 |
| spki-sign-dss | SSH_PK_SPKI_SIGN_DSS | 2147483643 |
| pgp-sign-rsa | SSH_PK_PGP_SIGN_RSA | 2147483642 |
| pgp-sign-dss | SSH_PK_PGP_SIGN_DSS | 2147483641 |
| x509v3-ssh-rsa | SSH_PK_X509_SSH_RSA | 2147483640 |
| x509v3-ssh-dss | SSH_PK_X509_SSH_DSS | 2147483639 |
| x509v3-rsa2048-sha256 | SH_PK_X509_RSA2048_SHA256 | 2147483638 |
| rsa-sha2-256 | SSH_PK_RSA_SHA256 | 2147483637 |
| rsa-sha2-512 | SSH_PK_RSA_SHA512 | 2147483636 |
| ssh-dss | SSH_PK_DSS | 2147483635 |
| ssh-rsa | SSH_PK_RSA | 2147483634 |
Secret Server with FIPS Disabled
Default Encryption Algorithms, Non-FIPS
The algorithm with highest priority is chosen first, if unsuccessful, the next highest is attempted. The table is ordered by priority.
| SSH Cipher | Secure Blackbox Encryption Algorithm | Priority |
|---|---|---|
| aes256-gcm@openssh.com | SSH_EA_AES256_GCM_OPENSSH | 2147483646 |
| aes128-gcm@openssh.com | SSH_EA_AES128_GCM_OPENSSH | 2147483645 |
| aes256-gcm | SSH_EA_AES256_GCM | 2147483644 |
| aes128-gcm | SSH_EA_AES128_GCM | 2147483643 |
| aes256-ctr | SSH_EA_AES256_CTR | 2147483642 |
| aes192-ctr | SSH_EA_AES192_CTR | 2147483641 |
| aes128-ctr | SSH_EA_AES128_CTR | 2147483640 |
| aes256-cbc | SSH_EA_AES256 | 2147483639 |
| aes192-cbc | SSH_EA_AES192 | 2147483638 |
| aes128-cbc | SSH_EA_AES128 | 2147483637 |
| 3des-cbc | SSH_EA_3DES | 2147483636 |
| twofish256-cbc | SSH_EA_TWOFISH256 | 36 |
| twofish192-cbc | SSH_EA_TWOFISH192 | 35 |
| twofish128-cbc | SSH_EA_TWOFISH128 | 34 |
| serpent256-cbc | SSH_EA_SERPENT256 | 33 |
| serpent192-cbc | SSH_EA_SERPENT192 | 32 |
| serpent128-cbc | SSH_EA_SERPENT128 | 31 |
| blowfish-cbc | SSH_EA_BLOWFISH | 30 |
| twofish128-ctr | SSH_EA_TWOFISH128_CTR | 29 |
| twofish192-ctr | SSH_EA_TWOFISH192_CTR | 28 |
| twofish256-ctr | SSH_EA_TWOFISH256_CTR | 27 |
| serpent128-ctr | SSH_EA_SERPENT128_CTR | 26 |
| serpent192-ctr | SSH_EA_SERPENT192_CTR | 25 |
| serpent256-ctr | SSH_EA_SERPENT256_CTR | 24 |
| blowfish-ctr | SSH_EA_BLOWFISH_CTR | 23 |
| idea-ctr | SSH_EA_IDEA_CTR | 22 |
| cast128-ctr | SSH_EA_CAST128_CTR | 21 |
| arcfour128 | SSH_EA_ARCFOUR128 | 20 |
| arcfour256 | SSH_EA_ARCFOUR256 | 19 |
| cast128-cbc | SSH_EA_CAST128 | 18 |
| 3des-ctr | SSH_EA_3DES_CTR | 16 |
| chacha20-poly1305 | SSH_EA_CHACHA20 | 15 |
| arcfour | SSH_EA_ARCFOUR | 14 |
| idea-cbc | SSH_EA_IDEA | 13 |
| chacha20-poly1305@openssh.com | SSH_EA_CHACHA20_OPENSSH | 12 |
| des-cbc | SSH_EA_DES | 11 |
| none | SSH_EA_NONE | 10 |
Default Key Exchange Algorithms, Non-FIPS
The algorithm with highest priority is chosen first, if unsuccessful, the next highest is attempted. The table is ordered by priority.
| SSH Cipher | Secure Blackbox Encryption Algorithm | Priority |
|---|---|---|
| curve25519-sha256@libssh.org | SSH_KEX_CURVE25519 | 2147483646 |
| diffie-hellman-group-exchange-sha256 | SSH_KEX_DH_GROUP_EXCHANGE256 | 2147483645 |
| diffie-hellman-group14-sha1 | SSH_KEX_DH_GROUP_14 | 2147483644 |
| diffie-hellman-group1-sha1 | SSH_KEX_DH_GROUP | 2147483643 |
| diffie-hellman-group-exchange-sha1 | SSH_KEX_DH_GROUP_EXCHANGE | 2147483642 |
| diffie-hellman-group14-sha256 | SSH_KEX_DH_GROUP_14_SHA256 | 2147483641 |
| ecdh-sha2-nistp521 | SSH_KEX_ECDH_NIST_P521 | 2147483640 |
| ecdh-sha2-nistp384 | SSH_KEX_ECDH_NIST_P384 | 2147483639 |
| ecdh-sha2-nistp256 | SSH_KEX_ECDH_NIST_P256 | 2147483638 |
| rsa1024-sha1 | SSH_KEX_RSA1024_SHA1 | 2147483637 |
| rsa2048-sha256 | SSH_KEX_RSA2048_SHA256 | 2147483636 |
Default MAC Algorithms, Non-FIPS
The algorithm with highest priority is chosen first, if unsuccessful, the next highest is attempted. The table is ordered by priority.
| SSH Cipher | Secure Blackbox Encryption Algorithm | Priority |
|---|---|---|
| chacha20-poly1305@openssh.com | SSH_MA_POLY1305 | 2147483646 |
| aes256-gcm | SSH_MA_AES256_GCM | 2147483645 |
| aes128-gcm | SSH_MA_AES128_GCM | 2147483644 |
| hmac-sha2-512 | SSH_MA_HMAC_SHA2_512 | 2147483643 |
| hmac-sha2-256 | SSH_MA_HMAC_SHA2_256 | 2147483642 |
| hmac-sha256@ssh.com | SSH_MA_HMAC_SHA256 | 2147483641 |
| hmac-sha256-96@ssh.com | SSH_MA_HMAC_SHA256_96 | 2147483640 |
| hmac-sha1 | SSH_MA_HMAC_SHA1 | 2147483639 |
| umac-128@openssh.com | SSH_MA_UMAC128 | 2147483638 |
| umac-96@openssh.com | SSH_MA_UMAC96 | 2147483637 |
| umac-64@openssh.com | SSH_MA_UMAC64 | 2147483636 |
| umac-32@openssh.com | SSH_MA_UMAC32 | 2147483635 |
| hmac-sha2-512-etm@openssh.com | SSH_MA_HMAC_SHA2_512_ETM | 28 |
| hmac-sha2-256-etm@openssh.com | SSH_MA_HMAC_SHA2_256_ETM | 27 |
| hmac-sha256-96@ssh.com | SSH_MA_HMAC_SHA256_96 | 24 |
| hmac-ripemd160 | SSH_MA_HMAC_RIPEMD160 | 23 |
| hmac-ripemd | SSH_MA_HMAC_RIPEMD | 22 |
| hmac-ripemd160@openssh.com | SSH_MA_HMAC_RIPEMD_OPENSSH | 21 |
| hmac-sha1-96 | SSH_MA_HMAC_SHA1_96 | 15 |
| hmac-md5 | SSH_MA_HMAC_MD5 | 13 |
| hmac-md5-96 | SSH_MA_HMAC_MD5_96 | 12 |
| none | SSH_MA_NONE | 10 |
Default Public-Key Algorithms, Non-FIPS
The algorithm with highest priority is chosen first, if unsuccessful, the next highest is attempted. The table is ordered by priority.
| SSH Cipher | Secure Blackbox Encryption Algorithm | Priority |
|---|---|---|
| x509v3-sign-rsa | SSH_PK_X509_SIGN_RSA | 2147483646 |
| x509v3-sign-dss | SSH_PK_X509_SIGN_DSS | 2147483645 |
| spki-sign-rsa | SSH_PK_SPKI_SIGN_RSA | 2147483644 |
| spki-sign-dss | SSH_PK_SPKI_SIGN_DSS | 2147483643 |
| pgp-sign-rsa | SSH_PK_PGP_SIGN_RSA | 2147483642 |
| pgp-sign-dss | SSH_PK_PGP_SIGN_DSS | 2147483641 |
| ecdsa-sha2-nistp256 | SSH_PK_ECDSA_NIST_P256 | 2147483640 |
| ecdsa-sha2-nistp384 | SSH_PK_ECDSA_NIST_P384 | 2147483639 |
| ecdsa-sha2-nistp521 | SSH_PK_ECDSA_NIST_P521 | 2147483638 |
| ecdsa-sha2-nistk163 | SSH_PK_ECDSA_NIST_K163 | 2147483637 |
| ecdsa-sha2-nistp192 | SSH_PK_ECDSA_NIST_P192 | 2147483636 |
| ecdsa-sha2-nistp224 | SSH_PK_ECDSA_NIST_P224 | 2147483635 |
| ecdsa-sha2-nistk233 | SSH_PK_ECDSA_NIST_K233 | 2147483634 |
| ecdsa-sha2-nistb233 | SSH_PK_ECDSA_NIST_B233 | 2147483633 |
| ecdsa-sha2-nistk283 | SSH_PK_ECDSA_NIST_K283 | 2147483632 |
| ecdsa-sha2-nistk409 | SSH_PK_ECDSA_NIST_K409 | 2147483631 |
| ecdsa-sha2-nistb409 | SSH_PK_ECDSA_NIST_B409 | 2147483630 |
| ecdsa-sha2-nistt571 | SSH_PK_ECDSA_NIST_K571 | 2147483629 |
| ecdsa-sha2-curve25519 | SSH_PK_ECDSA_CURVE25519 | 2147483628 |
| x509v3-ssh-rsa | SSH_PK_X509_SSH_RSA | 2147483627 |
| x509v3-ssh-dss | SSH_PK_X509_SSH_DSS | 2147483626 |
| x509v3-rsa2048-sha256 | SSH_PK_X509_RSA2048_SHA256 | 2147483625 |
| x509v3-ecdsa-sha2-nistp256 | SSH_PK_X509_ECDSA_SHA2_NIST_P256 | 2147483624 |
| x509v3-ecdsa-sha2-nistp384 | SSH_PK_X509_ECDSA_SHA2_NIST_P384 | 2147483623 |
| x509v3-ecdsa-sha2-nistp521 | SSH_PK_X509_ECDSA_SHA2_NIST_P521 | 2147483622 |
| x509v3-ecdsa-sha2-nistk163 | SSH_PK_X509_ECDSA_SHA2_NIST_K163 | 2147483621 |
| x509v3-ecdsa-sha2-nistp192 | SSH_PK_X509_ECDSA_SHA2_NIST_P192 | 2147483620 |
| x509v3-ecdsa-sha2-nistp224 | SSH_PK_X509_ECDSA_SHA2_NIST_P224 | 2147483619 |
| x509v3-ecdsa-sha2-nistk233 | SSH_PK_X509_ECDSA_SHA2_NIST_K233 | 2147483618 |
| x509v3-ecdsa-sha2-nistb233 | SSH_PK_X509_ECDSA_SHA2_NIST_B233 | 2147483617 |
| x509v3-ecdsa-sha2-nistk283 | SSH_PK_X509_ECDSA_SHA2_NIST_K283 | 2147483616 |
| x509v3-ecdsa-sha2-nistk409 | SSH_PK_X509_ECDSA_SHA2_NIST_K409 | 2147483615 |
| x509v3-ecdsa-sha2-nistb409 | SSH_PK_X509_ECDSA_SHA2_NIST_B409 | 2147483614 |
| x509v3-ecdsa-sha2-nistt571 | SSH_PK_X509_ECDSA_SHA2_NIST_K571 | 2147483613 |
| x509v3-ecdsa-sha2-curve25519 | SSH_PK_X509_ECDSA_SHA2_CURVE25519 | 2147483612 |
| ssh-ed25519 | SSH_PK_ED25519 | 2147483611 |
| ssh-ed448 | SSH_PK_ED448 | 2147483610 |
| rsa-sha2-256 | SSH_PK_RSA_SHA256 | 2147483609 |
| rsa-sha2-512 | SSH_PK_RSA_SHA512 | 2147483608 |
| ssh-dss | SSH_PK_DSS | 2147483607 |
| SSH_PK_RSA | SSH_PK_RSA | 2147483606 |
