This feature allows administrators to customize the set of cryptographic algorithms used by the system for secure communications. By specifying algorithm names separated by commas or spaces, administrators can tailor the security protocols to meet organizational requirements. Special keywords enhance flexibility: DEFAULT expands to the system’s default set of secure algorithms, while ALL includes every available algorithm, encompassing both secure and less secure options. Additionally, prefixing an algorithm name with a minus sign (-) disables that specific algorithm. For example, to exclude a particular algorithm, you would list it as -AlgorithmName.
Available KEX algorithms:
- curve25519-sha256
- curve25519-sha256@libssh.org
- diffie-hellman-group-exchange-sha256
- diffie-hellman-group1-sha1
- diffie-hellman-group14-sha1
- diffie-hellman-group14-sha256
- diffie-hellman-group16-sha512
- ecdh-sha2-nistp256
- ecdh-sha2-nistp384
- ecdh-sha2-nistp521
Available key signature algorithms:
- ecdsa-sha2-nistp256
- ecdsa-sha2-nistp384
- ecdsa-sha2-nistp521
- rsa-sha2-256
- ssh-ed25519
- ssh-rsa
Available MAC algorithms:
- hmac-sha1
- hmac-sha1-96
- hmac-sha2-256
- hmac-sha2-512
Available cipher algorithms:
- aes128-cbc
- aes128-ctr
- aes128-gcm@openssh.com
- aes192-cbc
- aes192-ctr
- aes192-gcm
For example, the default KEX algorithms (the set that DEFAULT expands to) are:
- curve25519-sha256
- curve25519-sha256@libssh.org
- diffie-hellman-group-exchange-sha256
- diffie-hellman-group14-sha1
- diffie-hellman-group14-sha256
- diffie-hellman-group16-sha512
- ecdh-sha2-nistp256
- ecdh-sha2-nistp384
- ecdh-sha2-nistp521
Insecure algorithms (included when using ALL; enable at your own risk):
- diffie-hellman-group1-sha1
It’s important to note that some legacy algorithms, such as diffie-hellman-group1-sha1, are considered insecure and are disabled by default in modern configurations. Administrators should exercise caution when enabling these algorithms, as they may expose the system to security vulnerabilities.
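The expansion rules above, worked through in Python for the KEX lists on this page, with a check that reports any insecure algorithm a given specification would enable. This is an added example, not the product's own parser; the names resolve and audit are hypothetical, and left-to-right token processing, de-duplication and rejection of unknown names are assumptions.

```python
import re

# KEX lists copied from this page.
KEX_ALL = [
    "curve25519-sha256",
    "curve25519-sha256@libssh.org",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group1-sha1",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group14-sha256",
    "diffie-hellman-group16-sha512",
    "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp384",
    "ecdh-sha2-nistp521",
]
KEX_INSECURE = {"diffie-hellman-group1-sha1"}
KEX_DEFAULT = [a for a in KEX_ALL if a not in KEX_INSECURE]


def resolve(spec, available=KEX_ALL, default=KEX_DEFAULT):
    """Expand a spec such as 'DEFAULT -ecdh-sha2-nistp256' into an ordered list.

    Assumptions (not stated on the page): tokens apply left to right,
    duplicates are dropped, and unknown names are rejected.
    """
    enabled = []
    for token in filter(None, re.split(r"[,\s]+", spec.strip())):
        if token == "DEFAULT":
            names, remove = default, False
        elif token == "ALL":
            names, remove = available, False
        else:
            remove = token.startswith("-")
            names = [token[1:] if remove else token]
            if names[0] not in available:
                raise ValueError(f"unknown algorithm: {names[0]!r}")
        for name in names:
            if remove and name in enabled:
                enabled.remove(name)
            elif not remove and name not in enabled:
                enabled.append(name)
    return enabled


def audit(spec):
    """Return the insecure algorithms a spec would enable, for review."""
    return sorted(set(resolve(spec)) & KEX_INSECURE)
```

Running audit over a proposed value before applying it shows that ALL pulls in diffie-hellman-group1-sha1, while ALL -diffie-hellman-group1-sha1 resolves to the same set as DEFAULT.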