ssh

SSH configuration settings.

# example
ssh:
  softwareVersion: MyServer_1.0.0
  
  encryptionAlgorithms: ['__MODERN', '3des-ctr', '3des-cbc']
  hostKeyAlgorithms: ['__MODERN']
  kexAlgorithms: ['__MODERN', 'diffie-hellman-group14-sha1']
  macAlgorithms: ['__INTERMEDIATE']
  
  maxIdleDurationSeconds: 86400
  maxSessionDurationSeconds: 86400
  maxSessionTransferredBytes: 1073741824

  shellHostName: myserver

ssh.encryptionAlgorithms

string[] = ['__INTERMEDIATE']

List of encryption algorithms. Explicit algorithm names or macros (see below) can be used.

Currently supported algorithms are, with their macros:

__MODERN (secure)
aes256-gcm@openssh.com AES in GCM mode with 256-bit key
aes128-gcm@openssh.com AES in GCM mode with 128-bit key
aes256-ctr AES in CTR mode with 256-bit key
aes192-ctr AES in CTR mode with 192-bit key
aes128-ctr AES in CTR mode with 128-bit key
chacha20-poly1305@openssh.com ChaCha20/Poly1305 AEAD cipher with 256-bit key
twofish256-ctr Twofish in CTR mode with 256-bit key
twofish192-ctr Twofish in CTR mode with 192-bit key
twofish128-ctr Twofish in CTR mode with 128-bit key
__INTERMEDIATE (best compatibility) all of the above, plus:
aes256-cbc AES in CBC mode with 256-bit key
aes192-cbc AES in CBC mode with 192-bit key
aes128-cbc AES in CBC mode with 128-bit key
twofish256-cbc Twofish in CBC mode with 256-bit key
twofish192-cbc Twofish in CBC mode with 192-bit key
twofish128-cbc Twofish in CBC mode with 128-bit key
twofish-cbc Twofish in CBC mode with 256-bit key
3des-ctr TripleDES in CTR mode
3des-cbc TripleDES in CBC mode
__ALL (unsecure, not recommended) all of the above, plus:
arcfour256 ArcFour (RC4) stream cipher (with discard step) with 256-bit key
arcfour128 ArcFour (RC4) stream cipher (with discard step) with 128-bit key
arcfour ArcFour (RC4) stream cipher with 128-bit key
blowfish-ctr Twofish in CTR mode with 256-bit key
blowfish-cbc Blowfish in CBC mode with 128-bit key

ssh.hostKeyAlgorithms

string[] = ['__INTERMEDIATE']

List of host key algorithms.

__MODERN (secure)
ssh-ed25519 Ed25519, an Edwards-curve Digital Signature Algorithm (EdDSA)
ecdsa-sha2-nistp521 Elliptic Curve Digital Signature Algorithm (ECDSA) on NIST P-521 curve with SHA-512 hash
ecdsa-sha2-nistp384 Elliptic Curve Digital Signature Algorithm (ECDSA) on NIST P-384 curve with SHA-384 hash
ecdsa-sha2-nistp256 Elliptic Curve Digital Signature Algorithm (ECDSA) on NIST P-256 curve with SHA-256 hash
ecdsa-sha2-1.3.132.0.10 2.11.0+Elliptic Curve Digital Signature Algorithm (ECDSA) on secp256k1 curve with SHA-256 hash. Supported on Windows 10+ and Windows Server 2016+.
rsa-sha2-512 RSA with SHA-512 hash
ssh-rsa-sha256@ssh.com RSA with SHA-256 hash
rsa-sha2-256 RSA with SHA-256 hash
x509v3-ecdsa-sha2-nistp521 2.10.0+X.509 certificate with ECDSA on NIST P-521 curve and SHA-2 hash
x509v3-ecdsa-sha2-nistp384 2.10.0+X.509 certificate with ECDSA on NIST P-384 curve and SHA-2 hash
x509v3-ecdsa-sha2-nistp256 2.10.0+X.509 certificate with ECDSA on NIST P-256 curve and SHA-2 hash
x509v3-rsa2048-sha256 2.10.0+X.509 certificate with 2048+ bit RSA and SHA-256 hash
x509v3-sign-rsa-sha256@ssh.com 2.10.0+X.509 certificate with RSA and SHA-256 hash
__INTERMEDIATE (best compatibility) all of the above, plus:
ssh-dss NIST Digital Signature Algorithm (DSA) with SHA-1 hash
ssh-rsa RSA with SHA-1 hash
x509v3-sign-rsa 2.10.0+X.509 certificate with RSA and SHA-1 hash
x509v3-sign-dss 2.10.0+X.509 certificate with DSA and SHA-1 hash
__ALL (unsecure, not recommended) all of the above

ssh.kexAlgorithms

string[] = ['__INTERMEDIATE']

List of key exchange algorithms.

__MODERN (secure)
curve25519-sha256 256 bits Elliptic Curve Diffie-Hellman on Curve25519 with SHA-256 hash
curve25519-sha256@libssh.org 256 bits Elliptic Curve Diffie-Hellman on Curve25519 with SHA-256 hash
ecdh-sha2-nistp521 521 bits Elliptic Curve Diffie Hellman with NIST P-521 curve and SHA-512 hash
ecdh-sha2-nistp384 384 bits Elliptic Curve Diffie Hellman with NIST P-384 curve and SHA-384 hash
ecdh-sha2-nistp256 256 bits Elliptic Curve Diffie Hellman with NIST P-256 curve and SHA-256 hash
ecdh-sha2-1.3.132.0.10 256 bits 2.11.0+Elliptic Curve Diffie Hellman with secp256k1 curve and SHA-256 hash. Supported on Windows 10+ and Windows Server 2016+.
diffie-hellman-group16-sha512 4096 bits Diffie Hellman with Oakley Group 16 and SHA-512 hash
diffie-hellman-group15-sha512 3072 bits Diffie Hellman with Oakley Group 15 and SHA-512 hash
diffie-hellman-group-exchange-sha256 Negotiated Diffie Hellman with group exchange and SHA-256 hash
__INTERMEDIATE (best compatibility) all of the above, plus:
diffie-hellman-group14-sha256 2048 bits Diffie Hellman with Oakley Group 14 and SHA-256 hash
diffie-hellman-group14-sha1 2048 bits Diffie Hellman with Oakley Group 14 and SHA-1 hash
diffie-hellman-group-exchange-sha1 Negotiated Diffie Hellman with group exchange and SHA-1 hash
__ALL (unsecure, not recommended) all of the above, plus:
diffie-hellman-group1-sha1 1024 bits Diffie Hellman with Oakley Group 2 and SHA-1 hash

ssh.macAlgorithms

string[] = ['__INTERMEDIATE']

List of MAC algorithms.

__MODERN (secure)
hmac-sha2-512-etm@openssh.com SHA-512 (ETM mode)
hmac-sha2-256-etm@openssh.com SHA-256 (ETM mode)
hmac-sha2-512 SHA-512
hmac-sha2-256 SHA-256
__INTERMEDIATE (best compatibility) all of the above, plus:
hmac-sha1 SHA-1
hmac-sha1-96 SHA-1 (trimmed to 96 bits)
__ALL (unsecure, not recommended) all of the above
hmac-md5 MD5
hmac-md5-96 MD5 (trimmed to 96 bits)

ssh.maxIdleDurationSeconds

number = 86400 (1 day)

Maximum session idle duration in seconds. When this duration expires, session is disconnected. Set the value to 0 to disable.

ssh.maxSessionDurationSeconds

number = 86400 (1 day)

Maximum session duration in seconds. When this duration expires, a session renegotiation occurs. Set the value to 0 disable.

ssh.maxSessionTransferredBytes

number = 1073741824 (1 GB)

Maximum number of bytes transferred during a session. When this value is reached, a session renegotiation occurs. Set the value to 0 to disable.

ssh.shellHostName

string

Server name visible to the clients.

ssh.softwareVersion

string

Use custom software version in SSH protocol version exchange