ssh
SSH configuration settings.
# example
ssh:
encryptionAlgorithms: ['__MODERN', '3des-ctr', '3des-cbc']
hostKeyAlgorithms: ['__MODERN']
kexAlgorithms: ['__MODERN', 'diffie-hellman-group14-sha1']
macAlgorithms: ['__INTERMEDIATE']
maxIdleDurationSeconds: 86400
maxSessionDurationSeconds: 86400
maxSessionTransferredBytes: 1073741824
banner: 'Welcome!'
shellHostName: myserver
softwareVersion: MyServer_1.0.0
ssh.encryptionAlgorithms
string[] = ['__INTERMEDIATE']
List of encryption algorithms. Explicit algorithm names or macros (see below) can be used.
The order of the algorithms is not too significant as the SSH client will eventually decide, but it is recommended to put the most secure algorithms first.
Currently supported algorithms are, with their macros:
| __MODERN (secure) | |
|---|---|
| aes256-gcm@openssh.com | AES in GCM mode with 256-bit key |
| aes128-gcm@openssh.com | AES in GCM mode with 128-bit key |
| aes256-ctr | AES in CTR mode with 256-bit key |
| aes192-ctr | AES in CTR mode with 192-bit key |
| aes128-ctr | AES in CTR mode with 128-bit key |
| chacha20-poly1305@openssh.com | ChaCha20/Poly1305 AEAD cipher with 256-bit key |
| twofish256-ctr | Twofish in CTR mode with 256-bit key |
| twofish192-ctr | Twofish in CTR mode with 192-bit key |
| twofish128-ctr | Twofish in CTR mode with 128-bit key |
| __INTERMEDIATE (best compatibility) | all of the above, plus: |
|---|---|
| aes256-cbc | AES in CBC mode with 256-bit key |
| aes192-cbc | AES in CBC mode with 192-bit key |
| aes128-cbc | AES in CBC mode with 128-bit key |
| twofish256-cbc | Twofish in CBC mode with 256-bit key |
| twofish192-cbc | Twofish in CBC mode with 192-bit key |
| twofish128-cbc | Twofish in CBC mode with 128-bit key |
| twofish-cbc | Twofish in CBC mode with 256-bit key |
| 3des-ctr | TripleDES in CTR mode |
| 3des-cbc | TripleDES in CBC mode |
| __ALL (unsecure, not recommended) | all of the above, plus: |
|---|---|
| arcfour256 | ArcFour (RC4) stream cipher (with discard step) with 256-bit key |
| arcfour128 | ArcFour (RC4) stream cipher (with discard step) with 128-bit key |
| arcfour | ArcFour (RC4) stream cipher with 128-bit key |
| blowfish-ctr | Twofish in CTR mode with 256-bit key |
| blowfish-cbc | Blowfish in CBC mode with 128-bit key |
ssh.hostKeyAlgorithms
string[] = ['__INTERMEDIATE']
List of host key algorithms.
| __MODERN (secure) | |
|---|---|
| ssh-ed25519 | Ed25519, an Edwards-curve Digital Signature Algorithm (EdDSA) |
| ecdsa-sha2-nistp521 | Elliptic Curve Digital Signature Algorithm (ECDSA) on NIST P-521 curve with SHA-512 hash |
| ecdsa-sha2-nistp384 | Elliptic Curve Digital Signature Algorithm (ECDSA) on NIST P-384 curve with SHA-384 hash |
| ecdsa-sha2-nistp256 | Elliptic Curve Digital Signature Algorithm (ECDSA) on NIST P-256 curve with SHA-256 hash |
| ecdsa-sha2-1.3.132.0.10 | 2.11.0+Elliptic Curve Digital Signature Algorithm (ECDSA) on secp256k1 curve with SHA-256 hash. Supported on Windows 10+ and Windows Server 2016+. |
| rsa-sha2-512 | RSA with SHA-512 hash |
| ssh-rsa-sha256@ssh.com | RSA with SHA-256 hash |
| rsa-sha2-256 | RSA with SHA-256 hash |
| x509v3-ecdsa-sha2-nistp521 | 2.10.0+X.509 certificate with ECDSA on NIST P-521 curve and SHA-2 hash |
| x509v3-ecdsa-sha2-nistp384 | 2.10.0+X.509 certificate with ECDSA on NIST P-384 curve and SHA-2 hash |
| x509v3-ecdsa-sha2-nistp256 | 2.10.0+X.509 certificate with ECDSA on NIST P-256 curve and SHA-2 hash |
| x509v3-rsa2048-sha256 | 2.10.0+X.509 certificate with 2048+ bit RSA and SHA-256 hash |
| x509v3-sign-rsa-sha256@ssh.com | 2.10.0+X.509 certificate with RSA and SHA-256 hash |
| __INTERMEDIATE (best compatibility) | all of the above, plus: |
|---|---|
| ssh-dss | NIST Digital Signature Algorithm (DSA) with SHA-1 hash |
| ssh-rsa | RSA with SHA-1 hash |
| x509v3-sign-rsa | 2.10.0+X.509 certificate with RSA and SHA-1 hash |
| x509v3-sign-dss | 2.10.0+X.509 certificate with DSA and SHA-1 hash |
| __ALL (unsecure, not recommended) | all of the above |
|---|
ssh.kexAlgorithms
string[] = ['__INTERMEDIATE']
List of key exchange algorithms.
| __MODERN (secure) | ||
|---|---|---|
| curve25519-sha256 | 256 bits | Elliptic Curve Diffie-Hellman on Curve25519 with SHA-256 hash |
| curve25519-sha256@libssh.org | 256 bits | Elliptic Curve Diffie-Hellman on Curve25519 with SHA-256 hash |
| ecdh-sha2-nistp521 | 521 bits | Elliptic Curve Diffie Hellman with NIST P-521 curve and SHA-512 hash |
| ecdh-sha2-nistp384 | 384 bits | Elliptic Curve Diffie Hellman with NIST P-384 curve and SHA-384 hash |
| ecdh-sha2-nistp256 | 256 bits | Elliptic Curve Diffie Hellman with NIST P-256 curve and SHA-256 hash |
| ecdh-sha2-1.3.132.0.10 | 256 bits | 2.11.0+Elliptic Curve Diffie Hellman with secp256k1 curve and SHA-256 hash. Supported on Windows 10+ and Windows Server 2016+. |
| diffie-hellman-group16-sha512 | 4096 bits | Diffie Hellman with Oakley Group 16 and SHA-512 hash |
| diffie-hellman-group15-sha512 | 3072 bits | Diffie Hellman with Oakley Group 15 and SHA-512 hash |
| diffie-hellman-group-exchange-sha256 | Negotiated | Diffie Hellman with group exchange and SHA-256 hash |
| __INTERMEDIATE (best compatibility) | all of the above, plus: | |
|---|---|---|
| diffie-hellman-group14-sha256 | 2048 bits | Diffie Hellman with Oakley Group 14 and SHA-256 hash |
| diffie-hellman-group14-sha1 | 2048 bits | Diffie Hellman with Oakley Group 14 and SHA-1 hash |
| diffie-hellman-group-exchange-sha1 | Negotiated | Diffie Hellman with group exchange and SHA-1 hash |
| __ALL (unsecure, not recommended) | all of the above, plus: | |
|---|---|---|
| diffie-hellman-group1-sha1 | 1024 bits | Diffie Hellman with Oakley Group 2 and SHA-1 hash |
ssh.macAlgorithms
string[] = ['__INTERMEDIATE']
List of MAC algorithms.
| __MODERN (secure) | |
|---|---|
| hmac-sha2-512-etm@openssh.com | SHA-512 (ETM mode) |
| hmac-sha2-256-etm@openssh.com | SHA-256 (ETM mode) |
| hmac-sha2-512 | SHA-512 |
| hmac-sha2-256 | SHA-256 |
| __INTERMEDIATE (best compatibility) | all of the above, plus: |
|---|---|
| hmac-sha1 | SHA-1 |
| hmac-sha1-96 | SHA-1 (trimmed to 96 bits) |
| __ALL (unsecure, not recommended) | all of the above |
|---|---|
| hmac-md5 | MD5 |
| hmac-md5-96 | MD5 (trimmed to 96 bits) |
ssh.banner
string
Banner message displayed to clients before authentication.
ssh.maxIdleDurationSeconds
number = 86400 (1 day)
Maximum session idle duration in seconds. When this duration expires, session is disconnected. Set the value to 0 to disable.
ssh.maxSessionDurationSeconds
number = 86400 (1 day)
Maximum session duration in seconds. When this duration expires, a session renegotiation occurs. Set the value to 0 disable.
ssh.maxSessionTransferredBytes
number = 1073741824 (1 GB)
Maximum number of bytes transferred during a session. When this value is reached, a session renegotiation occurs. Set the value to 0 to disable.
ssh.shellHostName
string
Server name visible to the clients.
ssh.softwareVersion
string
Use custom software version in SSH protocol version exchange