# ssh

SSH configuration settings.

```
# example
ssh:
  encryptionAlgorithms: ['__MODERN', '3des-ctr', '3des-cbc']
  hostKeyAlgorithms: ['__MODERN']
  kexAlgorithms: ['__MODERN', 'diffie-hellman-group14-sha1']
  macAlgorithms: ['__INTERMEDIATE']
  maxIdleDurationSeconds: 86400
  maxSessionDurationSeconds: 86400
  maxSessionTransferredBytes: 1073741824
  banner: 'Welcome!'
  shellHostName: myserver
  softwareVersion: MyServer_1.0.0
```

### ssh.encryptionAlgorithms

`string[] = ['__INTERMEDIATE']`

List of encryption algorithms. Explicit algorithm names or macros (see below) can be used.

The currently supported algorithms, grouped by macro:

__MODERN (secure) | |
---|---|
aes256-gcm@openssh.com | AES in GCM mode with 256-bit key |
aes128-gcm@openssh.com | AES in GCM mode with 128-bit key |
aes256-ctr | AES in CTR mode with 256-bit key |
aes192-ctr | AES in CTR mode with 192-bit key |
aes128-ctr | AES in CTR mode with 128-bit key |
chacha20-poly1305@openssh.com | ChaCha20/Poly1305 AEAD cipher with 256-bit key |
twofish256-ctr | Twofish in CTR mode with 256-bit key |
twofish192-ctr | Twofish in CTR mode with 192-bit key |
twofish128-ctr | Twofish in CTR mode with 128-bit key |

__INTERMEDIATE (best compatibility) | all of the above, plus: |
---|---|
aes256-cbc | AES in CBC mode with 256-bit key |
aes192-cbc | AES in CBC mode with 192-bit key |
aes128-cbc | AES in CBC mode with 128-bit key |
twofish256-cbc | Twofish in CBC mode with 256-bit key |
twofish192-cbc | Twofish in CBC mode with 192-bit key |
twofish128-cbc | Twofish in CBC mode with 128-bit key |
twofish-cbc | Twofish in CBC mode with 256-bit key |
3des-ctr | TripleDES in CTR mode |
3des-cbc | TripleDES in CBC mode |

__ALL (unsecure, not recommended) | all of the above, plus: |
---|---|
arcfour256 | ArcFour (RC4) stream cipher (with discard step) with 256-bit key |
arcfour128 | ArcFour (RC4) stream cipher (with discard step) with 128-bit key |
arcfour | ArcFour (RC4) stream cipher with 128-bit key |
blowfish-ctr | Twofish in CTR mode with 256-bit key |
blowfish-cbc | Blowfish in CBC mode with 128-bit key |

### ssh.hostKeyAlgorithms

`string[] = ['__INTERMEDIATE']`

List of host key algorithms.

__MODERN (secure) | |
---|---|
ssh-ed25519 | Ed25519, an Edwards-curve Digital Signature Algorithm (EdDSA) |
ecdsa-sha2-nistp521 | Elliptic Curve Digital Signature Algorithm (ECDSA) on NIST P-521 curve with SHA-512 hash |
ecdsa-sha2-nistp384 | Elliptic Curve Digital Signature Algorithm (ECDSA) on NIST P-384 curve with SHA-384 hash |
ecdsa-sha2-nistp256 | Elliptic Curve Digital Signature Algorithm (ECDSA) on NIST P-256 curve with SHA-256 hash |
ecdsa-sha2-1.3.132.0.10 | (2.11.0+) Elliptic Curve Digital Signature Algorithm (ECDSA) on secp256k1 curve with SHA-256 hash. Supported on Windows 10+ and Windows Server 2016+. |
rsa-sha2-512 | RSA with SHA-512 hash |
ssh-rsa-sha256@ssh.com | RSA with SHA-256 hash |
rsa-sha2-256 | RSA with SHA-256 hash |
x509v3-ecdsa-sha2-nistp521 | (2.10.0+) X.509 certificate with ECDSA on NIST P-521 curve and SHA-2 hash |
x509v3-ecdsa-sha2-nistp384 | (2.10.0+) X.509 certificate with ECDSA on NIST P-384 curve and SHA-2 hash |
x509v3-ecdsa-sha2-nistp256 | (2.10.0+) X.509 certificate with ECDSA on NIST P-256 curve and SHA-2 hash |
x509v3-rsa2048-sha256 | (2.10.0+) X.509 certificate with 2048+ bit RSA and SHA-256 hash |
x509v3-sign-rsa-sha256@ssh.com | (2.10.0+) X.509 certificate with RSA and SHA-256 hash |

__INTERMEDIATE (best compatibility) | all of the above, plus: |
---|---|
ssh-dss | NIST Digital Signature Algorithm (DSA) with SHA-1 hash |
ssh-rsa | RSA with SHA-1 hash |
x509v3-sign-rsa | (2.10.0+) X.509 certificate with RSA and SHA-1 hash |
x509v3-sign-dss | (2.10.0+) X.509 certificate with DSA and SHA-1 hash |

__ALL (unsecure, not recommended) | all of the above |
---|---|

### ssh.kexAlgorithms

`string[] = ['__INTERMEDIATE']`

List of key exchange algorithms.

__MODERN (secure) | | |
---|---|---|
curve25519-sha256 | 256 bits | Elliptic Curve Diffie-Hellman on Curve25519 with SHA-256 hash |
curve25519-sha256@libssh.org | 256 bits | Elliptic Curve Diffie-Hellman on Curve25519 with SHA-256 hash |
ecdh-sha2-nistp521 | 521 bits | Elliptic Curve Diffie Hellman with NIST P-521 curve and SHA-512 hash |
ecdh-sha2-nistp384 | 384 bits | Elliptic Curve Diffie Hellman with NIST P-384 curve and SHA-384 hash |
ecdh-sha2-nistp256 | 256 bits | Elliptic Curve Diffie Hellman with NIST P-256 curve and SHA-256 hash |
ecdh-sha2-1.3.132.0.10 | 256 bits | (2.11.0+) Elliptic Curve Diffie Hellman with secp256k1 curve and SHA-256 hash. Supported on Windows 10+ and Windows Server 2016+. |
diffie-hellman-group16-sha512 | 4096 bits | Diffie Hellman with Oakley Group 16 and SHA-512 hash |
diffie-hellman-group15-sha512 | 3072 bits | Diffie Hellman with Oakley Group 15 and SHA-512 hash |
diffie-hellman-group-exchange-sha256 | Negotiated | Diffie Hellman with group exchange and SHA-256 hash |

__INTERMEDIATE (best compatibility) | all of the above, plus: | |
---|---|---|
diffie-hellman-group14-sha256 | 2048 bits | Diffie Hellman with Oakley Group 14 and SHA-256 hash |
diffie-hellman-group14-sha1 | 2048 bits | Diffie Hellman with Oakley Group 14 and SHA-1 hash |
diffie-hellman-group-exchange-sha1 | Negotiated | Diffie Hellman with group exchange and SHA-1 hash |

__ALL (unsecure, not recommended) | all of the above, plus: | |
---|---|---|
diffie-hellman-group1-sha1 | 1024 bits | Diffie Hellman with Oakley Group 2 and SHA-1 hash |

### ssh.macAlgorithms

`string[] = ['__INTERMEDIATE']`

List of MAC algorithms.

__MODERN (secure) | |
---|---|
hmac-sha2-512-etm@openssh.com | SHA-512 (ETM mode) |
hmac-sha2-256-etm@openssh.com | SHA-256 (ETM mode) |
hmac-sha2-512 | SHA-512 |
hmac-sha2-256 | SHA-256 |

__INTERMEDIATE (best compatibility) | all of the above, plus: |
---|---|
hmac-sha1 | SHA-1 |
hmac-sha1-96 | SHA-1 (trimmed to 96 bits) |

__ALL (unsecure, not recommended) | all of the above |
---|---|
hmac-md5 | MD5 |
hmac-md5-96 | MD5 (trimmed to 96 bits) |
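
Added example (not part of the product's documentation or code): an audit helper that expands the macros using the key exchange and MAC tables above and lists what a configuration enables outside `__MODERN`. It assumes macros expand cumulatively, as the "all of the above, plus" rows describe; `TIERS`, `expand` and `below_modern` are hypothetical names, and the sample values are those of the example block at the top of this page.

```python
# Tier tables transcribed from this page; each tier adds to the ones before it.
TIERS = {
    "kexAlgorithms": [
        ("__MODERN", ["curve25519-sha256", "curve25519-sha256@libssh.org",
                      "ecdh-sha2-nistp521", "ecdh-sha2-nistp384", "ecdh-sha2-nistp256",
                      "ecdh-sha2-1.3.132.0.10", "diffie-hellman-group16-sha512",
                      "diffie-hellman-group15-sha512",
                      "diffie-hellman-group-exchange-sha256"]),
        ("__INTERMEDIATE", ["diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1",
                            "diffie-hellman-group-exchange-sha1"]),
        ("__ALL", ["diffie-hellman-group1-sha1"]),
    ],
    "macAlgorithms": [
        ("__MODERN", ["hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
                      "hmac-sha2-512", "hmac-sha2-256"]),
        ("__INTERMEDIATE", ["hmac-sha1", "hmac-sha1-96"]),
        ("__ALL", ["hmac-md5", "hmac-md5-96"]),
    ],
}

def expand(setting, configured):
    """Return {algorithm: tier} for a configured list of names and macros."""
    tiers = TIERS[setting]
    tier_of = {alg: name for name, algs in tiers for alg in algs}
    order = [name for name, _ in tiers]
    enabled = {}
    for item in configured:
        if item in order:
            # Assumption: a macro enables its own tier and every tier before it.
            for name, algs in tiers[: order.index(item) + 1]:
                enabled.update({alg: name for alg in algs})
        elif item in tier_of:
            enabled[item] = tier_of[item]
        else:
            # This helper's own choice; the page does not say how the server reacts.
            raise ValueError(f"{setting}: unknown algorithm or macro {item!r}")
    return enabled

def below_modern(setting, configured):
    """Algorithms a setting enables that are outside the __MODERN tier."""
    return sorted(a for a, t in expand(setting, configured).items() if t != "__MODERN")

# Values from the page's example block, written as a dict to avoid a YAML dependency.
EXAMPLE = {"kexAlgorithms": ["__MODERN", "diffie-hellman-group14-sha1"],
           "macAlgorithms": ["__INTERMEDIATE"]}

if __name__ == "__main__":
    for setting, value in EXAMPLE.items():
        print(setting, "->", below_modern(setting, value))
```
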

### ssh.banner

`string`

Banner message displayed to clients before authentication.

### ssh.maxIdleDurationSeconds

`number = 86400` (1 day)

Maximum session idle duration in seconds. When this duration expires, the session is disconnected. Set the value to `0` to disable.

### ssh.maxSessionDurationSeconds

`number = 86400` (1 day)

Maximum session duration in seconds. When this duration expires, a session renegotiation occurs. Set the value to `0` to disable.

### ssh.maxSessionTransferredBytes

`number = 1073741824` (1 GB)

Maximum number of bytes transferred during a session. When this value is reached, a session renegotiation occurs. Set the value to `0` to disable.

### ssh.shellHostName

`string`

Server name visible to the clients.

### ssh.softwareVersion

`string`

Use a custom software version in the SSH protocol version exchange.