4.20.2.5. Configuring encryption parameters

The SSH proxy can enforce policy on each element of the encrypted SSH communication: which key exchange, host key, public key, symmetric cipher and MAC algorithms are permitted. The parameters can be set separately for the client side and for the server side, so a hardened client-facing policy can coexist with a more permissive server-facing one where a legacy backend requires it. Each attribute is a comma-separated string listing the enabled methods or algorithms in order of preference; an algorithm that is not listed is not permitted on that side.

Key exchange algorithms

The permitted key exchange algorithms can be specified via the client_kex_algos and server_kex_algos attributes. The SSH proxy supports the following algorithms: diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1 and diffie-hellman-group1-sha1. Note that diffie-hellman-group1-sha1 uses a 1024-bit group and diffie-hellman-group14-sha1 hashes with SHA-1; keep them out of the list unless a legacy peer cannot negotiate anything else.

Host key algorithms

The permitted host key algorithms can be specified via the client_hostkey_algos and server_hostkey_algos attributes. The supported algorithms are ssh-rsa, rsa-sha2-256, rsa-sha2-512 and ssh-dss.

Note

For a host key algorithm to be offered to clients, the corresponding private key has to be set in the host_key_rsa or the host_key_dss attribute: ssh-rsa, rsa-sha2-256 and rsa-sha2-512 all use the RSA key from host_key_rsa (they differ only in the signature hash, SHA-1 versus SHA-256 or SHA-512), while ssh-dss uses the DSA key from host_key_dss. Listing an algorithm whose key is not configured does not enable it.

Public key algorithms

The permitted public key algorithms can be specified via the client_pubkey_algos and server_pubkey_algos attributes. The supported algorithms are ssh-rsa, rsa-sha2-256, rsa-sha2-512 and ssh-dss.

Symmetric cipher algorithms

The permitted symmetric cipher algorithms can be specified via the client_cipher_algos and server_cipher_algos attributes. The following algorithms are supported: aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, arcfour, aes192-cbc, aes256-cbc, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com. Prefer the GCM and CTR modes: arcfour is RC4, 3des-cbc, blowfish-cbc and cast128-cbc are 64-bit block ciphers, and the CBC modes are exposed to plaintext-recovery attacks against SSH.

MAC algorithms

The permitted MAC algorithms can be specified via the client_mac_algos and server_mac_algos attributes. The supported algorithms are hmac-sha2-256, hmac-sha2-512, hmac-sha1 and hmac-md5. hmac-md5 and hmac-sha1 are retained for legacy peers only; list hmac-sha2-512 and hmac-sha2-256 first, and omit the others where possible.
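The following is an added example, not code from the original page or from the proxy's own code base. It builds the comma-separated, preference-ordered attribute strings described in the subsections above, validates them against the algorithm names the page lists, audits a policy for weak entries, and shows a fully permissive policy beside a hardened one. The WEAK classification, the ProxyStub class and the helper names are the editor's own; the page does not define them.

```python
# Added example: build, audit and apply SSH proxy algorithm policies.
# Relies only on what the page states: each *_algos attribute is a
# comma-separated string of names in order of preference, and SUPPORTED
# lists exactly the names the page gives.  WEAK and ProxyStub are the
# editor's, not the proxy's.

# Names the page lists as supported, keyed by attribute family.  Both
# client_<family> and server_<family> draw from the same list.
SUPPORTED = {
    "kex_algos": [
        "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512",
        "diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1",
        "diffie-hellman-group1-sha1",
    ],
    "hostkey_algos": ["ssh-rsa", "rsa-sha2-256", "rsa-sha2-512", "ssh-dss"],
    "pubkey_algos": ["ssh-rsa", "rsa-sha2-256", "rsa-sha2-512", "ssh-dss"],
    "cipher_algos": [
        "aes128-cbc", "3des-cbc", "blowfish-cbc", "cast128-cbc", "arcfour",
        "aes192-cbc", "aes256-cbc", "aes128-ctr", "aes192-ctr", "aes256-ctr",
        "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
    ],
    "mac_algos": ["hmac-sha2-256", "hmac-sha2-512", "hmac-sha1", "hmac-md5"],
}

# Entries a current deployment should not offer (editor's classification):
# the 1024-bit group1 exchange, anything signed or authenticated with
# SHA-1 or MD5, RC4, the 64-bit block ciphers, and CBC mode.
WEAK = {
    "diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
    "ssh-rsa", "ssh-dss",
    "aes128-cbc", "aes192-cbc", "aes256-cbc",
    "3des-cbc", "blowfish-cbc", "cast128-cbc", "arcfour",
    "hmac-sha1", "hmac-md5",
}


def parse_policy(value):
    """Split an attribute string into its ordered list, tolerating
    stray whitespace around the commas and a trailing comma."""
    return [a.strip() for a in value.split(",") if a.strip()]


def policy_string(family, algos):
    """Join a preference-ordered list into an attribute string, refusing
    unsupported names and duplicates.  A misspelled name would otherwise
    sit silently in the policy and never be negotiated."""
    unknown = [a for a in algos if a not in SUPPORTED[family]]
    if unknown:
        raise ValueError(f"unsupported {family}: {unknown}")
    if len(set(algos)) != len(algos):
        raise ValueError(f"duplicate entries in {family}: {algos}")
    return ",".join(algos)


def weak_entries(value):
    """Entries of one attribute string that are in WEAK, in offer order."""
    return [a for a in parse_policy(value) if a in WEAK]


def audit(settings):
    """Map attribute name -> weak entries it still offers; {} means clean."""
    report = {}
    for name, value in settings.items():
        bad = weak_entries(value)
        if bad:
            report[name] = bad
    return report


def hardened_settings():
    """Modern-only lists applied identically to both sides.  A peer that
    supports none of them fails the handshake instead of being
    downgraded.  rsa-sha2-* still require host_key_rsa to be set."""
    per_family = {
        "kex_algos": ["diffie-hellman-group16-sha512",
                      "diffie-hellman-group18-sha512",
                      "diffie-hellman-group14-sha256"],
        "hostkey_algos": ["rsa-sha2-512", "rsa-sha2-256"],
        "pubkey_algos": ["rsa-sha2-512", "rsa-sha2-256"],
        "cipher_algos": ["aes256-gcm@openssh.com", "aes128-gcm@openssh.com",
                         "aes256-ctr", "aes192-ctr", "aes128-ctr"],
        "mac_algos": ["hmac-sha2-512", "hmac-sha2-256"],
    }
    return {f"{side}_{family}": policy_string(family, algos)
            for side in ("client", "server")
            for family, algos in per_family.items()}


# The weak counterpart, constructed for comparison: everything the proxy
# supports, in the page's order, so the peer picks the algorithm.
PERMISSIVE_SETTINGS = {f"{side}_{family}": ",".join(algos)
                       for side in ("client", "server")
                       for family, algos in SUPPORTED.items()}


class ProxyStub:
    """Stand-in for the proxy instance so this runs outside the proxy;
    in a real policy the target is the proxy object itself."""


def apply_settings(proxy, settings):
    """Assign each attribute on the proxy object and return it."""
    for name, value in settings.items():
        setattr(proxy, name, value)
    return proxy
```

In a real policy file the assignment happens inside the proxy class's config() method, where the proxy instance is self, so the call becomes apply_settings(self, hardened_settings()) after the base class config() has run (the exact class and module to subclass are deployment-specific and not given on this page). Running audit() over PERMISSIVE_SETTINGS reports weak entries for every attribute family, while the hardened policy reports none; the same audit is useful against an existing policy file before and after a change.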