Configuring Ciphers and MACs

The client and server support the same keywords for configuring ciphers and MACs. Configure client keywords in ssh2_config. Configure server keywords in sshd2_config.

Keyword	Values
Ciphers	Allowed values are 'aes128-ctr', 'aes128-cbc', 'aes192-ctr', 'aes192-cbc', 'aes256-ctr', 'aes256-cbc', 'blowfish-cbc', 'arcfour', 'arcfour128', 'arcfour256', 'cast128-cbc', and '3des-cbc'. You can also set this value to 'one'. When 'none' is the agreed on cipher, data is not encrypted. Note that this method provides no confidentiality protection, and is not recommended. The following values are provided for convenience: 'aes' (all supported aes ciphers), 'blowfish' (equivalent to 'blowfish-cbc'), 'cast' (equivalent to 'cast128-cbc'), '3des' (equivalent to '3des-cbc'), 'Any' or 'AnyStd' (all available ciphers plus 'none'), and 'AnyCipher' or 'AnyStdCipher' (all available ciphers). The default is 'AnyStdCipher'.
MACs	Allowed values are 'hmac-sha256', 'hmac-sha1', 'hmac-sha1-96', 'hmac-md5', 'hmac-md5-96', 'hmac-sha512', and 'hmac-ripemd160'. Use 'AnyMac' to support all of these. Use 'AnyStdMac' to specify 'hmac-sha256, hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96, hmac-sha512'. Specifying hmac-sha256 also enables hmac-sha2-256. Specifying hmac-sha512 also enables hmac-sha2-512. Multiple MACs can also be specified as a comma-separated list. Additional options are 'none', 'any' (equivalent to AnyMac plus 'none'), and 'AnyStd' (equivalent to 'AnyStdMac' plus 'none'). When 'none' is the agreed on MAC, no message authentication code is used. Because this provides no data integrity protection, options that include 'none' are not recommended.

Keyword

Values

Ciphers

Allowed values are 'aes128-ctr', 'aes128-cbc', 'aes192-ctr', 'aes192-cbc', 'aes256-ctr', 'aes256-cbc', 'blowfish-cbc', 'arcfour', 'arcfour128', 'arcfour256', 'cast128-cbc', and '3des-cbc'. You can also set this value to 'one'. When 'none' is the agreed on cipher, data is not encrypted. Note that this method provides no confidentiality protection, and is not recommended.

The following values are provided for convenience: 'aes' (all supported aes ciphers), 'blowfish' (equivalent to 'blowfish-cbc'), 'cast' (equivalent to 'cast128-cbc'), '3des' (equivalent to '3des-cbc'), 'Any' or 'AnyStd' (all available ciphers plus 'none'), and 'AnyCipher' or 'AnyStdCipher' (all available ciphers).

The default is 'AnyStdCipher'.

MACs

Allowed values are 'hmac-sha256', 'hmac-sha1', 'hmac-sha1-96', 'hmac-md5', 'hmac-md5-96', 'hmac-sha512', and 'hmac-ripemd160'. Use 'AnyMac' to support all of these. Use 'AnyStdMac' to specify 'hmac-sha256, hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96, hmac-sha512'. Specifying hmac-sha256 also enables hmac-sha2-256. Specifying hmac-sha512 also enables hmac-sha2-512. Multiple MACs can also be specified as a comma-separated list. Additional options are 'none', 'any' (equivalent to AnyMac plus 'none'), and 'AnyStd' (equivalent to 'AnyStdMac' plus 'none'). When 'none' is the agreed on MAC, no message authentication code is used. Because this provides no data integrity protection, options that include 'none' are not recommended.

Ciphers can also be configured on the ssh, scp, and sftp command line using -c. For example:

ssh -c blowfish-cbc joe@remote.com

MACs can also be configured on the ssh and sftp command line using -m. For example:

sftp -m hmac-md5 joe@remote.com