11.6. Supported encryption algorithms

The following tables contain all the encryption algorithms you can configure PSM to recognize. If you use a configuration that is only partially supported, PSM might ignore the connection without warning.

Note: Do not use the CBC block cipher mode, or the diffie-hellman-group1-sha1 key exchange algorithm.

Key exchange algorithms:

The default PSM configuration for both the client and the server is the following:

diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1

The following key exchange (KEX) algorithms are recognized:

Key exchange (KEX)                      Default   Comment
diffie-hellman-group1-sha1                        Not recommended
diffie-hellman-group14-sha1             yes
diffie-hellman-group-exchange-sha1      yes
diffie-hellman-group-exchange-sha256    yes

Table 11.2. Key exchange (KEX) algorithms

Cipher algorithms:

The default PSM configuration for both the client and the server is the following:

aes128-ctr,aes192-ctr,aes256-ctr

The following cipher algorithms are recognized:

Cipher algorithm    Default   Comment
3des-cbc                      Not recommended
blowfish-cbc                  Not recommended
twofish256-cbc                Not recommended
twofish-cbc                   Not recommended
twofish192-cbc                Not recommended
twofish128-cbc                Not recommended
aes256-cbc                    Not recommended
aes192-cbc                    Not recommended
aes128-cbc                    Not recommended
aes256-ctr          yes
aes192-ctr          yes
aes128-ctr          yes
serpent256-cbc                Not recommended
serpent192-cbc                Not recommended
serpent128-cbc                Not recommended
arcfour                       Not recommended
idea-cbc                      Not recommended
cast128-cbc                   Not recommended
none                          Means no cipher algorithm; not recommended

Table 11.3. Cipher algorithms

Message authentication code (MAC) algorithms:

The default PSM configuration for both the client and the server is the following:

hmac-sha2-256,hmac-sha2-512

The following MAC algorithms are recognized:

MAC               Default
hmac-sha1
hmac-sha1-96
hmac-md5
hmac-md5-96
hmac-sha2-256     yes
hmac-sha2-512     yes

Table 11.4. Message Authentication Code (MAC) algorithms

SSH compression algorithms:

The default PSM configuration for both the client and the server is the following:

none

The following SSH compression algorithms are recognized:

SSH compression algorithm    Default   Comment
zlib
none                         yes       Means no compression

Table 11.5. SSH compression algorithms
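Because a partially supported configuration can make PSM drop the connection silently, it is worth checking a proposed algorithm list against tables 11.2 to 11.5 before deploying it. The following is an added example written for this page, not PSM's own tooling; the recognized and not-recommended sets are copied from the tables above, and the sample configuration is constructed.

```python
"""Validate a PSM SSH algorithm setting against tables 11.2 to 11.5.
Added example for this page, not PSM's own tooling."""

# Algorithms PSM recognizes, per category, as listed in the tables above.
RECOGNIZED = {
    "kex": {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1",
            "diffie-hellman-group-exchange-sha256"},
    "cipher": {"3des-cbc", "blowfish-cbc", "twofish256-cbc", "twofish-cbc",
               "twofish192-cbc", "twofish128-cbc", "aes256-cbc", "aes192-cbc",
               "aes128-cbc", "aes256-ctr", "aes192-ctr", "aes128-ctr",
               "serpent256-cbc", "serpent192-cbc", "serpent128-cbc",
               "arcfour", "idea-cbc", "cast128-cbc", "none"},
    "mac": {"hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96",
            "hmac-sha2-256", "hmac-sha2-512"},
    "compression": {"zlib", "none"},
}

# Entries the tables mark "Not recommended": every CBC cipher, arcfour,
# the "none" cipher, and the diffie-hellman-group1-sha1 key exchange.
NOT_RECOMMENDED = {
    "kex": {"diffie-hellman-group1-sha1"},
    "cipher": {c for c in RECOGNIZED["cipher"] if c.endswith("-cbc")}
    | {"arcfour", "none"},
    "mac": set(),
    "compression": set(),
}


def check_setting(category, value):
    """Split one comma-separated PSM setting and return
    (unrecognized, not_recommended), each in configuration order.
    Any unrecognized name means the setting is only partially
    supported, the case where PSM may ignore the connection silently."""
    names = [n.strip() for n in value.split(",") if n.strip()]
    unrecognized = [n for n in names if n not in RECOGNIZED[category]]
    weak = [n for n in names if n in NOT_RECOMMENDED[category]]
    return unrecognized, weak


if __name__ == "__main__":
    # Constructed sample: a CTR cipher mixed with a CBC cipher and an
    # algorithm name that PSM does not list at all.
    sample = {"kex": "diffie-hellman-group-exchange-sha256,diffie-hellman-group1-sha1",
              "cipher": "aes256-ctr,aes128-cbc,chacha20-poly1305@openssh.com",
              "mac": "hmac-sha2-256", "compression": "none"}
    for category, value in sample.items():
        unknown, weak = check_setting(category, value)
        for n in unknown:
            print(f"{category}: {n} is not recognized (connection may be ignored)")
        for n in weak:
            print(f"{category}: {n} is not recommended")
```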