openSSH: configure ciphers.

Damien Miller djm at mindrot.org
Tue Jan 9 11:14:28 EST 2001


On Mon, 8 Jan 2001, Sunil K. Vallamkonda wrote:

 
> thank you for your email.
> Yes, I got this list from ssh communications.
> Question is: Is there a similar list for openSSH ?

The manpage lists a few - recent snapshots include a more complete list.

> > There are no compile-time configuration options to toggle these on and
> > off.  You can specify which to use at run time or in configuration using
> > 'Cipher' and 'Ciphers'.
> >
> Does it mean at server side there is no compile-time/run-time
> option to specify list of ciphers to accept from a client ?

Read the above paragraph again - you can use the 'Cipher' (for SSH1) and
'Ciphers' (for SSH2) to select which cipher will be used by the client.

You can also use 'Ciphers' to specify which ciphers the server will accept.

> I find that in SSH Transport Layer Protocol doc:
> http://www.ietf.org/internet-drafts/draft-ietf-secsh-transport-08.txt:
> 
>   3des-cbc         REQUIRED          three-key 3DES in CBC mode
>   blowfish-cbc     RECOMMENDED       Blowfish in CBC mode
>   twofish-cbc      RECOMMENDED       Twofish in CBC mode
>   aes256-cbc       RECOMMENDED       AES (Rijndael) in CBC mode,
>                                      with 256-bit key
>   aes192-cbc       OPTIONAL          AES with 192-bit key
>   <..clipped..>
> 
> 
> Is this for SSH1 and SSH2 ?

SSH2. 

> Does RECOMMENDED mean "MUST" ?

No, REQUIRED = MUST.

This is a list of the ciphers that OpenSSH implements:

SSH1
----

3DES (default)
Blowfish
DES (client only, must be explicitly selected)

SSH2
----

3des-cbc
blowfish-cbc
cast128-cbc
arcfour
aes128-cbc (a.k.a rijndael128-cbc)
aes192-cbc (a.k.a rijndael192-cbc)
aes256-cbc (a.k.a rijndael256-cbc)

-d

-- 
| ``We've all heard that a million monkeys banging on | Damien Miller -
| a million typewriters will eventually reproduce the | <djm at mindrot.org>
| works of Shakespeare. Now, thanks to the Internet, / 
| we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org
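
An added example (not part of the original message and not OpenSSH code): a small Python check that reads the `Cipher` and `Ciphers` lines of a client or server configuration and compares them with the cipher lists given in the message above. The function name, the sample configuration and the lowercase SSH1 option values are assumptions made for illustration.

```python
import re

# SSH2 names from the list in the message; rijndael* are the aliases it gives.
SSH2_CIPHERS = {"3des-cbc", "blowfish-cbc", "cast128-cbc", "arcfour",
                "aes128-cbc", "aes192-cbc", "aes256-cbc"}
SSH2_ALIASES = {"rijndael128-cbc": "aes128-cbc",
                "rijndael192-cbc": "aes192-cbc",
                "rijndael256-cbc": "aes256-cbc"}
# SSH1 names: lowercase spellings of the message's list (assumed option values).
SSH1_CIPHERS = {"3des", "blowfish", "des"}

# Constructed sample configuration, not taken from a real host.
SAMPLE = """\
# constructed sample
Protocol 2,1
Cipher blowfish
Ciphers aes128-cbc,rijndael256-cbc,3des-cbc,twofish-cbc
"""


def check_cipher_config(text):
    """Return (accepted, problems) for the Cipher/Ciphers lines in text."""
    accepted, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and value are separated by whitespace or '='.
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()          # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "ciphers":            # SSH2: comma-separated list
            for name in (n.strip() for n in value.split(",")):
                canonical = SSH2_ALIASES.get(name, name)
                if canonical in SSH2_CIPHERS:
                    accepted.append(canonical)
                else:
                    problems.append((lineno, f"unknown SSH2 cipher {name!r}"))
        elif keyword == "cipher":           # SSH1: a single cipher
            if value in SSH1_CIPHERS:
                accepted.append(value)
            else:
                problems.append((lineno, f"unknown SSH1 cipher {value!r}"))
    return accepted, problems


if __name__ == "__main__":
    print(check_cipher_config(SAMPLE))
```

In the sample, `twofish-cbc` is reported because it appears in the quoted draft's table but not in the message's list of ciphers that OpenSSH implements.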






