4.2.1 SSH Ciphers in Connector/NET

This section includes the approved, deprecated, and invalid sets of SSH ciphers maintained by Connector/NET. The inclusion of ciphers and algorithms in the various lists can change over time.

Approved SSH Ciphers

Approved SSH ciphers and algorithms by category include:

Encryptions
- aes128-ctr
- aes192-ctr
- aes256-ctr
Host Key Algorithms
- ecdsa-sha2-nistp256
- ecdsa-sha2-nistp384
- ecdsa-sha2-nistp521
- ssh-ed25519
Key Exchange Algorithms
- diffie-hellman-group-exchange-sha256
Keyed Hash Message Authentication Codes
- hmac-sha2-256
- hmac-sha2-256-96
- hmac-sha2-512
- hmac-sha2-512-96

Deprecated SSH Ciphers

Deprecated SSH ciphers and algorithms are available for legacy and interoperability purposes only. These items are subject to gradual phaseout (see Invalid SSH Ciphers).

The current set of deprecated ciphers and algorithms by category are:

Encryptions
- aes128-cbc
- aes192-cbc
- aes256-cbc
Host Key Algorithms
- ssh-rsa
Key Exchange Algorithms
- diffie-hellman-group14-sha1
Keyed Hash Message Authentication Codes
- hmac-sha1

Invalid SSH Ciphers

The following SSH ciphers and algorithms (by category) are no longer permitted:

Encryptions
- 3des-cbc
- arcfour
- arcfour128
- arcfour256
- blowfish-cbc
- cast128-cbc
- twofish-cbc
- twofish192-cbc
- twofish128-cbc
- twofish256-cbc
Host Key Algorithms
- ssh-dss
Key Exchange Algorithms
- diffie-hellman-group-exchange-sha1
- diffie-hellman-group1-sha1
Keyed Hash Message Authentication Codes
- hmac-md5
- hmac-md5-96
- hmac-ripemd160
- hmac-ripemd160@openssh.com
- hmac-sha1-96