Configuring Ciphers and MACs

The client and server support the same keywords for configuring ciphers and MACs. Configure client keywords in ssh2_config. Configure server keywords in sshd2_config.




Allowed values are `aes128-ctr', `aes128-cbc', `aes192-ctr', `aes192-cbc', `aes256-ctr', `aes256-cbc', `blowfish-cbc', `arcfour', `arcfour128', `arcfour256', `cast128-cbc', and `3des-cbc'. You can also set this value to `none'. When `none' is the agreed on cipher, data is not encrypted. Note that this method provides no confidentiality protection, and is not recommended.

The following values are provided for convenience: `aes' (all supported aes ciphers), `blowfish' (equivalent to `blowfish-cbc'), `cast' (equivalent to `cast128-cbc'), `3des' (equivalent to `3des-cbc'), `Any' or `AnyStd' (all available ciphers plus `none'), and `AnyCipher' or `AnyStdCipher' (all available ciphers).

The default is `AnyStdCipher'.



Allowed values are `hmac-sha256', `hmac-sha1', `hmac-sha1-96', `hmac-md5', `hmac-md5-96', `hmac-sha512', and `hmac-ripemd160'. Use `AnyMac' to support all of these. Use `AnyStdMac' to specify `hmac-sha256, hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96, hmac-sha512'. Specifying hmac-sha256 also enables hmac-sha2-256. Specifying hmac-sha512 also enables hmac-sha2-512. Multiple MACs can also be specified as a comma-separated list. Additional options are `none', `any' (equivalent to AnyMac plus `none'), and `AnyStd' (equivalent to `AnyStdMac' plus `none'). When `none' is the agreed on MAC, no message authentication code is used. Because this provides no data integrity protection, options that include `none' are not recommended.


Ciphers can also be defined on the ssh, scp, and sftp command line using -c. For example:

ssh -c blowfish-cbc

MACs can also be defined on the ssh and sftp command line using -m. For example:

sftp -m hmac-md5

Related Topics


Data Integrity

Client Configuration Files

Server Configuration Files