The following tables contain all the encryption algorithms you can configure One Identity Safeguard for Privileged Sessions (SPS) to recognize. If you use a configuration that is only partially supported, SPS might ignore the connection without warning.
|
|
NOTE:
Do not use the CBC block cipher mode, or the diffie-hellman-group1-sha1 key exchange algorithm. |
Key exchange algorithms
The default SPS configuration for both the client and the server is the following:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
The following key exchange (KEX) algorithms are recognized:
| Key exchange (KEX) | Default | Comment |
|---|---|---|
| diffie-hellman-group1-sha1 | – | Not recommended |
| diffie-hellman-group14-sha1 | ✔ | |
| diffie-hellman-group-exchange-sha1 | ✔ | |
| diffie-hellman-group-exchange-sha256 | ✔ |
Cipher algorithms
The default SPS configuration for both the client and the server is the following:
aes128-ctr,aes192-ctr,aes256-ctr
The following cipher algorithms are recognized:
| Cipher algorithm | Default | Comment |
|---|---|---|
| 3des-cbc | – | Not recommended |
| blowfish-cbc | – | Not recommended |
| twofish256-cbc | – | Not recommended |
| twofish-cbc | – | Not recommended |
| twofish192-cbc | – | Not recommended |
| twofish128-cbc | – | Not recommended |
| aes256-cbc | – | Not recommended |
| aes192-cbc | – | Not recommended |
| aes128-cbc | – | Not recommended |
| aes256-ctr | ✔ | |
| aes192-ctr | ✔ | |
| aes128-ctr | ✔ | |
| serpent256-cbc | – | Not recommended |
| serpent192-cbc | – | Not recommended |
| serpent128-cbc | – | Not recommended |
| arcfour | – | Not recommended |
| idea-cbc | – | Not recommended |
| cast128-cbc | – | Not recommended |
| none | – | Means no cipher algorithm; not recommended |
Message authentication code (MAC) algorithms
The default SPS configuration for both the client and the server is the following:
hmac-sha2-256,hmac-sha2-512
The following MAC algorithms are recognized:
| MAC | Default |
|---|---|
| hmac-sha1 | – |
| hmac-sha1-96 | – |
| hmac-md5 | – |
| hmac-md5-96 | – |
| hmac-sha2-256 | ✔ |
| hmac-sha2-512 | ✔ |
SSH compression algorithms
The default SPS configuration for both the client and the server is the following:
none
The following SSH compression algorithms are recognized:
| SSH compression algorithm | Default | Comment |
|---|---|---|
| zlib | – | |
| none | ✔ | Means no compression |
Host key algorithms
The SPS configuration for both the client and the server is the following:
rsa-sha2-512,rsa-sha2-256,ssh-rsa
This list cannot be configured.