The following tables contain all the encryption algorithms you can configure One Identity Safeguard for Privileged Sessions (SPS) to recognize. If you use a configuration that is only partially supported, SPS might ignore the connection without warning.
NOTE: Do not use the CBC block cipher mode, or any sha1-based KEX, MAC, or host key algorithm, which are considered weak.
Key exchange algorithms
The default SPS configuration for both the client and the server is the following:
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
The following key exchange (KEX) algorithms are recognized:
Figure 246: Key exchange (KEX) algorithms
| Key exchange (KEX) | Default | Comment |
|---|---|---|
| ecdh-sha2-nistp256 | ✔ | |
| ecdh-sha2-nistp384 | ✔ | |
| ecdh-sha2-nistp521 | ✔ | |
| diffie-hellman-group1-sha1 | - | Not recommended |
| diffie-hellman-group14-sha1 | - | Not recommended |
| diffie-hellman-group14-sha256 | ✔ | |
| diffie-hellman-group15-sha512 | - | |
| diffie-hellman-group16-sha512 | ✔ | |
| diffie-hellman-group17-sha512 | - | |
| diffie-hellman-group18-sha512 | ✔ | |
| diffie-hellman-group-exchange-sha256 | ✔ | |
| diffie-hellman-group-exchange-sha1 | - | Not recommended |
During an SSH session, SPS performs a key re-exchange after each gigabyte of transmitted data or after each hour of connection time, whichever comes sooner.
Cipher algorithms
The default SPS configuration for both the client and the server is the following:
aes128-ctr,aes192-ctr,aes256-ctr
The following cipher algorithms are recognized:
Figure 247: Cipher algorithms
| Cipher algorithm | Default | Comment |
|---|---|---|
| 3des-cbc | – | Not recommended |
| blowfish-cbc | – | Not recommended |
| twofish256-cbc | – | Not recommended |
| twofish-cbc | – | Not recommended |
| twofish192-cbc | – | Not recommended |
| twofish128-cbc | – | Not recommended |
| aes256-cbc | – | Not recommended |
| aes192-cbc | – | Not recommended |
| aes128-cbc | – | Not recommended |
| aes256-ctr | ✔ | |
| aes192-ctr | ✔ | |
| aes128-ctr | ✔ | |
| serpent256-cbc | – | Not recommended |
| serpent192-cbc | – | Not recommended |
| serpent128-cbc | – | Not recommended |
| arcfour | – | Not recommended |
| idea-cbc | – | Not recommended |
| cast128-cbc | – | Not recommended |
| none | – | Means no cipher algorithm; not recommended |
Message authentication code (MAC) algorithms
The default SPS configuration for both the client and the server is the following:
hmac-sha2-256,hmac-sha2-512
The following MAC algorithms are recognized:
Figure 248: Message Authentication Code (MAC) algorithms
| MAC | Default | Comment |
|---|---|---|
| hmac-sha1 | – | Not recommended |
| hmac-sha1-96 | – | Not recommended |
| hmac-md5 | – | Not recommended |
| hmac-md5-96 | – | Not recommended |
| hmac-sha2-256 | ✔ | |
| hmac-sha2-512 | ✔ |
SSH compression algorithms
The default SPS configuration for both the client and the server is the following:
none
The following SSH compression algorithms are recognized:
Figure 249: SSH compression algorithms
| SSH compression algorithm | Default | Comment |
|---|---|---|
| zlib | – | Not recommended |
| none | ✔ | Means no compression |
Host key algorithms
The default SPS configuration for both the client and the server is the following:
ecdsa-sha2-nistp256,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
The following host key algorithms are recognized:
Figure 250: Host key algorithms
| Host key algorithms | Default | Comment |
|---|---|---|
| ecdsa-sha2-nistp256 | ✔ | |
| ssh-ed25519 | ✔ | |
| rsa-sha2-512 | ✔ | |
| rsa-sha2-256 | ✔ | |
| ssh-rsa | ✔ |
Not recommended NOTE: The ssh-rsa public key signature algorithm that depends on SHA-1 is not recommended and will be disabled in a future release. |