Supported Algorithms

AbsoluteTelnet/ssh supports an extensive set of crypto algorithms to connect to just about ANY modern standards-compliant SSH server. Through configuration, users are able to enable or disable individual algorithms or change their order of preference. Occasionally, older algorithms will be DEPRECATED and may be flagged as such in newer versions or removed from the software entirely.

DEFINITIONS:
Supported Algorithms: All algorithms supported in AbsoluteTelnet/ssh code. NEW algorithms can only be added in newer versions of the software. See algorithm lists below.
Deprecated Algorithms: Algorithms formally or informally discouraged from use, either by documented standard or general consensus. Only new versions of the software can move algorithms into this category.
Disabled Algorithms: Algorithms that won’t be used during connection. Initially, all deprecated algorithms are also disabled, but as a user option, you can control which are disabled or enabled. As of Version 12.17, Absolute will recommend re-enabling a disabled algorithm but only when absolutely necessary for backward compatibility to older servers.
Compatible Algorithms: At connection time, the client and server decide which algorithms will be used. If a compatible set can’t be found, the connection terminates.
Preferred Algorithms: Algorithm preference is determined by the ORDER in which they appear in their respective list. Generally, the more secure and faster algorithms are at the top of the list and slower, deprecated or disabled algorithms appear at the bottom. The lists here are the APPLICATION DEFAULT lists, though through configuration, lists can be re-ordered and individual algorithms can be disabled for any connection.
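
The Compatible and Preferred definitions above can be checked against a server's advertised list. The following is an added example, not AbsoluteTelnet code: it applies the RFC 4253 section 7.1 rule (the first name on the client's list that the server also offers) to this page's default key exchange list. It assumes host-key compatibility does not affect the choice, and the server offers are constructed samples.

```python
# Added example (not AbsoluteTelnet code): SSH algorithm selection per RFC 4253
# section 7.1: the first name on the client's list that the server also offers.
# KEX holds this page's default key exchange list in preference order.
KEX = """ecdh-sha2-nistp521 ecdh-sha2-nistp384 ecdh-sha2-nistp256
diffie-hellman-group18-sha512 diffie-hellman-group16-sha512
diffie-hellman-group14-sha256 diffie-hellman-group-exchange-sha256
diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1
diffie-hellman-group1-sha1""".split()
DEPRECATED = set(KEX[-3:])   # the three *-sha1 entries flagged "Yes" in the table
DISABLED = set(KEX[-2:])     # disabled by default: group-exchange-sha1, group1-sha1


def negotiate(client_order, disabled, server_offer):
    """Return the first enabled client algorithm the server also offers, or None."""
    for alg in client_order:
        if alg not in disabled and alg in server_offer:
            return alg
    return None


def assess(server_offer, re_enabled=()):
    """Describe the outcome of connecting to a server with the given KEX offer."""
    disabled = DISABLED - set(re_enabled)
    chosen = negotiate(KEX, disabled, server_offer)
    return {
        "chosen": chosen,  # None means no compatible set: the connection terminates
        "deprecated": chosen in DEPRECATED,
        # Disabled algorithms that would have to be re-enabled to connect at all.
        "would_need": [] if chosen else [a for a in KEX if a in disabled and a in server_offer],
    }


# Constructed server offers (not captured from real hosts).
SERVERS = {
    "modern": ["curve25519-sha256", "ecdh-sha2-nistp256", "diffie-hellman-group14-sha256"],
    "legacy": ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "ancient": ["diffie-hellman-group1-sha1"],
}

if __name__ == "__main__":
    for name, offer in SERVERS.items():
        print(name, assess(offer))
```

A result with "deprecated" set to True, or a non-empty "would_need" list, marks a server whose key exchange configuration is due for an upgrade rather than a client that should be loosened permanently.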

As of version 12.17, Absolute supports the following algorithms in each category.

Encryption Algorithms

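| Algorithm | Default Status | Deprecated? | Version when introduced |
|---|---|---|---|
| aes128-ctr | Enabled | | 7.18 |
| aes192-ctr | Enabled | | 7.18 |
| aes256-ctr | Enabled | | 7.18 |
| aes128-cbc | Enabled | | 2.12 |
| aes192-cbc | Enabled | | 7.18 |
| aes256-cbc | Enabled | | 3.0 |
| blowfish-cbc | Enabled | | 1 |
| twofish256-cbc | Enabled | | 3.0 |
| twofish128-cbc | Enabled | | 2.12 |
| cast128-cbc | Enabled | | 1 |
| 3des-ctr | Enabled | | 7.18 |
| 3des-cbc | Enabled | | 1 |
| arcfour | Disabled | Yes | 1 |
| arcfour256 | Disabled | Yes | 7.18 |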

Host Key Algorithms

| Algorithm | Default Status | Deprecated | Version when introduced |
|---|---|---|---|
| ssh-ed25519 | Enabled | | 11.07 |
| ecdsa-sha2-nistp521 | Enabled | | 11.21 |
| ecdsa-sha2-nistp384 | Enabled | | 11.21 |
| ecdsa-sha2-nistp256 | Enabled | | 11.21 |
| rsa-sha2-512 | Enabled | | 11.29 |
| rsa-sha2-256 | Enabled | | 11.29 |
| ssh-rsa | Enabled | | 1 |
| ssh-dss | Enabled | | 1 |

Key Exchange Algorithms

| Algorithm | Default Status | Deprecated? | Version when introduced |
|---|---|---|---|
| ecdh-sha2-nistp521 | Enabled | | 11.21 |
| ecdh-sha2-nistp384 | Enabled | | 11.21 |
| ecdh-sha2-nistp256 | Enabled | | 11.21 |
| diffie-hellman-group18-sha512 | Enabled | | 11.07 |
| diffie-hellman-group16-sha512 | Enabled | | 11.07 |
| diffie-hellman-group14-sha256 | Enabled | | 11.07 |
| diffie-hellman-group-exchange-sha256 | Enabled | | 10.12 |
| diffie-hellman-group14-sha1 | Enabled | Yes | 1 |
| diffie-hellman-group-exchange-sha1 | Disabled | Yes | 1 |
| diffie-hellman-group1-sha1 | Disabled | Yes | 1 |

MAC Algorithms

| Algorithm | Default Status | Deprecated? | Version when introduced |
|---|---|---|---|
| hmac-sha2-512 | Enabled | | 10.12 |
| hmac-sha2-512-etm@openssh.com | Enabled | | 11.41 |
| hmac-sha2-256 | Enabled | | 10.12 |
| hmac-sha2-256-etm@openssh.com | Enabled | | 11.41 |
| hmac-sha1 | Enabled | Yes | 1 |
| hmac-sha1-etm@openssh.com | Enabled | Yes | 11.41 |
| hmac-sha1-96 | Enabled | Yes | 1 |
| hmac-sha1-96-etm@openssh.com | Disabled | Yes | 11.41 |
| hmac-md5 | Disabled | Yes | 1 |
| hmac-md5-etm@openssh.com | Disabled | Yes | 11.41 |
| hmac-md5-96 | Disabled | Yes | 1 |
| hmac-md5-96-etm@openssh.com | Disabled | Yes | 11.41 |

Related standards

| Document | Description |
|---|---|
| https://datatracker.ietf.org/doc/rfc4253 | Original SSH documentation for which algorithms are REQUIRED, RECOMMENDED, or OPTIONAL. |
| https://datatracker.ietf.org/doc/rfc9142 | Updated guidance for key exchange algorithms |
| https://datatracker.ietf.org/doc/rfc8758 | Formal deprecation of ARCFOUR in SSH |
| https://csrc.nist.gov/news/2023/nist-to-withdraw-sp-800-67-rev-2 | NIST “Disallows” use of 3des after December 31, 2023. However, according to RFC4253, it is ‘REQUIRED’ so until it’s formally deprecated for SSH, we’ll lower it in preference order but leave it enabled. In practice, most servers now implement the more preferred AES. |
