Supported Algorithms

AbsoluteTelnet/ssh supports an extensive set of crypto algorithms to connect to just about ANY modern standard compliant SSH server. Through configuration, users are able to enable or disable individual algorithms or change their order of preference. Occasionally, older algorithms will be DEPRECATED and may be flagged as such in newer versions or removed from the software entirely.

DEFINITIONS:
Supported Algorithms: All algorithms supported in AbsoluteTelnet/ssh code. NEW algorithms can only be added in newer versions of the software. See algorithm lists below.
Deprecated Algorithms: Algorithms formally or informally discouraged from use, either by documented standard or general consensus. Only new versions of the software can move algorithms into this category.
Disabled Algorithms: Algorithms that won’t be used during connection. Initially, all deprecated algorithms are also disabled, but as a user option, you can control which are disabled or enabled. As of Version 12.17, Absolute will recommend re-enabling a disabled algorithm but only when absolutely necessary for backward compatibility to older servers.
Compatible Algorithms: Decided at connection time, the client and server decide which algorithms will be used. If a compatible sent can’t be found, the connection terminates.
Preferred Algorithms: Algorithm preference is determined by the ORDER in which they appear in their respective list. Generally, the more secure and faster algorithms are at the top of the list and slower, deprecated or disabled algorithms appear at the bottom. The lists here are the APPLICATION DEFAULT lists, though through configuration, lists can be re-ordered and individual algorithms can be disabled for any connection.

As of version 12.17, Absolute supports the following algorithms in each category.

Encryption Algorithms

AlgorithmDefault StatusDeprecated?Version when introduced
aes128-ctrEnabled7.18
aes192-ctrEnabled7.18
aes256-ctrEnabled7.18
aes128-cbcEnabled2.12
aes192-cbcEnabled7.18
aes256-cbcEnabled3.0
blowfish-cbcEnabled1
twofish256-cbcEnabled3.0
twofish128-cbcEnabled2.12
cast128-cbcEnabled1
3des-ctrEnabled7.18
3des-cbcEnabled1
arcfour DisabledYes1
arcfour256DisabledYes7.18

Host Key Algorithms

AlgorithmDefault StatusDeprecatedVersion when introduced
ssh-ed25519Enabled11.07
ecdsa-sha2-nistp521Enabled11.21
ecdsa-sha2-nistp384Enabled11.21
ecdsa-sha2-nistp256Enabled11.21
rsa-sha2-512Enabled11.29
rsa-sha2-256Enabled11.29
ssh-rsaEnabled1
ssh-dssEnabled1

Key Exchange Algorithms

AlgorithmDefault StatusDeprecated?Version when introduced
ecdh-sha2-nistp521Enabled11.21
ecdh-sha2-nistp384Enabled11.21
ecdh-sha2-nistp256Enabled11.21
diffie-hellman-group18-sha512Enabled11.07
diffie-hellman-group16-sha512Enabled11.07
diffie-hellman-group14-sha256Enabled11.07
diffie-hellman-group-exchange-sha256Enabled10.12
diffie-hellman-group14-sha1EnabledYes1
diffie-hellman-group-exchange-sha1DisabledYes1
diffie-hellman-group1-sha1DisabledYes1

MAC Algorithms

AlgorithmDefault StatusDeprecated?Version when introduced
hmac-sha2-512Enabled10.12
hmac-sha2-512-etm@openssh.comEnabled11.41
hmac-sha2-256Enabled10.12
hmac-sha2-256-etm@openssh.comEnabled11.41
hmac-sha1EnabledYes1
hmac-sha1-etm@openssh.comEnabledYes11.41
hmac-sha1-96EnabledYes1
hmac-sha1-96-etm@openssh.comDisabledYes11.41
hmac-md5DisabledYes1
hmac-md5-etm@openssh.comDisabledYes11.41
hmac-md5-96DisabledYes1
hmac-md5-96-etm@openssh.comDisabledYes11.41

Related standards

DocumentDescription
https://datatracker.ietf.org/doc/rfc4253Original SSH documentation for which algorithms are REQUIRED, RECOMMENDED, or OPTIONAL.
https://datatracker.ietf.org/doc/rfc9142Updated guidance for key exchange algorithms
https://datatracker.ietf.org/doc/rfc8758Formal deprecation of ARCFOUR in SSH
https://csrc.nist.gov/news/2023/nist-to-withdraw-sp-800-67-rev-2NIST “Disallows” use of 3des after December 31, 2023. However, according to RFC4253, it is ‘REQUIRED’ so until it’s formally deprecated for SSH, we’ll lower it in preference order but leave it enabled. In practice, most servers now implement the more preferred AES.

Leave a Comment

Your email address will not be published. Required fields are marked *