PAM default and supported Cipher Suites for SSH Proxy and SSH Mindterm

Article ID: 216770

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

What are the Cipher Suites (cryptography configuration), i.e. the Ciphers, Hash, Key Exchange, Compression and Server Host Key algorithms, that PAM supports for SSH access? And what is the default configuration?

Environment

Release: 3.4.2, 3.4.3 and later

Component: PRIVILEGED ACCESS MANAGEMENT

Resolution

To find the default SSH Mindterm and SSH Proxy Cipher Suites, go to the Configuration > Security > Cryptography > SSH Proxy/SSH Mindterm page and select the *Use Default* box. The Cipher Suites will be populated in each Cipher/Hash/Key Exchange/Compression/Server Host Key box. The boxes are grayed out, but you can still highlight their contents and copy and paste them into a notepad.

To find the supported SSH Mindterm and SSH Proxy Cipher Suites, click the 'eye' icon to the left of each Cipher/Hash/Key Exchange/Compression/Server Host Key box.

As of the time this article was written, these are the default and supported Cipher Suites:

A. SSH Proxy

Default Cipher:
[email protected],[email protected],[email protected],aes128-ctr,aes192-ctr,aes256-ctr

Supported Cipher:
[email protected],[email protected],[email protected],aes128-ctr,aes192-ctr,aes256-ctr 

Default Hash:
hmac-sha2-512,hmac-sha2-256,[email protected],[email protected],[email protected]

Supported Hash:
hmac-sha2-512,hmac-sha2-256,[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha1,hmac-md5-96,hmac-md5   

Default Key Exchange:
ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1

Supported Key Exchange:
ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,curve25519-sha256,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1

Default Compression:
none,[email protected],zlib

Supported Compression:
none,[email protected],zlib 

Default Server Host Key:
ssh-rsa

Supported Server Host Key:
ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,[email protected],[email protected],[email protected],[email protected],[email protected]   

B. SSH Mindterm

Default Cipher:
aes128-ctr,aes256-ctr,aes192-ctr,aes128-cbc,aes256-cbc,aes192-cbc

Supported Cipher:
aes128-ctr,aes256-ctr,aes192-ctr,aes128-cbc,aes256-cbc,aes192-cbc,3des-ctr,3des-cbc,blowfish-cbc,blowfish-ctr,arcfour256,arcfour128,arcfour    

Default Hash:
hmac-sha2-512,hmac-sha2-256,[email protected],[email protected],[email protected]

Supported Hash:
hmac-sha2-512,hmac-sha2-256,[email protected],[email protected],[email protected],hmac-sha1,hmac-sha1-96,hmac-md5-96,hmac-md5 

Default Key Exchange:
ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-nistp521,diffie-hellman-group14-sha1

Supported Key Exchange:
ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1

Default Compression:
none,[email protected],zlib

Supported Compression:
none,[email protected],zlib  

Default Server Host Key:
ssh-rsa

Supported Server Host Key:
ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,ecdsa-sha2-nistp521,ssh-dss  
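
When reviewing a custom selection, it helps to see which supported algorithms sit outside the defaults and which of those are legacy. The script below is an added example, not code from the product or the vendor. The function names and the LEGACY_MARKERS list are assumptions of the example, and the sample input is copied from the SSH Mindterm lists above.

```python
# Added example (not vendor code): diff "Default" vs "Supported" lists as laid out on this page.

# Assumption of this example, not a PAM setting: substrings for RC4, 3DES,
# Blowfish, MD5 MACs, 1024-bit DH group1 and DSA host keys.
LEGACY_MARKERS = ("arcfour", "3des", "blowfish", "md5", "group1-sha1", "ssh-dss")

# Sample input: three SSH Mindterm categories copied from this article.
MINDTERM = """
Default Cipher:
aes128-ctr,aes256-ctr,aes192-ctr,aes128-cbc,aes256-cbc,aes192-cbc
Supported Cipher:
aes128-ctr,aes256-ctr,aes192-ctr,aes128-cbc,aes256-cbc,aes192-cbc,3des-ctr,3des-cbc,blowfish-cbc,blowfish-ctr,arcfour256,arcfour128,arcfour
Default Key Exchange:
ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-nistp521,diffie-hellman-group14-sha1
Supported Key Exchange:
ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1
Default Server Host Key:
ssh-rsa
Supported Server Host Key:
ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,ecdsa-sha2-nistp521,ssh-dss
"""

def parse_lists(text):
    """Map each 'Label:' line to the comma-separated list on the next non-empty line."""
    lists, label = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith(":"):
            label = line[:-1]
        elif line and label:
            lists[label] = [a.strip() for a in line.split(",") if a.strip()]
            label = None
    return lists

def audit(text):
    """Per category: supported-but-not-default entries, and the legacy ones among them."""
    lists, report = parse_lists(text), {}
    for label, supported in lists.items():
        if not label.startswith("Supported "):
            continue
        category = label[len("Supported "):]
        default = lists.get("Default " + category, [])
        optional = [a for a in supported if a not in default]
        legacy = [a for a in optional if any(m in a for m in LEGACY_MARKERS)]
        report[category] = {"optional": optional, "legacy_optional": legacy}
    return report

if __name__ == "__main__":
    for category, result in audit(MINDTERM).items():
        print(category, result)
```

The same functions accept text pasted from the Cryptography page, provided each label line ends with a colon and is followed by its comma-separated list.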
