Listener Encryption Settings (SSH)

To locate the SSH listener encryption settings, click Server > Listeners. Select the IP address of the listener you want to open and click Edit SSH Settings.

Select host keys for your specific security requirements and preferences.
  • RSA host key. Displays the RSA host key applied to the current listener. Host keys are offered to the client by the server to prove the server's identity. To select an RSA host key, click Select.
  • ECDSA host key. Displays the ECDSA host key applied to the current listener. Host keys are offered to the client by the server to prove the server's identity. To select an ECDSA host key, click Select.
  • EdDSA host key. Displays the EdDSA host key applied to the current listener. Host keys are offered to the client by the server to prove the server's identity. To select an EdDSA host key, click Select.

Ciphers, Message Authentication Codes (MAC), and Key Exchange (KEX) Algorithms associated with this listener

The ciphers, MACs, and KEX algorithms are negotiated when an SSH connection is established with the remote SSH server. The Cipher, MAC, and KEX algorithm lists let you choose which algorithms are permissible and their order of preference.

  • Cipher. Ciphers are used to encrypt packets sent between the client and server.
  • MAC. MACs are used to verify the integrity of packets sent between a client and server.
  • KEX algorithm. KEX algorithms are used to securely generate and exchange the shared symmetric key that is used to encrypt packets.
  • Cipher name/MAC name/KEX name. The name of the cipher, MAC, or KEX algorithm.
  • Priority. Ciphers, MACs, and KEX algorithms are listed in order of preference. To reorder the priority, select the item and click Move Up or Move Down.
  • Add. Click to add a cipher, MAC, or KEX algorithm to this listener.
  • Remove. Click to remove the selected cipher, MAC, or KEX algorithm from the list.
The following ciphers, MACs, and KEX algorithms are enabled by default. Less secure ciphers, MACs, and KEX algorithms are disabled by default on new and upgrade installations.
Warning: To protect transactions against the Terrapin SSH vulnerability, all cbc ciphers should be disabled when using any encrypt-then-mac (-etm@openssh.com) MAC algorithms.

Type: Cipher
Group: AES
List:
  • aes128-gcm@openssh.com
  • aes256-gcm@openssh.com
  • aes256-ctr
  • aes192-ctr
  • aes128-ctr
  Supported on upgrades if already enabled. Disabled on new installations:
  • aes256-cbc
  • aes128-cbc

Type: MAC
Group: HMAC
List:
  • hmac-sha2-256
  • hmac-sha2-384
  • hmac-sha2-512
  Enabled on new installations. Disabled on upgrades if cbc ciphers are enabled:
  • hmac-sha2-512-etm@openssh.com
  • hmac-sha2-256-etm@openssh.com

Type: KEX
Group: DIFFIE-HELLMAN
List:
  • diffie-hellman-group16-sha512
  • diffie-hellman-group18-sha512

Type: KEX
Group: ECDH
List:
  • ecdh-sha2-nistp256
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp512
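The following added example (not part of the product or this page) audits a listener's cipher, MAC, and KEX lists against the defaults above and the Terrapin warning: it flags cbc ciphers enabled alongside any -etm@openssh.com MAC, legacy cbc ciphers, a cbc cipher sitting at the top of the priority order, and an empty list. The listener configurations it checks are constructed; the audit_listener and terrapin_safe_ciphers function names are assumptions.

```python
# Constructed example: audit SSH listener algorithm lists against the page's
# defaults and its Terrapin rule. Not taken from the product's own code.

DEFAULT_CIPHERS = ["aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
                   "aes256-ctr", "aes192-ctr", "aes128-ctr"]
LEGACY_CIPHERS = ["aes256-cbc", "aes128-cbc"]  # disabled on new installations
DEFAULT_MACS = ["hmac-sha2-256", "hmac-sha2-384", "hmac-sha2-512",
                "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com"]
DEFAULT_KEX = ["diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512",
               "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp512"]


def is_cbc(cipher):
    return cipher.endswith("-cbc")


def is_etm(mac):
    return mac.endswith("-etm@openssh.com")


def audit_listener(ciphers, macs, kex):
    """Return (severity, message) findings; an empty list means the listener is clean."""
    findings = []
    cbc = [c for c in ciphers if is_cbc(c)]
    etm = [m for m in macs if is_etm(m)]
    # The page's warning: cbc ciphers must be disabled when any etm MAC is enabled.
    if cbc and etm:
        findings.append(("high", f"Terrapin: cbc ciphers {cbc} enabled alongside etm MACs {etm}"))
    for c in cbc:
        findings.append(("medium", f"{c} is disabled by default on new installations"))
    # Priority matters: the first entry is offered first during negotiation.
    if ciphers and is_cbc(ciphers[0]):
        findings.append(("medium", f"highest-priority cipher {ciphers[0]} is cbc"))
    known = {"cipher": DEFAULT_CIPHERS + LEGACY_CIPHERS, "MAC": DEFAULT_MACS, "KEX": DEFAULT_KEX}
    for kind, configured in (("cipher", ciphers), ("MAC", macs), ("KEX", kex)):
        for name in configured:
            if name not in known[kind]:
                findings.append(("info", f"{kind} {name} is not in the page's default list"))
        if not configured:
            findings.append(("high", f"no {kind} algorithms enabled; listener cannot negotiate"))
    return findings


def terrapin_safe_ciphers(ciphers, macs):
    """Apply the warning mechanically: drop every cbc cipher when any etm MAC is enabled."""
    if any(is_etm(m) for m in macs):
        return [c for c in ciphers if not is_cbc(c)]
    return list(ciphers)


if __name__ == "__main__":
    upgraded = LEGACY_CIPHERS + DEFAULT_CIPHERS  # constructed upgrade-install listener
    for severity, message in audit_listener(upgraded, DEFAULT_MACS, DEFAULT_KEX):
        print(f"[{severity}] {message}")
    print("hardened cipher list:", terrapin_safe_ciphers(upgraded, DEFAULT_MACS))
```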

Other Settings

  • Use zlib compression (selected by default). If selected, the server will compress any communication sent from this listener to a client, reducing bandwidth consumption.
  • Force key re-exchange. If selected, the server requires the client to renegotiate the SSH encryption keys after 1GB of data is transferred or an hour passes, whichever comes first. If the client fails to renegotiate the keys properly, the connection is closed.
    Note: If Force key re-exchange is cleared, the server still negotiates new keys at the client's request.
  • Authentication method. Select the user authentication methods to allow for this listener. The SSH service must be restarted before any changes to the authentication method become active.
    • Password (selected by default). If selected, this listener will accept password authentication.
    • Public key (selected by default). If selected, this listener will accept public key authentication. For public key authentication to work, you must also associate a key with each user who will use this authentication method.