

Configuring Host Key Signature Algorithms

The host key signature algorithms used in server authentication and host-based authentication are selected in the sshd2_config file with the HostKeyAlgorithms keyword. The keyword defines the host key signature algorithms that the server will propose and accept to authenticate the host. With this keyword, it is possible to enable only signature algorithms that use certain hash functions, such as SHA-2. The sender signs a hash of the message using the signature algorithm, and the receiver verifies the signature using the same algorithm. Multiple host key algorithms can be specified as a comma-separated list.


The system attempts to use the signature algorithms in the order in which they are specified on the line. The client should have at least one algorithm in common with the server configuration. The supported signature algorithms are the following:


Special values for this option are the following:

  • Any: allows all the host key signature algorithms

  • AnyStd: allows only the signature algorithms mentioned in the IETF Secsh draft. They are x509v3-sign-dss, x509v3-sign-rsa, ssh-dss and ssh-rsa.

  • AnyHostKeyAlgorithm: the same as Any.

  • AnyStdHostKeyAlgorithm: the same as AnyStd.
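
The following check is an added example, not code from the product or its documentation. It expands the special values described above into the effective, ordered algorithm list and reports entries that fall outside an approved list. It assumes `Keyword value` lines with `#` comments and a case-insensitive keyword; the function names and the `sha2-placeholder@example.invalid` algorithm name are hypothetical.

```python
import re

# Expansion of AnyStd exactly as the page lists it.
ANY_STD = ["x509v3-sign-dss", "x509v3-sign-rsa", "ssh-dss", "ssh-rsa"]
# The page defines these two long names as synonyms.
ALIASES = {"anyhostkeyalgorithm": "any", "anystdhostkeyalgorithm": "anystd"}

def parse_host_key_algorithms(config_text):
    """Return the ordered value list of HostKeyAlgorithms, or None if unset."""
    values = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # assumption: '#' starts a comment
        m = re.match(r"HostKeyAlgorithms\s+(\S.*)$", line, re.IGNORECASE)
        if m:                                    # assumption: if repeated, last line is used
            values = [v.strip() for v in m.group(1).split(",") if v.strip()]
    return values

def audit(config_text, approved):
    """Expand special values; return (effective order, findings)."""
    configured = parse_host_key_algorithms(config_text)
    if configured is None:
        return None, ["HostKeyAlgorithms not set: the server defaults apply"]
    effective, findings = [], []
    for name in configured:
        key = ALIASES.get(name.lower(), name.lower())
        if key == "any":
            findings.append(f"{name}: allows every algorithm, so no restriction is in force")
            continue
        for alg in (ANY_STD if key == "anystd" else [name]):
            if alg in effective:
                continue                         # keep the first position only
            effective.append(alg)
            if alg not in approved:
                findings.append(f"{alg}: not on the approved list (from '{name}')")
    return effective, findings

def common_with_client(effective, client_algorithms):
    """Shared algorithms in configured order; empty means no common algorithm."""
    return [a for a in effective if a in client_algorithms]

# Constructed sample; the '@example.invalid' name is a placeholder, not a real algorithm.
SAMPLE = """\
# sshd2_config excerpt (constructed)
Port 22
HostKeyAlgorithms sha2-placeholder@example.invalid,AnyStd
"""
APPROVED = {"sha2-placeholder@example.invalid"}

if __name__ == "__main__":
    order, issues = audit(SAMPLE, APPROVED)
    print("effective order:", order)
    for issue in issues:
        print("finding:", issue)
```

In the sample, `AnyStd` silently adds four algorithms after the approved one, which is why the check reports on the expanded list rather than on the literal configuration line.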

The default host key signature algorithms are:




