SSH

Configuring Host Key Signature Algorithms

The host key signature algorithms used in server authentication and host-based authentication are selected in the sshd2_config file with the HostKeyAlgorithms keyword. The keyword defines the host key signature algorithms that the server proposes and accepts for authenticating the host. Each algorithm name fixes both the key type and the hash function: the signer hashes the message with that hash function and signs the digest, and the receiver verifies the signature with the same algorithm. The keyword can therefore be used to allow only algorithms built on a particular hash function, for example SHA-2 (the ecdsa-sha2-* algorithms and the @ssh.com names that carry a SHA-2 digest in their name), while leaving out ssh-dss and ssh-rsa, which RFC 4253 defines with SHA-1. Multiple host key algorithms can be specified as a comma-separated list, for example:

HostKeyAlgorithms             ssh-dss-sha224@ssh.com

The algorithms are tried in the order they are listed on the line. The client must have at least one algorithm in common with the server configuration; if there is no common host key algorithm, the key exchange fails and the connection cannot be established. The supported signature algorithms are the following:

ssh-dss
ssh-dss-sha224@ssh.com
ssh-dss-sha256@ssh.com
ssh-dss-sha384@ssh.com
ssh-dss-sha512@ssh.com
x509v3-sign-dss
x509v3-sign-dss-sha224@ssh.com
x509v3-sign-dss-sha256@ssh.com
x509v3-sign-dss-sha384@ssh.com
x509v3-sign-dss-sha512@ssh.com
ssh-rsa
ssh-rsa-sha224@ssh.com
ssh-rsa-sha256@ssh.com
ssh-rsa-sha384@ssh.com
ssh-rsa-sha512@ssh.com
x509v3-sign-rsa
x509v3-sign-rsa-sha224@ssh.com
x509v3-sign-rsa-sha256@ssh.com
x509v3-sign-rsa-sha384@ssh.com
x509v3-sign-rsa-sha512@ssh.com
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
x509v3-ecdsa-sha2-nistp256
x509v3-ecdsa-sha2-nistp384
x509v3-ecdsa-sha2-nistp521

Special values for this option are the following:

  • Any: includes all supported host key signature algorithms.

  • AnyStd: includes the following signature algorithms from the IETF SSH standards: x509v3-sign-dss, x509v3-sign-rsa, ssh-dss, ssh-rsa, x509v3-ecdsa-sha2-nistp521, x509v3-ecdsa-sha2-nistp384, x509v3-ecdsa-sha2-nistp256, ecdsa-sha2-nistp521, ecdsa-sha2-nistp384, and ecdsa-sha2-nistp256.

  • AnyHostKeyAlgorithm: the same as Any.

  • AnyStdHostKeyAlgorithm: the same as AnyStd.

The default host key signature algorithms, used when the keyword is not set in sshd2_config, are (in order of preference):

ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
x509v3-ecdsa-sha2-nistp256
x509v3-ecdsa-sha2-nistp384
x509v3-ecdsa-sha2-nistp521
ssh-rsa
ssh-rsa-sha256@ssh.com
ssh-dss
ssh-dss-sha256@ssh.com
x509v3-sign-dss
x509v3-sign-dss-sha256@ssh.com
x509v3-sign-rsa
x509v3-sign-rsa-sha256@ssh.com
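The following is an added example, not part of the Tectia documentation or product code. It takes the keyword description, the special values and the default list above and turns them into a small checker: it expands a HostKeyAlgorithms value (including Any and AnyStd), reports which listed algorithms still sign with SHA-1, and shows which algorithm a client and server actually settle on. The function names, the HARDENED_LINE sample value and the classification of the unsuffixed x509v3-sign-* names as SHA-1 are assumptions made for the demo; the negotiation rule is the one from RFC 4253 section 7.1, under which the client's preference order, not the server's, decides the outcome.

```python
"""Checker for a Tectia sshd2_config HostKeyAlgorithms value.

Added example, not Tectia's own code. The algorithm table, the special
values and the default list are copied from the documentation above;
the negotiation rule is the one from RFC 4253 section 7.1.
"""

# Every host key signature algorithm the documentation lists as supported.
SUPPORTED = [
    "ssh-dss", "ssh-dss-sha224@ssh.com", "ssh-dss-sha256@ssh.com",
    "ssh-dss-sha384@ssh.com", "ssh-dss-sha512@ssh.com",
    "x509v3-sign-dss", "x509v3-sign-dss-sha224@ssh.com",
    "x509v3-sign-dss-sha256@ssh.com", "x509v3-sign-dss-sha384@ssh.com",
    "x509v3-sign-dss-sha512@ssh.com",
    "ssh-rsa", "ssh-rsa-sha224@ssh.com", "ssh-rsa-sha256@ssh.com",
    "ssh-rsa-sha384@ssh.com", "ssh-rsa-sha512@ssh.com",
    "x509v3-sign-rsa", "x509v3-sign-rsa-sha224@ssh.com",
    "x509v3-sign-rsa-sha256@ssh.com", "x509v3-sign-rsa-sha384@ssh.com",
    "x509v3-sign-rsa-sha512@ssh.com",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "x509v3-ecdsa-sha2-nistp256", "x509v3-ecdsa-sha2-nistp384",
    "x509v3-ecdsa-sha2-nistp521",
]

# Expansion of the AnyStd special value, in the order the documentation gives.
ANY_STD = [
    "x509v3-sign-dss", "x509v3-sign-rsa", "ssh-dss", "ssh-rsa",
    "x509v3-ecdsa-sha2-nistp521", "x509v3-ecdsa-sha2-nistp384",
    "x509v3-ecdsa-sha2-nistp256", "ecdsa-sha2-nistp521",
    "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp256",
]

# Value in effect when the keyword is absent from sshd2_config.
DEFAULT = [
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "x509v3-ecdsa-sha2-nistp256", "x509v3-ecdsa-sha2-nistp384",
    "x509v3-ecdsa-sha2-nistp521",
    "ssh-rsa", "ssh-rsa-sha256@ssh.com", "ssh-dss", "ssh-dss-sha256@ssh.com",
    "x509v3-sign-dss", "x509v3-sign-dss-sha256@ssh.com",
    "x509v3-sign-rsa", "x509v3-sign-rsa-sha256@ssh.com",
]

SPECIAL = {
    "Any": SUPPORTED, "AnyHostKeyAlgorithm": SUPPORTED,
    "AnyStd": ANY_STD, "AnyStdHostKeyAlgorithm": ANY_STD,
}


def parse_host_key_algorithms(value):
    """Expand a HostKeyAlgorithms value into an ordered list of names.

    Special values expand in place, duplicates keep their first position,
    and an unknown name raises ValueError so a config lint fails loudly
    instead of passing a typo through.
    """
    result = []
    for item in value.split(","):
        name = item.strip()
        if not name:
            continue
        for alg in SPECIAL.get(name, [name]):
            if alg not in SUPPORTED:
                raise ValueError("unsupported host key algorithm: %s" % alg)
            if alg not in result:
                result.append(alg)
    return result


def hash_function(alg):
    """Return the hash function an algorithm name commits to.

    ecdsa-sha2-nistpNNN pairs each curve with SHA-256/384/512 (RFC 5656);
    the @ssh.com names carry their SHA-2 digest in the name; ssh-dss and
    ssh-rsa are defined with SHA-1 in RFC 4253. The unsuffixed x509v3-sign-*
    names are treated as SHA-1 here too (assumption: their SHA-2 variants
    exist only under the @ssh.com suffix).
    """
    curve_hash = {"nistp256": "sha256", "nistp384": "sha384", "nistp521": "sha512"}
    for curve, digest in curve_hash.items():
        if alg.endswith(curve):
            return digest
    for digest in ("sha224", "sha256", "sha384", "sha512"):
        if "-%s@ssh.com" % digest in alg:
            return digest
    return "sha1"


def sha1_algorithms(value):
    """Names in a HostKeyAlgorithms value that still sign with SHA-1."""
    return [a for a in parse_host_key_algorithms(value) if hash_function(a) == "sha1"]


def negotiate(client_value, server_value):
    """Host key algorithm the key exchange settles on, or None.

    RFC 4253 section 7.1: the first algorithm on the client's list that the
    server also supports is chosen; with no common algorithm the connection fails.
    """
    server = set(parse_host_key_algorithms(server_value))
    for alg in parse_host_key_algorithms(client_value):
        if alg in server:
            return alg
    return None


# Constructed sample values: the default (as if the keyword were absent) and a
# hardened value that keeps only SHA-2 algorithms. Both are assumptions for the demo.
DEFAULT_LINE = ",".join(DEFAULT)
HARDENED_LINE = ("ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,"
                 "ssh-rsa-sha256@ssh.com,ssh-rsa-sha512@ssh.com")

if __name__ == "__main__":
    print("SHA-1 in default:", sha1_algorithms(DEFAULT_LINE))
    print("SHA-1 in hardened:", sha1_algorithms(HARDENED_LINE))
    # An old client offering only ssh-rsa gets nothing from the hardened server.
    print("ssh-rsa client vs hardened:", negotiate("ssh-rsa", HARDENED_LINE))
    # The client's order wins: AnyStd lists nistp521 before nistp256.
    print("AnyStd client vs hardened:", negotiate("AnyStd", HARDENED_LINE))
```

Two things worth noting from running it: the default value still contains four SHA-1 algorithms (ssh-rsa, ssh-dss, x509v3-sign-dss, x509v3-sign-rsa), so a server that wants SHA-2 only has to set the keyword explicitly; and the order on the server's line is only a fallback for tie-breaking as the server sees it, because the negotiated algorithm is the client's first preference that the server accepts (a client sending AnyStd against the hardened line ends up on ecdsa-sha2-nistp521, not the server's first choice nistp256).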