Configuring Public Key Signature Algorithms

The public key signature algorithms to be used in client authentication can be selected in the sshd2_config file using the AuthPublicKey.Algorithms keyword. The keyword defines the public key signature algorithms that the server will propose and accept to authenticate the user. Using the keyword, it is possible to enable only certain hash functions, such as SHA-2. The sender signs a hash of the message using a signature algorithm, and the receiver verifies the signature using the same algorithm. Multiple public key algorithms can be specified as a comma-separated list.

AuthPublicKey.Algorithms             ssh-dss-sha224@ssh.com

The client defines the order of public key signature algorithms. The client should have at least one algorithm in common with the server configuration. The supported signature algorithms are the following:

ssh-dss                           ssh-rsa-sha384@ssh.com
ssh-dss-sha224@ssh.com            ssh-rsa-sha512@ssh.com
ssh-dss-sha256@ssh.com            x509v3-sign-rsa
ssh-dss-sha384@ssh.com            x509v3-sign-rsa-sha224@ssh.com
ssh-dss-sha512@ssh.com            x509v3-sign-rsa-sha256@ssh.com
x509v3-sign-dss                   x509v3-sign-rsa-sha384@ssh.com
x509v3-sign-dss-sha224@ssh.com    x509v3-sign-rsa-sha512@ssh.com
x509v3-sign-dss-sha256@ssh.com    ecdsa-sha2-nistp256
x509v3-sign-dss-sha384@ssh.com    ecdsa-sha2-nistp384
x509v3-sign-dss-sha512@ssh.com    ecdsa-sha2-nistp521
ssh-rsa                           x509v3-ecdsa-sha2-nistp256
ssh-rsa-sha224@ssh.com            x509v3-ecdsa-sha2-nistp384
ssh-rsa-sha256@ssh.com            x509v3-ecdsa-sha2-nistp521

Special values for this option are the following:

  • Any: includes all supported signature algorithms.

  • AnyStd: includes the following signature algorithms from the IETF SSH standards: ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384, x509v3-ecdsa-sha2-nistp521, x509v3-sign-dss, x509v3-sign-rsa, ssh-dss, and ssh-rsa.

  • AnyPublicKeyAlgorithm: the same as Any.

  • AnyStdPublicKeyAlgorithm: the same as AnyStd.

The default public key signature algorithms are:

ecdsa-sha2-nistp256           ssh-rsa-sha256@ssh.com
ecdsa-sha2-nistp384           ssh-dss
ecdsa-sha2-nistp521           ssh-dss-sha256@ssh.com
x509v3-ecdsa-sha2-nistp256    x509v3-sign-dss
x509v3-ecdsa-sha2-nistp384    x509v3-sign-dss-sha256@ssh.com
x509v3-ecdsa-sha2-nistp521    x509v3-sign-rsa
ssh-rsa                       x509v3-sign-rsa-sha256@ssh.com
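
The following audit script is an added example, not part of the product or its documentation. It resolves the AuthPublicKey.Algorithms value in an sshd2_config text using the supported, special-value and default lists on this page, then reports unsupported names and names that carry no SHA-2 hash. Assumptions: `#` starts a comment, keyword and special values match case-insensitively, and the last occurrence of the keyword wins; the function name `audit` and the sample text are constructed for illustration.

```python
import re

# Names copied from this page's supported list (26 in total).
HASHES = ("", "-sha224@ssh.com", "-sha256@ssh.com", "-sha384@ssh.com", "-sha512@ssh.com")
ECDSA = [f"{p}ecdsa-sha2-nistp{n}" for p in ("", "x509v3-") for n in (256, 384, 521)]
SUPPORTED = ECDSA + [f"{p}{k}{h}" for p in ("ssh-", "x509v3-sign-")
                     for k in ("dss", "rsa") for h in HASHES]
# Special values and defaults, as listed on this page.
ANY_STD = ECDSA + ["x509v3-sign-dss", "x509v3-sign-rsa", "ssh-dss", "ssh-rsa"]
DEFAULT = ECDSA + [f"{p}{k}{h}" for p in ("ssh-", "x509v3-sign-")
                   for k in ("rsa", "dss") for h in ("", "-sha256@ssh.com")]
SPECIAL = {"any": SUPPORTED, "anypublickeyalgorithm": SUPPORTED,
           "anystd": ANY_STD, "anystdpublickeyalgorithm": ANY_STD}

def audit(config_text):
    """Return (effective, unknown, non_sha2) for AuthPublicKey.Algorithms."""
    value = None
    for line in config_text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)  # assumption: '#' starts a comment
        if len(parts) == 2 and parts[0].lower() == "authpublickey.algorithms":
            value = parts[1]  # assumption: the last occurrence wins
    effective, unknown = [], []
    if value is None:
        effective = list(DEFAULT)  # keyword absent: the page's defaults apply
    else:
        for token in (t.strip() for t in value.split(",") if t.strip()):
            names = SPECIAL.get(token.lower(), [token] if token in SUPPORTED else None)
            if names is None:
                unknown.append(token)  # not in the supported list (typo or unsupported)
                continue
            effective += [n for n in names if n not in effective]
    # Names carrying no SHA-2 hash; ssh-rsa and ssh-dss sign with SHA-1 (RFC 4253).
    non_sha2 = [n for n in effective if not re.search(r"sha(2|384|512)", n)]
    return effective, unknown, non_sha2

# Constructed sample: one SHA-2 RSA entry, one ECDSA entry, plain ssh-rsa, and a typo.
SAMPLE = """\
# constructed sshd2_config fragment
AuthPublicKey.Algorithms   ssh-rsa-sha256@ssh.com,ecdsa-sha2-nistp256,ssh-rsa,ssh-rsa-sha265@ssh.com
"""

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE), ("keyword absent", ""), ("AnyStd", "AuthPublicKey.Algorithms AnyStd")):
        effective, unknown, non_sha2 = audit(text)
        print(f"{label}: {len(effective)} enabled, unknown={unknown}, no SHA-2={non_sha2}")
```

Running it against a configuration with the keyword absent shows that the defaults on this page still include ssh-rsa, ssh-dss, x509v3-sign-rsa and x509v3-sign-dss, so restricting authentication to SHA-2 requires setting the keyword explicitly.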


 

 