The ssh client cipher command configures an encryption algorithm list for an SSH client.
The undo ssh client cipher command restores the default configuration.
By default, all encryption algorithms except des_cbc are in the encryption algorithm list configured for an SSH client.
ssh client cipher { 3des_cbc | aes128_cbc | aes128_ctr | aes256_cbc | aes256_ctr | des_cbc } *
undo ssh client cipher
| Parameter | Description | Value |
|---|---|---|
| 3des_cbc | Adds the 3DES-CBC encryption algorithm to an encryption algorithm list. | - |
| aes128_cbc | Adds the AES128-CBC encryption algorithm to an encryption algorithm list. | - |
| aes128_ctr | Adds the AES128-CTR encryption algorithm to an encryption algorithm list. | - |
| aes256_cbc | Adds the AES256-CBC encryption algorithm to an encryption algorithm list. | - |
| aes256_ctr | Adds the AES256-CTR encryption algorithm to an encryption algorithm list. | - |
| des_cbc | Adds the DES-CBC encryption algorithm to an encryption algorithm list. | - |
Usage Scenario
An SSH server and a client need to negotiate an encryption algorithm for the packets exchanged between them. You can run the ssh client cipher command to configure an encryption algorithm list for an SSH client. After the list is configured, the client sends a packet carrying it to the server. Upon receipt of the packet, the server matches the list against the local list and selects the first encryption algorithm that matches the local list. If no encryption algorithms in the list of the client match the local list, the negotiation fails.
Precautions
aes256_ctr provides the highest security, followed by aes128_ctr, aes256_cbc, aes128_cbc, 3des_cbc, and des_cbc in order.
Do not add aes256_cbc, aes128_cbc, des_cbc or 3des_cbc to the list because they provide the lowest security among the supported encryption algorithms. aes128_ctr and aes256_ctr encryption algorithms have been added to the list in the factory configuration file.
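
The negotiation described under Usage Scenario and the ranking under Precautions can be checked offline with the following added Python example, which is not vendor code. It assumes the list order follows the order in which keywords are typed and that "first match" is taken in client-list order, as in RFC 4253; the sample configurations and server lists are constructed.

```python
# Added illustration, not vendor code. Keywords are the ones listed on this page.
# Strongest first, as ranked under Precautions.
STRENGTH_ORDER = ["aes256_ctr", "aes128_ctr", "aes256_cbc",
                  "aes128_cbc", "3des_cbc", "des_cbc"]
# Keywords the Precautions section says not to add.
DISCOURAGED = {"aes256_cbc", "aes128_cbc", "3des_cbc", "des_cbc"}
# Default per the page: everything except des_cbc (ordering here is an assumption).
DEFAULT_LIST = [c for c in STRENGTH_ORDER if c != "des_cbc"]


def parse_client_ciphers(config_text):
    """Return the effective client list; assumes list order follows the typed order."""
    ciphers = list(DEFAULT_LIST)
    for raw in config_text.splitlines():
        words = raw.split()
        if words[:4] == ["undo", "ssh", "client", "cipher"]:
            ciphers = list(DEFAULT_LIST)
        elif words[:3] == ["ssh", "client", "cipher"]:
            chosen = words[3:]
            if not chosen or any(w not in STRENGTH_ORDER for w in chosen):
                raise ValueError(f"invalid cipher line: {raw!r}")
            ciphers = list(dict.fromkeys(chosen))  # drop repeats, keep order
    return ciphers


def negotiate(client_list, server_list):
    """First client entry the server also supports; None means negotiation fails."""
    server = set(server_list)
    return next((c for c in client_list if c in server), None)


def audit(config_text, server_list):
    """Summarise the client list, its discouraged entries and the outcome."""
    client = parse_client_ciphers(config_text)
    return {"client_list": client,
            "discouraged": [c for c in client if c in DISCOURAGED],
            "negotiated": negotiate(client, server_list)}


# Constructed sample inputs (not taken from any real device).
WEAK_CONFIG = "ssh client cipher 3des_cbc aes128_cbc aes256_ctr"
HARDENED_CONFIG = "ssh client cipher aes128_ctr aes256_ctr"
MODERN_SERVER = ["aes256_ctr", "aes128_ctr", "aes128_cbc"]
CBC_ONLY_SERVER = ["3des_cbc", "aes128_cbc"]

if __name__ == "__main__":
    for cfg in (WEAK_CONFIG, HARDENED_CONFIG):
        for srv in (MODERN_SERVER, CBC_ONLY_SERVER):
            print(cfg, "->", srv, audit(cfg, srv))
```

With the weak sample list, a CBC algorithm is selected even though both sides support aes256_ctr, because the weaker entry appears earlier in the client list. The CTR-only list fails negotiation against the CBC-only peer instead of downgrading.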