Skip to content

Latest commit

 

History

History
150 lines (120 loc) · 10.9 KB

standards.md

File metadata and controls

150 lines (120 loc) · 10.9 KB

Supported standards

Reference implementation documentation

OpenSSH

Note: some implementations may be limited to client-side - i.e., we provide a capability for the client to detect if the server supports the extension and then use it, but our server does not publish it as being supported.

Section Extension Client Server
4.3 [email protected] Yes Yes
4.4 [email protected] Yes Yes
4.4 [email protected] Yes Yes
4.5 [email protected] Yes Yes
4.6 [email protected] Yes Yes
4.7 [email protected] Yes Yes
4.8 [email protected] Yes Yes
4.10 copy-data Yes Yes

SFTP version 3-6 + extensions

Miscellaneous

Implemented/available support

Authentication methods

Ciphers

Digests

  • md5, sha1, sha224, sha256, sha384, sha512

Macs

Key exchange

  • diffie-hellman-group1-sha1, diffie-hellman-group-exchange-sha256, diffie-hellman-group14-sha1, diffie-hellman-group14-sha256 , diffie-hellman-group15-sha512, diffie-hellman-group16-sha512, diffie-hellman-group17-sha512, diffie-hellman-group18-sha512 , ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, curve25519-sha256, [email protected], curve448-sha512

  • If Bouncy Castle is present, the following post-quantum cryptography (PQC) hybrid key exchanges are also supported: sntrup761x25519-sha512, [email protected], mlkem768x25519-sha256, mlkem768nistp256-sha256, and mlkem1024nistp384-sha384.

Compressions

Signatures/Keys

Note: The above list contains all the supported security settings in the code. However, in accordance with the latest recommendations the default client/server setup includes only the security settings that are currently considered safe to use. Users who wish to include the unsafe settings must do so explicitly. The following settings have been deprecated and are no longer included in the default setup:

Caveat:: According to RFC 8332 - section 3.31

Implementation experience has shown that there are servers that apply authentication penalties to clients attempting public key algorithms that the SSH server does not support.

When authenticating with an RSA key against a server that does not implement the "server-sig-algs" extension, clients MAY default to an "ssh-rsa" signature to avoid authentication penalties. When the new rsa-sha2-* algorithms have been sufficiently widely adopted to warrant disabling "ssh-rsa", clients MAY default to one of the new algorithms.

This means that users that encounter this (and related) problems must modify the supported security settings explicitly in order to avoid the issue.

Special notice: ssh-rsa was left in as part of the default setup since there are still a lot of systems / users using it. However, in future version it will be removed from the default. We therefore strongly encourage users to migrate to other keys (e.g. ECDSA, ED25519) as soon as possible.