Use this command to list the allowed encryption ciphers in order of precedence from high to low.
aes128‐ctr | Specifies the AES in Counter mode, with 128‐bit key cipher as a member of the allowed encryption ciphers list. |
aes192‐ctr | Specifies the AES in Counter mode, with 192‐bit key cipher as a member of the allowed encryption ciphers list. |
aes256‐ctr | Specifies the AES in Counter mode, with 256‐bit cipher as a member of the allowed encryption ciphers list. |
aes128-cbc | Specifies the AES in CBC mode, with 128-bit key cipher as a member of the allowed encryption ciphers list. |
aes192-cbc | Specifies the AES in CBC mode, with 192-bit key cipher as a member of the allowed encryption ciphers list. |
aes256-cbc | Specifies the AES in CBC mode, with 256-bit key cipher as a member of the allowed encryption ciphers list. |
3des-cbc | Specifies the Three-key 3DES in CBC mode cipher as a member of the allowed encryption ciphers list. |
blowfish-cbc | Specifies the Blowfish in CBC mode cipher as a member of the allowed encryption ciphers list. Not supported in FIPS mode. |
cast128-cbc | Specifies the CAST-128 in CBC mode cipher as a member of the allowed encryption ciphers list. Not supported in FIPS mode. |
rijndael-cbc@lysator. liu.se | Specifies the alias for the aes256-cbc cipher as a member of the allowed encryption ciphers list. |
None.
All command modes.
During the handshake between an SSH client and an SSH server, each side sends a proposal of cryptographic Ciphers. This command sets the SSH ciphers applied to all new inbound (SSH server) and outbound (SSH client) SSH sessions. Existing sessions remain unchanged. Ciphers are entered in order of precedence from high to low. Applied SSH Ciphers default to all supported ciphers in the following order of precedence: aes128‐ctr, aes192‐ctr, aes256‐ctr, aes128-cbc, aes192-cbc, aes256-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, and rijndael-cbc@lysator. liu.se.
When in FIPS mode, only the following FIPS compliant Ciphers are allowed (listed in the default order of precedence from high to low): aes128‐ctr, aes192‐ctr, aes256‐ctr, aes128-cbc, aes192-cbc, aes256-cbc, and 3des-cbc. If non-FIPS Ciphers are configured when booting in FIPS mode, SSH uses the default Cipher list.
This example shows how to limit allowed SSH Ciphers in order of precedence from high to low to aes256-cbc and 3des-cbc:
System(rw)->set ssh ciphers aes256-cbc 3des-cbc System(rw)->