SRĀ OS supports cipher client and server lists. The user can add or remove the needed SSH cipher client/server algorithms to be negotiated. The list is an index list with the lower index having higher preference in the SSH negotiation. The lowest index algorithm in the list will be negotiated first in SSH and will be on top of the negotiation list to the peer.
There is separate cipher list for SSHv1 and SSHv2 for both client and server.
The default client cipher list for SSHv1 includes all supported algorithms with the following preference:
cipher 200 name 3des
cipher 205 name blowfish
cipher 210 name des
The default Server cipher list for SSHv1 includes algorithms in the following preference order:
cipher 200 name 3des
cipher 205 name blowfish
The default server and client lists for SSHv2 include all supported algorithms with the following preference:
cipher 190 name aes256-ctr
cipher 192 name aes192-ctr
cipher 194 name aes128-ctr
cipher 200 name aes128-cbc
cipher 205 name 3des-cbc
cipher 210 name blowfish-cbc
cipher 215 name cast128-cbc
cipher 220 name arcfour
cipher 225 name aes192-cbc
cipher 230 name aes256-cbc
cipher 235 name rijndael-cbc
The CLI used to configure client/server cipher list is as follows:
configure system security ssh server-cipher-list
server-cipher-list protocol-version <version>
<version> : [1..2]
configure system security ssh server-cipher-list protocol-version 2 ciper
no cipher <index>
cipher <index> name <cipher-name>
<index> : [1..255]
<cipher-name> : aes128-ctr | aes192-ctr | aes256-ctr | 3des-cbc| blowfish-cbc|
cast128-cbc | arcfour | aes128-cbc | aes192-cbc | aes256-cbc | rijndael-cbc