What ciphers are supported by the PAM SSH applet

Document ID : KB000107594
Last Modified Date : 23/07/2018
Question:
What SSH ciphers does the PAM SSH access method support?
Answer:
After taking a trace between PAM 3.2 and the SSH target, the following information can be seen in PAM's response to the Key Exchange Init packet sent by the SSH target server:
kex_algorithms string: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
server_host_key_algorithms string: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-dss,ssh-rsa
encryption_algorithms_client_to_server string: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,blowfish-ctr,blowfish-cbc,aes192-cbc,aes256-cbc,3des-ctr,3des-cbc,arcfour,rijndael-cbc@lysator.liu.se
encryption_algorithms_server_to_client string: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,blowfish-ctr,blowfish-cbc,aes192-cbc,aes256-cbc,3des-ctr,3des-cbc,arcfour,rijndael-cbc@lysator.liu.se
mac_algorithms_client_to_server string: hmac-sha2-256,hmac-sha2-512,hmac-sha256-2@ssh.com,hmac-sha256@ssh.com,hmac-sha512@ssh.com,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
mac_algorithms_server_to_client string: hmac-sha2-256,hmac-sha2-512,hmac-sha256-2@ssh.com,hmac-sha256@ssh.com,hmac-sha512@ssh.com,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96

These are the ciphers supported by PAM 3.2. Older versions of PAM, specifically those older than 3.x, will show different information. Pay attention to these lists, because removing a cipher from the target server may make it impossible for PAM to connect to that server. In addition, some ciphers that work with TLS 1.0 and TLS 1.1 will not work with TLS 1.2. You can configure PAM to disable the use of TLS 1.0 and TLS 1.1, which will be necessary if the server does not have TLS 1.0 and TLS 1.1 enabled.
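
Before removing algorithms from a target server, the overlap with the PAM 3.2 lists above can be checked offline. The script below is an added example, not CA/PAM code: it treats PAM as the SSH client and applies the RFC 4253 rule (first name on the client's list that the server also offers) to each category independently. The sshd_config content is a constructed sample, and the parser assumes explicit algorithm lists without OpenSSH's `+`/`-`/`^` prefixes.

```python
# PAM 3.2 offer, copied from the trace above (both directions are identical).
PAM_OFFER = {
    "kexalgorithms": "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,"
                     "diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,"
                     "diffie-hellman-group14-sha1,diffie-hellman-group1-sha1",
    "hostkeyalgorithms": "ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-dss,ssh-rsa",
    "ciphers": "aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,blowfish-ctr,"
               "blowfish-cbc,aes192-cbc,aes256-cbc,3des-ctr,3des-cbc,arcfour,rijndael-cbc@lysator.liu.se",
    "macs": "hmac-sha2-256,hmac-sha2-512,hmac-sha256-2@ssh.com,hmac-sha256@ssh.com,"
            "hmac-sha512@ssh.com,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96",
}

# Constructed sample: a hardened target-server sshd_config (not from the article).
SAMPLE_SSHD_CONFIG = """\
KexAlgorithms curve25519-sha256,ecdh-sha2-nistp256
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256
"""

def parse_server_lists(text):
    """Collect explicit algorithm lists; keywords are case-insensitive, first value wins."""
    lists = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].replace("=", " ").split(None, 1)
        if len(parts) == 2 and parts[0].lower() in PAM_OFFER:
            lists.setdefault(parts[0].lower(), parts[1].replace(" ", "").split(","))
    return lists

def negotiate(client, server):
    """RFC 4253 section 7.1 rule: first name on the client's list the server also has."""
    return next((alg for alg in client if alg in server), None)

def check_pam_compat(config_text):
    """Map each configured category to the algorithm PAM would get, or None if no overlap."""
    server = parse_server_lists(config_text)
    return {key: negotiate(offer.split(","), server[key])
            for key, offer in PAM_OFFER.items() if key in server}

if __name__ == "__main__":
    for key, alg in check_pam_compat(SAMPLE_SSHD_CONFIG).items():
        print(f"{key:18} {alg or 'NO OVERLAP: PAM cannot connect'}")
```

With the constructed sample, the host key category has no overlap, so PAM 3.2 could not connect to that server. Categories that the config leaves unset are skipped; the effective lists printed by `sshd -T` on the target can be fed to `check_pam_compat` to cover the server's defaults as well.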