Setting SSH Ciphers

Select from the list of available ciphers to configure the subset that your appliance and its SSH clients can negotiate for session encryption. This ability was added in Luna Appliance Software 7.8.3.

The command sysconf ssh ciphers show displays the list of available ciphers and the list of currently configured ciphers (see below).

Modify the configured list

>with sysconf ssh ciphers set, which takes a list of ciphers and either replaces the configured list with it or adds it to, or removes it from, the configured list, or

>with sysconf ssh ciphers reset, which sets the configured list back to just the default ciphers (see below).

Available Ciphers

Using Luna Appliance Software 7.8.3 or newer, the following SSH ciphers are available:

>3des-cbc

>blowfish-cbc

>cast128-cbc

>arcfour

>arcfour128

>arcfour256

>aes128-cbc

>aes192-cbc

>aes256-cbc

>rijndael-cbc@lysator.liu.se

>aes128-ctr

>aes192-ctr

>aes256-ctr

>aes128-gcm@openssh.com

>aes256-gcm@openssh.com

>chacha20-poly1305@openssh.com

This list is an example and is likely to change over time, as ciphers age out of acceptability when their relative security is overtaken by newer technology and by discovered threats. You can pick from the available-ciphers list to populate the configured-ciphers list that the appliance negotiates with a connecting system. Several of the available names (the -cbc modes and the arcfour, that is RC4, variants) remain only for compatibility with old clients; prefer the -ctr, -gcm and chacha20-poly1305 entries, and enable a legacy cipher only for as long as a client that needs it is being migrated.

Default configured ciphers, from that list, are:

>aes192-ctr

>aes256-ctr

Cipher names are case sensitive.


Available MAC Algorithms

Using Luna Appliance Software 7.8.3 or newer, the following MAC (message authentication code) algorithms can also be specified. A MAC does not encrypt SSH traffic; it authenticates each packet so that tampering in transit is detected. The -etm (encrypt-then-MAC) variants authenticate the ciphertext and are the preferred choice over the plain hmac-sha2-* variants; in OpenSSH's own naming they carry an @openssh.com suffix, which is how they appear in the nmap output later on this page.

NOTE   The MAC algorithms do not appear in the output for sysconf ssh ciphers show.

>hmac-sha2-256-etm

>hmac-sha2-512-etm

>hmac-sha2-256

>hmac-sha2-512

Configuring SSH Ciphers

At least one cipher must be configured: you cannot remove all configured ciphers and leave the configured list empty. You can remove the default configured ciphers with the sysconf ssh ciphers set command. Before you remove a cipher, confirm that every client and automation host that connects to the appliance supports at least one of the ciphers that will remain configured; SSH negotiation fails when the client and the appliance have no cipher in common, and you then lose remote access to the appliance shell.

>The sysconf ssh ciphers set command always takes a -list containing at least one member. If you issue the command with a -list that contains just one member, without the -add or the -remove option, you replace the entire configured ciphers list with a list containing only that one member.

>Attempting to use sysconf ssh ciphers set command with the -remove option, while specifying a -list that includes all currently configured ciphers yields "Error: Cannot remove all currently configured SSH ciphers."

>Cipher configuration using the -add option appends the cipher names that you supply with the -list option, to the bottom of the current configured ciphers list.

>Cipher configuration using the -remove option removes the cipher names that you supply with the -list option, from the current configured ciphers list.

>Cipher configuration without the -add or -remove options simply replaces the current configured list with the ciphers included in the command after -list, in the order that you specify them.

A reimage operation on the appliance wipes all cipher configuration and sets the configured list back to the default ciphers only. If reimage returns the appliance to a software version that did not include the sysconf ssh ciphers commands, then you cannot view or modify the configured ciphers from the appliance shell (you can still enumerate what the SSH server offers with nmap, as described later on this page). The assumption is that, if you are reimaging away from a version that has the sysconf ssh ciphers commands to one that does not, then either

>you are implicitly accepting the ciphers that were available/in-use at the time the reimage target appliance software was released, or

>you reimaged as a brief but necessary step on the way to updating your appliance to a desired version.

SSH cipher configuration survives appliance software update, and is unaffected by firmware changes (update, rollback).

The cipher names in the "available" list are the only valid ones to include in the -list for appending-to, replacing, or removing-from the configured list; no option is provided for inserting additional ciphers into the "available" list.

The colon ":" is the only character permitted as a separator in a -list of ciphers.

If you -add a cipher that is already present in the configured ciphers list, the command silently skips that cipher and continues with the next cipher in the -list.

Adding a cipher to the configured ciphers list

1. Check the current lists of SSH ciphers (available and configured).

sysconf ssh ciphers show

2. Add a cipher from the available list to the configured list.

sysconf ssh ciphers set -list <name of a cipher from the available list> -add

3. Verify that the configured list of SSH ciphers now includes the desired cipher.

sysconf ssh ciphers show

Removing a cipher from the configured ciphers list

1. Check the current lists of SSH ciphers (available and configured).

sysconf ssh ciphers show

2. Remove a cipher from the configured list.

sysconf ssh ciphers set -list <name of a cipher from the configured list> -remove

3. Verify that the configured list of SSH ciphers no longer includes the removed cipher.

sysconf ssh ciphers show

Resetting the configured ciphers list

1. Check the current lists of SSH ciphers (available and configured).

sysconf ssh ciphers show

2. Reset the configured cipher list.

sysconf ssh ciphers reset

3. Verify that the configured list of SSH ciphers now includes only the default ciphers.

sysconf ssh ciphers show
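The set and reset rules above, and the three procedures, modelled as an added Python example. This is not Luna code and the appliance's implementation is not public: run() applies one sysconf ssh ciphers invocation to a configured list and returns the new list together with the response text, negotiate() applies the SSH rule that selects the first cipher in the client's list that the server also offers, and weak_ciphers() flags CBC-mode and RC4 entries. The function names, the argv-style call convention, the show output layout and the weak-cipher heuristic are this example's own assumptions; the available list, the default list and the "Cannot remove all" error text are taken from this page.

```python
"""Added example (not Luna code): a model of the documented rules for
sysconf ssh ciphers show | set -list <c1:c2:...> [-add | -remove] | reset.

Assumptions not taken from the page: the function names, the argv-style call
convention, the 'show' output layout and the weak-cipher heuristic are this
example's own; the appliance's real implementation is not public.
"""
from typing import List, Optional, Tuple

# Available ciphers as listed on this page for Luna Appliance Software 7.8.3.
AVAILABLE: List[str] = [
    "3des-cbc", "blowfish-cbc", "cast128-cbc",
    "arcfour", "arcfour128", "arcfour256",
    "aes128-cbc", "aes192-cbc", "aes256-cbc", "rijndael-cbc@lysator.liu.se",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
    "chacha20-poly1305@openssh.com",
]
# Default configured list (from this page).
DEFAULT: List[str] = ["aes192-ctr", "aes256-ctr"]

# Error text documented on this page for a -remove that would empty the list.
ERR_REMOVE_ALL = "Error: Cannot remove all currently configured SSH ciphers."
USAGE = "Error: usage: sysconf ssh ciphers show | reset | set -list <c1:c2:...> [-add | -remove]"


def parse_list(arg: str) -> List[str]:
    """Validate a -list value: ':' is the only separator, names are case
    sensitive and must come from AVAILABLE. 'aes256-ctr,aes128-ctr' is
    therefore rejected as one unknown name rather than split on the comma."""
    names = arg.split(":")
    unknown = [n for n in names if n not in AVAILABLE]
    if unknown:
        raise ValueError(f"Error: unknown cipher(s) {unknown} (names are case sensitive)")
    return names


def run(configured: List[str], *argv: str) -> Tuple[List[str], str]:
    """Apply one 'sysconf ssh ciphers <argv...>' invocation to the configured
    list and return (new_configured, response). On error the response is the
    error text and the configured list is returned unchanged."""
    if not argv:
        return list(configured), USAGE
    sub, opts = argv[0], list(argv[1:])
    if sub == "show":
        return list(configured), ("Available ciphers: " + ":".join(AVAILABLE)
                                  + "\nConfigured ciphers: " + ":".join(configured))
    if sub == "reset":
        return list(DEFAULT), "Command Result : 0 (Success)"
    if sub != "set" or "-list" not in opts or opts.index("-list") + 1 >= len(opts):
        return list(configured), USAGE
    try:
        names = parse_list(opts[opts.index("-list") + 1])
    except ValueError as exc:
        return list(configured), str(exc)
    add, remove = "-add" in opts, "-remove" in opts
    if add and remove:
        return list(configured), "Error: -add and -remove are mutually exclusive"
    if add:
        new = list(configured)
        for name in names:          # append at the bottom, in the order given,
            if name not in new:     # silently skipping ciphers already configured
                new.append(name)
    elif remove:
        new = [c for c in configured if c not in names]
        if not new:                 # the configured list may never become empty
            return list(configured), ERR_REMOVE_ALL
    else:
        new = []
        for name in names:          # plain set replaces the whole list in the
            if name not in new:     # order given (duplicates collapsed: assumption)
                new.append(name)
    return new, "Command Result : 0 (Success)"


def negotiate(server: List[str], client: List[str]) -> Optional[str]:
    """SSH picks the first algorithm in the client's list that the server also
    offers (RFC 4253, section 7.1). None means no cipher is shared, so the
    session cannot be set up and the client is locked out of the shell."""
    return next((c for c in client if c in server), None)


# CBC modes and RC4 (arcfour) are legacy-only choices; flag them.
WEAK_MARKERS = ("-cbc", "arcfour")


def weak_ciphers(configured: List[str]) -> List[str]:
    """Return the configured ciphers that should be enabled only temporarily,
    for a legacy client that cannot use anything better."""
    return [c for c in configured if any(m in c for m in WEAK_MARKERS)]


if __name__ == "__main__":
    state = list(DEFAULT)
    session = [
        ("set", "-list", "aes256-gcm@openssh.com:chacha20-poly1305@openssh.com", "-add"),
        ("set", "-list", "aes192-ctr", "-remove"),
        ("set", "-list", "aes256-ctr:aes256-gcm@openssh.com:chacha20-poly1305@openssh.com", "-remove"),
        ("show",),
    ]
    for cmd in session:
        state, response = run(state, *cmd)
        print("sysconf ssh ciphers", " ".join(cmd))
        print(response)
    # A client restricted to CBC ciphers has nothing in common with this list:
    print("legacy CBC-only client negotiates:", negotiate(state, ["aes128-cbc", "3des-cbc"]))
```

Running the script walks through add, remove, the rejected emptying remove and show, then demonstrates the lockout case: a client that only offers CBC ciphers gets None from negotiate() against the hardened list, which is exactly the situation to rule out before removing ciphers from a production appliance.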

SSH cipher lists for Luna Network HSM 7 appliance software versions prior to 7.8.0

The list of ciphers that Luna HSMs use internally and for external communication changes over the years: new ciphers are added and older ones age out for security and other reasons. Appliance software 7.8.0 introduced the command sysconf ssh ciphers show.

In general, we recommend keeping your HSM and its appliance software up to date, because of advances in cyber threats and our ongoing security improvements, even if you do not need the newer features. If your situation does not permit that and you are keeping a Luna Network HSM 7 appliance at an earlier version, you can find the SSH algorithms it offers by running a widely available client tool such as nmap against port 22 on the appliance. This works on pre-7.8.0 appliances because an SSH server announces its supported algorithm lists to every client during key exchange, before any authentication takes place.

Below is an example for your reference.

How to enumerate the SSH algorithm lists offered by your network appliance if the ciphers show command is not available in your version

1. Run nmap against port 22 on the IP address of the Luna Network HSM of interest, with the options shown below: --script ssh2-enum-algos runs the Nmap NSE script that records the algorithm lists the server offers during key exchange, -sV adds service and version detection, and -p 22 limits the scan to the SSH port.

Windows example, for Luna Appliance Software 7.7.1 and earlier (the target appliance's shell banner is shown first to identify its version)

Luna Network HSM Command Line Shell v7.7.1-188. Copyright (c) 2021 SafeNet. All rights reserved.

C:\Users\someuser\Downloads\repo>nmap --script ssh2-enum-algos -sV -p 22 192.168.143.156
Starting Nmap 7.97 ( https://nmap.org ) at 2025-07-26 00:09 -0400
Nmap scan report for 192.168.143.156
Host is up (0.19s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6 (protocol 2.0)
| ssh2-enum-algos:
|   kex_algorithms: (9)
|       curve25519-sha256
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group16-sha512
|       diffie-hellman-group18-sha512
|       diffie-hellman-group14-sha256
|   server_host_key_algorithms: (5)
|       ssh-rsa
|       rsa-sha2-512
|       rsa-sha2-256
|       ecdsa-sha2-nistp256
|       ssh-ed25519
|   encryption_algorithms: (2)
|       aes192-ctr
|       aes256-ctr
|   mac_algorithms: (8)
|       umac-64-etm@openssh.com
|       umac-128-etm@openssh.com
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha2-512-etm@openssh.com
|       umac-64@openssh.com
|       umac-128@openssh.com
|       hmac-sha2-256
|       hmac-sha2-512
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.61 seconds

C:\Users\someuser\Downloads\repo>

Linux example, target running Luna Appliance Software 7.4.0 (the target appliance's shell banner is shown first to identify its version)

Luna Network HSM Command Line Shell v7.4.0-226. Copyright (c) 2018 SafeNet. All rights reserved.
 
[root@aa5215 ~]# nmap --script ssh2-enum-algos -sV -p 22 192.168.143.156
Starting Nmap 7.92 ( https://nmap.org ) at 2025-07-27 11:43 EDT
Nmap scan report for 192.168.143.156
Host is up (0.18s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6 (protocol 2.0)
| ssh2-enum-algos:
|   kex_algorithms: (10)
|       curve25519-sha256
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group16-sha512
|       diffie-hellman-group18-sha512
|       diffie-hellman-group14-sha256
|       diffie-hellman-group14-sha1
|   server_host_key_algorithms: (4)
|       ssh-rsa
|       rsa-sha2-512
|       rsa-sha2-256
|       ecdsa-sha2-nistp256
|   encryption_algorithms: (2)
|       aes192-ctr
|       aes256-ctr
|   mac_algorithms: (3)
|       hmac-sha1
|       hmac-sha2-256
|       hmac-sha2-512
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.52 seconds
[root@aa5215 ~]#
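The nmap procedure above produces a text report; the added Python example below (not Luna or Nmap code) parses the ssh2-enum-algos section of that report, checks each section's entry count against the count nmap declares so that a truncated capture is noticed, and flags the algorithms a hardening review would want removed. The sample output embedded in the script is constructed for this example, modelled on the 7.4.0 output shown above; the weak-algorithm markers (SHA-1 key exchange, ssh-rsa and ssh-dss host keys, CBC/RC4/3DES ciphers, SHA-1/MD5 MACs and 64-bit-tag UMAC) are this example's own selection, not a list from the page.

```python
"""Added example (not Luna or Nmap code): parse the ssh2-enum-algos section of
nmap output, verify the per-section counts, and flag legacy algorithms.

The sample output below is constructed for this example, modelled on the 7.4.0
appliance output on this page; the weak-algorithm markers are this example's own.
"""
import re
import sys
from typing import Dict, List

# Constructed sample, in the layout nmap's ssh2-enum-algos script prints.
SAMPLE = """\
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6 (protocol 2.0)
| ssh2-enum-algos:
|   kex_algorithms: (10)
|       curve25519-sha256
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group16-sha512
|       diffie-hellman-group18-sha512
|       diffie-hellman-group14-sha256
|       diffie-hellman-group14-sha1
|   server_host_key_algorithms: (4)
|       ssh-rsa
|       rsa-sha2-512
|       rsa-sha2-256
|       ecdsa-sha2-nistp256
|   encryption_algorithms: (2)
|       aes192-ctr
|       aes256-ctr
|   mac_algorithms: (3)
|       hmac-sha1
|       hmac-sha2-256
|       hmac-sha2-512
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com
"""

# "|   kex_algorithms: (10)" opens a section; "|       name" / "|_      name" is an entry.
SECTION_RE = re.compile(r"^\|[ _]\s*(\w+_algorithms):\s*\((\d+)\)\s*$")
ENTRY_RE = re.compile(r"^\|[ _]\s+(\S+)\s*$")

# Substrings that mark an offered algorithm as legacy (this example's own choice):
# SHA-1 key exchange, SHA-1 RSA signatures and DSA host keys, CBC/RC4/3DES
# ciphers, SHA-1/MD5 MACs and the 64-bit-tag UMAC.
WEAK_MARKERS = {
    "kex_algorithms": ("sha1",),
    "server_host_key_algorithms": ("ssh-rsa", "ssh-dss"),
    "encryption_algorithms": ("-cbc", "arcfour", "3des"),
    "mac_algorithms": ("hmac-sha1", "hmac-md5", "umac-64"),
}


def parse_ssh2_enum_algos(text: str) -> Dict[str, List[str]]:
    """Return {section: [algorithm, ...]} in the server's preference order.
    Raises ValueError when a section's entries do not match its declared
    count, which catches truncated or mangled captures."""
    algos: Dict[str, List[str]] = {}
    declared: Dict[str, int] = {}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            algos[current] = []
            declared[current] = int(m.group(2))
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            algos[current].append(m.group(1))
    for section, count in declared.items():
        if len(algos[section]) != count:
            raise ValueError(f"{section}: declared {count}, parsed {len(algos[section])}")
    return algos


def weak_algorithms(algos: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Map each section to the offered algorithms that match a weak marker."""
    findings: Dict[str, List[str]] = {}
    for section, markers in WEAK_MARKERS.items():
        hits = [a for a in algos.get(section, []) if any(mk in a for mk in markers)]
        if hits:
            findings[section] = hits
    return findings


if __name__ == "__main__":
    # Usage: nmap --script ssh2-enum-algos -sV -p 22 <appliance-ip> | python3 check_ssh_algos.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    found = weak_algorithms(parse_ssh2_enum_algos(text))
    for section, hits in found.items():
        print(f"{section}: {', '.join(hits)}")
    sys.exit(1 if found else 0)
```

Piped the output of the nmap command from step 1, the script exits non-zero when anything legacy is offered, which makes it usable as a gate in a periodic configuration check; on the constructed 7.4.0 sample it reports diffie-hellman-group14-sha1, ssh-rsa and hmac-sha1, the three entries that the 7.7.1 output above no longer lists.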


The table below compiles the SSH algorithms (key exchange, host key, encryption, MAC and compression) that nmap reports for Luna Network HSM 7 appliances prior to version 7.8.0, when the ability to show and set ciphers was added.

Columns are appliance software versions. An "x" means the algorithm is offered by that version and "-" means it is not. Rows are grouped by category rather than listed in the server's preference order; the nmap output above shows the preference order for 7.4.0 and 7.7.1.

SSH algorithm                          7.2.0  7.3.0  7.4.0  7.7.0  7.7.1

kex
  curve25519-sha256                      -      x      x      x      x
  curve25519-sha256@libssh.org           x      x      x      x      x
  ecdh-sha2-nistp256                     x      x      x      x      x
  ecdh-sha2-nistp384                     x      x      x      x      x
  ecdh-sha2-nistp521                     x      x      x      x      x
  diffie-hellman-group-exchange-sha256   x      x      x      x      x
  diffie-hellman-group16-sha512          x      x      x      x      x
  diffie-hellman-group18-sha512          x      x      x      x      x
  diffie-hellman-group14-sha256          x      x      x      x      x
  diffie-hellman-group14-sha1            x      x      x      x      -

server_host_key
  ssh-rsa                                x      x      x      x      x
  rsa-sha2-512                           x      x      x      x      x
  rsa-sha2-256                           x      x      x      x      x
  ecdsa-sha2-nistp256                    x      x      x      x      x
  ssh-ed25519                            -      -      -      x      x

encryption
  aes192-ctr                             x      x      x      x      x
  aes256-ctr                             x      x      x      x      x

mac
  hmac-sha1                              x      x      x      x      -
  hmac-sha2-256                          x      x      x      x      x
  hmac-sha2-512                          x      x      x      x      x
  umac-64-etm@openssh.com                -      -      -      -      x
  umac-128-etm@openssh.com               -      -      -      -      x
  hmac-sha2-256-etm@openssh.com          -      -      -      -      x
  hmac-sha2-512-etm@openssh.com          -      -      -      -      x
  umac-64@openssh.com                    -      -      -      -      x
  umac-128@openssh.com                   -      -      -      -      x

compression
  none                                   x      x      x      x      x
  zlib@openssh.com                       x      x      x      x      x