SSH ciphers, key exchange and MACs
/etc/ssh/sshd_config# Subtract what you must; do not replace the list.Ciphers -*-cbcMACs -*-96,hmac-sha1*On a current OpenSSH, doing nothing is also a valid answer. Read on before applying anything here.
Why it matters — and why the usual advice is backwards
Section titled “Why it matters — and why the usual advice is backwards”This is the control most likely to be applied from a copied snippet, and the one where a copied snippet does the most damage.
OpenSSH ships strong defaults and has for years. Weak algorithms are removed from
the defaults as they age out: CBC ciphers, arcfour, and SHA-1 key exchange are
already gone from the default set on any supported version. There is very little
left for a hand-written list to remove.
Meanwhile the defaults keep improving. OpenSSH 10.0 made
mlkem768x25519-sha256 the default key exchange — a hybrid post-quantum
algorithm intended to resist an attacker who records traffic now and decrypts it
after a quantum computer exists. OpenSSH 9.9 introduced it, alongside
sntrup761x25519-sha512 which had already been enabled by default earlier.
Now consider what happens when you paste a KexAlgorithms line from a 2018
hardening post. It lists curve25519-sha256 and friends — all fine algorithms —
and by replacing the default list rather than editing it, it silently
excludes the post-quantum exchange your OpenSSH would otherwise have negotiated.
The config looks hardened. It has, in the only way that matters here, made the
host weaker than leaving it alone.
That’s the real exposure this page closes: not weak defaults, but confident snippets that override good ones.
If you must restrict, subtract — don’t replace
Section titled “If you must restrict, subtract — don’t replace”OpenSSH supports modifying the default list instead of overwriting it:
| Syntax | Meaning |
|---|---|
- |
Remove these from the default list |
+ |
Append these to the end of the default list |
^ |
Move these to the head of the default list |
| (no prefix) | Replace the list entirely — this is the dangerous one |
So Ciphers -*-cbc removes any CBC cipher that might exist while leaving
everything else — including future additions from upgrades — intact. A bare
Ciphers aes256-gcm@openssh.com,... freezes your host at the moment the line
was written.
Ask what a policy actually requires. “No CBC” is a subtraction. “Only these four algorithms” is a replacement, and it needs revisiting at every upgrade.
See what your build actually supports
Section titled “See what your build actually supports”ssh -Q kex # key exchange algorithmsssh -Q cipher # ciphersssh -Q mac # MACsRelated
Section titled “Related”- Choose the right SSH key type — key algorithms, as distinct from transport algorithms.