Skip to content

SSH ciphers, key exchange and MACs

Severity: lowApplies to: OpenSSH 8.x+Applies to: OpenSSH 10.x
The fix/etc/ssh/sshd_config
Terminal window
# Subtract what you must; do not replace the list.
Ciphers -*-cbc
MACs -*-96,hmac-sha1*

On a current OpenSSH, doing nothing is also a valid answer. Read on before applying anything here.

Why it matters — and why the usual advice is backwards

Section titled “Why it matters — and why the usual advice is backwards”

This is the control most likely to be applied from a copied snippet, and the one where a copied snippet does the most damage.

OpenSSH ships strong defaults and has for years. Weak algorithms are removed from the defaults as they age out: CBC ciphers, arcfour, and SHA-1 key exchange are already gone from the default set on any supported version. There is very little left for a hand-written list to remove.

Meanwhile the defaults keep improving. OpenSSH 10.0 made mlkem768x25519-sha256 the default key exchange — a hybrid post-quantum algorithm intended to resist an attacker who records traffic now and decrypts it after a quantum computer exists. OpenSSH 9.9 introduced it, alongside sntrup761x25519-sha512 which had already been enabled by default earlier.

Now consider what happens when you paste a KexAlgorithms line from a 2018 hardening post. It lists curve25519-sha256 and friends — all fine algorithms — and by replacing the default list rather than editing it, it silently excludes the post-quantum exchange your OpenSSH would otherwise have negotiated. The config looks hardened. It has, in the only way that matters here, made the host weaker than leaving it alone.

That’s the real exposure this page closes: not weak defaults, but confident snippets that override good ones.

If you must restrict, subtract — don’t replace

Section titled “If you must restrict, subtract — don’t replace”

OpenSSH supports modifying the default list instead of overwriting it:

Syntax Meaning
- Remove these from the default list
+ Append these to the end of the default list
^ Move these to the head of the default list
(no prefix) Replace the list entirely — this is the dangerous one

So Ciphers -*-cbc removes any CBC cipher that might exist while leaving everything else — including future additions from upgrades — intact. A bare Ciphers aes256-gcm@openssh.com,... freezes your host at the moment the line was written.

Ask what a policy actually requires. “No CBC” is a subtraction. “Only these four algorithms” is a replacement, and it needs revisiting at every upgrade.

Terminal window
ssh -Q kex # key exchange algorithms
ssh -Q cipher # ciphers
ssh -Q mac # MACs