SSH Cipher Suite Reference

Recommended and deprecated SSH ciphers, MACs, and key exchange.

Reference of OpenSSH symmetric ciphers, MAC algorithms and key-exchange algorithms with a security status for each, plus a live filter to harden your sshd_config. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

Which SSH ciphers should I use in 2026?

Prefer AEAD ciphers: [email protected] and [email protected]. They combine encryption and integrity, are fast with AES-NI, and are the OpenSSH defaults. AES-CTR is acceptable but needs a separate MAC.

Choosing strong SSH algorithms

Every SSH session negotiates three algorithm classes during the handshake: a symmetric cipher for the data stream, a MAC for integrity (unless an AEAD cipher provides it), and a key-exchange (KEX) algorithm to agree the session keys. This reference lists the common OpenSSH options in each class with a security status so you can harden sshd_config and your client config.

Algorithm quick reference

AlgorithmTypeNotes
[email protected]AEADSoftware-fast; preferred when AES-NI is absent
[email protected]AEADHardware-fast on AES-NI CPUs
[email protected]AEADSlightly faster than 256-GCM, still strong

AEAD ciphers combine encryption and authentication in one pass, so a separate MAC is not negotiated.

Deprecated / avoid

AlgorithmReason
aes256-cbc, aes128-cbcCBC padding attacks; Terrapin vulnerability
3des-cbc3DES is effectively broken for large data volumes
arcfour*RC4 is cryptographically broken
AlgorithmNotes
[email protected]Encrypt-then-MAC; preferred
[email protected]Encrypt-then-MAC; slightly faster

The -etm suffix means the HMAC covers the ciphertext, not the plaintext — the cryptographically preferred construction. Avoid hmac-sha1 and hmac-md5 entirely.

AlgorithmNotes
[email protected]Hybrid post-quantum + X25519; default in current OpenSSH
curve25519-sha256X25519 ECDH; fast and strong classically
diffie-hellman-group16-sha512RSA-world fallback; acceptable

Applying the config

SSH negotiation is preference-ordered: the client offers a list, the server picks the first mutually supported entry. Control the offered lists in /etc/ssh/sshd_config:

Ciphers [email protected],[email protected],[email protected]
MACs [email protected],[email protected]
KexAlgorithms [email protected],curve25519-sha256

Check what your installed build supports before editing:

ssh -Q cipher
ssh -Q mac
ssh -Q kex

Before you save and reload

  1. Validate the config: sudo sshd -t
  2. Reload in a separate process: sudo systemctl reload sshd (not restart)
  3. Keep your existing session open while testing a new login — if the new config breaks authentication, your open session lets you revert without a console.

Locking yourself out of a remote server by mis-configuring sshd_config is one of the most common self-inflicted SSH disasters. The three-step sequence above prevents it.

Checking negotiated algorithms on an active connection

After hardening, verify what your actual SSH session negotiated:

# On the client, while connected
ssh -v user@host 2>&1 | grep -E '(cipher|MAC|kex)'

# Query algorithms the server supports without connecting
nmap --script ssh2-enum-algos -p 22 host

The -v output shows lines like:

kex: curve25519-sha256
server->client cipher: [email protected] MAC: <implicit>

<implicit> for the MAC means an AEAD cipher was negotiated (chacha20-poly1305 or aes-gcm), which is correct — no separate MAC is needed.

Client-side hardening

The same algorithm directives apply to your SSH client config at ~/.ssh/config:

Host *
  Ciphers [email protected],[email protected]
  MACs [email protected],[email protected]
  KexAlgorithms [email protected],curve25519-sha256
  HostKeyAlgorithms ssh-ed25519,rsa-sha2-512

Client-side hardening is worth doing independently of the server — it protects connections to servers you do not control and prevents your client from silently downgrading to a weaker algorithm when connecting to a legacy host.