disallow specific ssh ciphers and/or MACS (white list approach)

kundai tinarwo
May 25, 2017
Hi people, I have a report detailing weak SSH ciphers on a system. How can I disallow these specific weak ciphers? The common solution which I am aware of is adding the following lines in sshd_config (which is a blacklist approach):

Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha1,hmac-ripemd160

The solution I am looking for is a config which in theory allows all ciphers and MACs except the weak ones (whitelist approach), as opposed to explicitly defining which ciphers are allowed.

I like the answer you got on Stack Exchange: list the allowed ones in sshd_config (whitelist), and you have the option of disallowing (blacklist) by putting - in front of them:

It depends on what OpenSSH version you are using. In versions below 7.5, you have no other option than the one you already said -- list all the white-listed algorithms.

Since OpenSSH 7.5 you can use the - modifier, which will blacklist "bad" algorithms from the default set, such as

Ciphers -arcfour
MACs -hmac-md5
(from https://security.stackexchange.com/...c-ssh-ciphers-and-or-macs-white-list-approach)
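As an added example (not from the thread or from OpenSSH itself), the script below shows both halves of the answer above in working shell: it decides from the `ssh -V` string whether the server is new enough for the - modifier and emits the matching sshd_config lines, and it simulates what the - modifier does to a default set so you can predict the effective list before touching a production host. The DEFAULT_CIPHERS and DEFAULT_MACS lists are constructed for the demo and deliberately include legacy algorithms; on a real host take the default set from `sshd -T` instead. The exact algorithms removed or allowed in recommend_config are my choices, not the thread's.

```shell
#!/bin/sh
# Added example: sshd_config "-" modifier helper. Not the thread's own code.

# Constructed stand-in for a server's default algorithm set (real hosts: `sshd -T`).
DEFAULT_CIPHERS="chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes256-cbc,3des-cbc,arcfour"
DEFAULT_MACS="umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96"

# apply_removals DEFAULTS PATTERNS
# Prints DEFAULTS minus every entry matching one of the comma-separated glob
# PATTERNS, i.e. what "Ciphers -PATTERNS" leaves in effect on OpenSSH >= 7.5.
# Runs in a subshell so the IFS change does not leak.
apply_removals() (
    IFS=','
    out=""
    for alg in $1; do
        drop=0
        for pat in $2; do
            case $alg in
                $pat) drop=1; break ;;   # unquoted $pat is matched as a glob
            esac
        done
        if [ "$drop" -eq 0 ]; then
            out="${out:+$out,}$alg"
        fi
    done
    printf '%s\n' "$out"
)

# supports_minus VERSION_STRING
# Exit 0 when the OpenSSH version is 7.5 or newer (the "-" prefix exists).
# VERSION_STRING is what `ssh -V` prints (to stderr), e.g.
# "OpenSSH_7.4p1 Debian-10+deb9u7, OpenSSL 1.0.2u".
supports_minus() {
    ver=$(printf '%s' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    set -- $ver                      # $1=major $2=minor
    [ "$1" -gt 7 ] || { [ "$1" -eq 7 ] && [ "$2" -ge 5 ]; }
}

# recommend_config VERSION_STRING
# Prints sshd_config lines: subtract from the defaults where "-" is supported,
# otherwise fall back to an explicit allow-list. Algorithm choices are mine.
recommend_config() {
    if supports_minus "$1"; then
        printf 'Ciphers -arcfour*,*-cbc\n'
        printf 'MACs -hmac-md5*,*-96\n'
    else
        printf 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr\n'
        printf 'MACs hmac-sha2-256,hmac-sha2-512\n'
    fi
}

# Demo on the constructed lists. Replace the literal version string with
# "$(ssh -V 2>&1)" and the lists with `sshd -T` output on a real host.
echo "# sshd_config for OpenSSH_7.5p1:"
recommend_config "OpenSSH_7.5p1, OpenSSL 1.0.2k"
echo "# effective ciphers after 'Ciphers -arcfour*,*-cbc':"
apply_removals "$DEFAULT_CIPHERS" "arcfour*,*-cbc"
echo "# effective MACs after 'MACs -hmac-md5*,*-96':"
apply_removals "$DEFAULT_MACS" "hmac-md5*,*-96"
```

After editing the real file, run `sshd -t` for a syntax check and `sshd -T | grep -E '^(ciphers|macs) '` to see the effective lists; the - form only changes anything for algorithms that are actually in that host's default set, so compare the `sshd -T` output before and after rather than trusting the config line alone.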
