23

When using OpenSSH server (sshd) and client (ssh), what are all of the default / program preferred ciphers, hash, etc. (security related) and their default options (such as key length)?

So, what are the defaults for symmetric key, MAC, key exchange, etc.

Suraj
  • 332
  • 1
  • 2
  • 9
  • 1
    Isn't this covered in the documentation for OpenSSH? "Specifies the ciphers allowed for protocol version 2. Multiple ciphers must be comma-separated. The supported ciphers are ''3des-cbc'', ''aes128-cbc'', ''aes192-cbc'', ''aes256-cbc'', ''aes128-ctr'', ''aes192-ctr'', ''aes256-ctr'', ''arcfour128'', ''arcfour256'', ''arcfour'', ''blowfish-cbc'', and ''cast128-cbc''. " (from sshd_config) – MCW Dec 19 '12 at 20:49
  • 1
    I'm looking for the default (i.e. what gets choosen) for each category of security-related items. not all of the possible choices for each category. See my comment to schroeder's answer below. – Suraj Dec 19 '12 at 20:54
  • 1
    Updated title - requesting info for SSH v2 only. – Suraj Dec 19 '12 at 21:06

3 Answers3

19

The default algorithms (that is, the algorithms which the client and server prefer to use when given the choice) depend on the client and server implementations, how they were compiled and configured. So it may depend on the software vendor, software version, operating system distribution, and sysadmin choices.

On an Ubuntu 12.10, man ssh_config indicates that the default order for encryption is:

            aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
            aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
            aes256-cbc,arcfour

while the default order for MAC (integrity) is:

            hmac-md5,hmac-sha1,umac-64@openssh.com,
            hmac-ripemd160,hmac-sha1-96,hmac-md5-96,
            hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,
            hmac-sha2-512-96

The key exchange algorithm would follow this order of preference:

            ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
            diffie-hellman-group-exchange-sha256,
            diffie-hellman-group-exchange-sha1,
            diffie-hellman-group14-sha1,
            diffie-hellman-group1-sha1

Of course, preferences are subject to negotiation. An algorithm will be selected only if both the client and server support it (in particular, ECDH key exchange support is rather recent), and both client and server have their say in it (if they do not have the exact same preferences).

A survey is theoretically doable: connect to random IP address, and, if a SSH server responds, work out its preferred list of ciphers and MAC (by connecting multiple times, restricting the list of choices announced by the client). OpenSSH makes usage surveys but they are not as thorough (they just want the server "banner").

Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
  • I couldn't resist and did a little [benchmark](http://nerdbynature.de/s9y/2014/08/17/On-SSH-ciphers,-MACs-and-key-exchange-algorithms#update2 "On SSH ciphers, MACs and key exchange algorithms") of all the known ciphers. But as always: "Lies, Damned Lies and Benchmarks" applies :-) – ckujau Jun 24 '16 at 00:49
  • ssh -Q setting allows displaying the possible values you can set 'setting' to. On Debian 10 the man page has fewer possible 'cipher' settings than ssh -Q shows. – cardiff space man Nov 23 '21 at 20:26
2

Have you looked at the manual? A quick Ctrl-F for 'default' revealed many of the answers you are looking for:

  • key length: 1024
  • 3DES
  • SSH2
  • ...
schroeder
  • 123,438
  • 55
  • 284
  • 319
  • Some of the information is available there, but not all of it. For example, 7 MAC options are listed, but the client chooses. I'm sure that info is in the client man page. I was hoping someone had all that info accessible. And part of this question is to understand what are the different categories of security related options. SSH has multiple sub-protocols. I'm familiar with SSL and while some of the security features in SSH mirror SSL, I don't think they all do. So I'm also trying to avoid reading the entire protocol =) – Suraj Dec 19 '12 at 20:47
  • I feel like saying: "it is all accessible in the man pages if you do a ctrl-f". It took me a minute to do the search and with that being the case, I would have no reason to cache that data in my memory. Defaults between programs are bound to be different because the sshd has to accept connections from different kinds of clients. If, on the other hand, you want to know which is the most secure configuration, then your question needs to be changed. – schroeder Dec 19 '12 at 21:48
  • I'm talking about the OpenSSH client and the OpenSSH server. Does that client have different defaults on different flavors of unix-like systems? Aside from MAC hash, symmetric cipher, asymmetric cipher, what else should I be looking for? – Suraj Dec 19 '12 at 22:03
  • The client and server surely have different options available at compile time. – Dan Pritts Aug 07 '14 at 15:54
0

2022's answer:

By default, ssh uses 'chacha20-poly1305' cipher.

$ man ssh_config
[...]
             The supported ciphers are:

                   3des-cbc
                   aes128-cbc
                   aes192-cbc
                   aes256-cbc
                   aes128-ctr
                   aes192-ctr
                   aes256-ctr
                   aes128-gcm@openssh.com
                   aes256-gcm@openssh.com
                   chacha20-poly1305@openssh.com

             The default is:

                   chacha20-poly1305@openssh.com,
                   aes128-ctr,aes192-ctr,aes256-ctr,
                   aes128-gcm@openssh.com,aes256-gcm@openssh.com
Smile.Hunter
  • 539
  • 1
  • 4
  • 9