The security team of my organization told us to disable weak encryption due to the weak keys


But i tried looking for these ciphers in ssh_config and sshd_config file but found them commented.

 grep arcfour *
ssh_config:#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc

Where can i test ciphers from ssh?

Best Answer

If you have no explicit list of ciphers set in ssh_config using the Ciphers keyword, then the default value, according to man 5 ssh_config (client-side) and man 5 sshd_config (server-side), is.


Note the presence of the arcfour ciphers So you may have to explicitly set a more restrictive value for Ciphers .

ssh -Q cipher from the client will tell you which schemes your client can support. Note that this list is not affected by the list of ciphers specified in ssh_config . Removing a cipher from ssh_config will not remove it from the output of ssh -Q cipher . Furthermore, using ssh with the -c option to explicitly specify a cipher will override the restricted list of ciphers that you set in ssh_config and possibly allow you to use a weak cipher. This is a feature that allows you to use your ssh client to communicate with obsolete SSH servers that do not support the newer stronger ciphers.

nmap --script ssh2-enum-algos -sV -p <port> <host> will tell you which schemes your server supports.