OpenSSH default/preferred ciphers, hash, etc for SSH2

  • When using OpenSSH server (sshd) and client (ssh), what are all of the default / program preferred ciphers, hash, etc. (security related) and their default options (such as key length)?

    So, what are the defaults for symmetric key, MAC, key exchange, etc.

    Isn't this covered in the documentation for OpenSSH? "Specifies the ciphers allowed for protocol version 2. Multiple ciphers must be comma-separated. The supported ciphers are ''3des-cbc'', ''aes128-cbc'', ''aes192-cbc'', ''aes256-cbc'', ''aes128-ctr'', ''aes192-ctr'', ''aes256-ctr'', ''arcfour128'', ''arcfour256'', ''arcfour'', ''blowfish-cbc'', and ''cast128-cbc''. " (from sshd_config)

    I'm looking for the default (i.e. what gets choosen) for each category of security-related items. not all of the possible choices for each category. See my comment to schroeder's answer below.

    Updated title - requesting info for SSH v2 only.

  • The default algorithms (that is, the algorithms which the client and server prefer to use when given the choice) depend on the client and server implementations, how they were compiled and configured. So it may depend on the software vendor, software version, operating system distribution, and sysadmin choices.

    On an Ubuntu 12.10, man ssh_config indicates that the default order for encryption is:

                aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
                aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
                aes256-cbc,arcfour
    

    while the default order for MAC (integrity) is:

                hmac-md5,hmac-sha1,[email protected],
                hmac-ripemd160,hmac-sha1-96,hmac-md5-96,
                hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,
                hmac-sha2-512-96
    

    The key exchange algorithm would follow this order of preference:

                ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
                diffie-hellman-group-exchange-sha256,
                diffie-hellman-group-exchange-sha1,
                diffie-hellman-group14-sha1,
                diffie-hellman-group1-sha1
    

    Of course, preferences are subject to negotiation. An algorithm will be selected only if both the client and server support it (in particular, ECDH key exchange support is rather recent), and both client and server have their say in it (if they do not have the exact same preferences).

    A survey is theoretically doable: connect to random IP address, and, if a SSH server responds, work out its preferred list of ciphers and MAC (by connecting multiple times, restricting the list of choices announced by the client). OpenSSH makes usage surveys but they are not as thorough (they just want the server "banner").

    I couldn't resist and did a little benchmark of all the known ciphers. But as always: "Lies, Damned Lies and Benchmarks" applies :-)

  • Have you looked at the manual? A quick Ctrl-F for 'default' revealed many of the answers you are looking for:

    • key length: 1024
    • 3DES
    • SSH2
    • ...

    Some of the information is available there, but not all of it. For example, 7 MAC options are listed, but the client chooses. I'm sure that info is in the client man page. I was hoping someone had all that info accessible. And part of this question is to understand what are the different categories of security related options. SSH has multiple sub-protocols. I'm familiar with SSL and while some of the security features in SSH mirror SSL, I don't think they all do. So I'm also trying to avoid reading the entire protocol =)

    I feel like saying: "it is all accessible in the man pages if you do a ctrl-f". It took me a minute to do the search and with that being the case, I would have no reason to cache that data in my memory. Defaults between programs are bound to be different because the sshd has to accept connections from different kinds of clients. If, on the other hand, you want to know which is the most secure configuration, then your question needs to be changed.

    I'm talking about the OpenSSH client and the OpenSSH server. Does that client have different defaults on different flavors of unix-like systems? Aside from MAC hash, symmetric cipher, asymmetric cipher, what else should I be looking for?

    The client and server surely have different options available at compile time.

License under CC-BY-SA with attribution


Content dated before 6/26/2020 9:53 AM