If we remove all the ssh ciphers from sshd_config file , will it allow to establish ssh connection by all the available ciphers of the current system ? Or there is a specific set which it will allow ? If there is a specific set , how and what is that default set of ssh ciphers. If it starts allowing all the available ssh ciphers then can I assume the list to be same as the output of "ssh -Q cipher" ?
2 Answers
No.
- If you do not specify the
Ciphersin yoursshd_config, the client will use a default list of allowed ciphers. It is explained in the manual page. In Ubnutu 16.04
The default is:
, aes128-ctr,aes192-ctr,aes256-ctr, ,
- If you specify some set, for example
Ciphers aes128-ctr, only this cipher will be used for connections.
The list produced by ssh -Q cipher will show the list of all supported ciphers, but not all of them are enabled, because some of them exists only for legacy reasons.
Yes, if no Ciphers are specified in sshd_config to limit the ciphers that may be used, then sshd will use all supported, non-deprecated ciphers.
In normal package distributions (you have not modified and built the openssh package yourself), the ciphers supported by ssh and sshd will be identical, so ssh -Q cipher will list the supported sshd ciphers (which should be identical as a set to those listed in man sshd_config).
Note that ssh -Q queries what the client supports; it will not list the ciphers supported by some remote machine's sshd. It also will not identify which of those ciphers are deprecated and therefore not used by default by the local sshd. The default list for a given installation will be found in the Ciphers section of man 5 sshd_config; for Ubuntu 16.04:
,
aes128-ctr,aes192-ctr,aes256-ctr,
,