To get a list of all supported algorithms, I can run ssh -Q kex, which on my machine outputs
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
[email protected]
[email protected]
I also know I can add a line into my sshd_config and ssh_config files like KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256 if I want to whitelist certain algorithms.
However, I don't think I will stay on top of keeping this list up to date. If my version of ssh is updated to include better ciphers, I want to be able to take advantage of those automatically (which is what would happen if I don't modify my configuration file). By trying to eliminate algorithms I do not want to use (for instance, diffie-hellman-group1-sha1), I have also locked myself in to not using anything better than the best currently supported algorithm.
Is there a way to configure ssh and sshd to say "Do not consider these algorithms" without also saying "And also don't consider anything except these other algorithms"?
I would accept answers specific to openssh and Linux, and you can assume I am using very new versions of relevant software.
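An added worked example (written for this page; it is not part of the question and not OpenSSH's own code). OpenSSH 7.5 and later document, in ssh_config(5) and sshd_config(5), that a KexAlgorithms value (likewise Ciphers, MACs and HostKeyAlgorithms) beginning with "-" removes the listed names, wildcards allowed, from the built-in default set instead of replacing it, which is exactly the "do not consider these" semantics asked for; "+" appends to the defaults and, from OpenSSH 8.0, "^" prepends. The script below shows the whitelist line from the question beside the subtractive form and re-implements the filtering in plain sh so the effect of either line can be checked offline. DEFAULT_KEX is a constructed stand-in for the client's built-in default order, not read from a real binary; apply_kex_spec, effective_from_line and show_effective_kex are names chosen here, not OpenSSH functions. One caveat worth knowing: ssh -Q kex prints everything the binary supports, which is a superset of what it offers by default, so an algorithm may already be absent from the defaults without any configuration.

```shell
#!/bin/sh
# Added example, not from the original question or from OpenSSH itself.
# It models the "-" prefix semantics of KexAlgorithms (OpenSSH 7.5+) in
# plain sh so a config line can be checked without a live sshd.

# Constructed stand-in for the client's default order (hypothetical; ask a
# real client with 'ssh -G host' for the true list). group1-sha1 is kept in
# here only so that removing it has a visible effect.
DEFAULT_KEX='curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1'

# The two ways of writing the line in sshd_config or ssh_config:
#   whitelist: freezes the set, newer defaults are never picked up
#   blacklist: drops the named patterns, everything else follows the defaults
WHITELIST_LINE='KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
BLACKLIST_LINE='KexAlgorithms -*-sha1'

# apply_kex_spec DEFAULT_LIST SPEC -> prints the effective comma-separated list.
#   SPEC 'a,b'   : explicit list, replaces DEFAULT_LIST entirely
#   SPEC '-a,*x' : remove every default whose name matches a pattern
# Patterns are shell globs, which is also what OpenSSH accepts in this position.
apply_kex_spec() {
    defaults=$1
    spec=$2
    case $spec in
        -*) ;;
        *)  printf '%s\n' "$spec"; return 0 ;;
    esac
    patterns=${spec#-}
    result=''
    set -f                      # no pathname expansion while looping over '*' patterns
    oldifs=$IFS; IFS=,
    for name in $defaults; do
        keep=1
        for pat in $patterns; do
            case $name in $pat) keep=0; break ;; esac
        done
        if [ "$keep" -eq 1 ]; then
            result="${result:+$result,}$name"
        fi
    done
    IFS=$oldifs
    set +f
    printf '%s\n' "$result"
}

# effective_from_line DEFAULT_LIST 'KexAlgorithms <value>' -> effective list
effective_from_line() {
    apply_kex_spec "$1" "${2#KexAlgorithms }"
}

# show_effective_kex HOST: on a machine with a real OpenSSH client (6.8+ for -G),
# print the list ssh would actually offer HOST once ssh_config is applied.
show_effective_kex() {
    command -v ssh >/dev/null 2>&1 || { echo 'ssh not installed' >&2; return 1; }
    ssh -G "$1" | awk '$1 == "kexalgorithms" { print $2 }'
}

echo "whitelist -> $(effective_from_line "$DEFAULT_KEX" "$WHITELIST_LINE")"
echo "blacklist -> $(effective_from_line "$DEFAULT_KEX" "$BLACKLIST_LINE")"
```

To confirm the installed client understands the subtractive form before relying on it, run ssh -G -o 'KexAlgorithms=-diffie-hellman-group1-sha1' somehost | grep '^kexalgorithms' and compare with the unmodified ssh -G output; a client too old for the syntax rejects the option rather than silently ignoring it. On the server side, sshd -T dumps the effective configuration the same way, so the kexalgorithms line it prints after an upgrade shows whether newly added defaults are being offered.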