added link to ssh changelog
Jeff Schaller

The problem with explicitly specifying a cipher list is that you must manually add new ciphers as they come out. Instead, simply list the ciphers you want to remove, prepending the list (not each individual cipher) with a '-' character. So in this case, the Ciphers line should read:

Ciphers -arcfour*

Or if you prefer:

Ciphers -arcfour,arcfour128,arcfour256

From the sshd_config man page on the Ciphers option (since OpenSSH 7.5, released 2017-03-20):

If the specified value begins with a ‘+’ character, then the specified ciphers will be appended to the default set instead of replacing them. If the specified value begins with a ‘-’ character, then the specified ciphers (including wildcards) will be removed from the default set instead of replacing them.

This also applies to the KexAlgorithms and MACs options.
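
The prefix semantics quoted above, simulated in shell as an added example (not part of the original answer and not OpenSSH's own code). The default set is constructed sample data, and the function names `matches_any`, `effective_list` and `offers` are hypothetical.

```shell
#!/bin/sh
# Simulates how a Ciphers/KexAlgorithms/MACs value is resolved against a default set.
# DEFAULT_SET is constructed sample data, not the default list of any OpenSSH release.
DEFAULT_SET="chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr,arcfour256,arcfour128,arcfour"

# matches_any NAME PATTERNS: succeed if NAME matches one comma-separated pattern.
# The body is a subshell so the IFS and noglob changes do not leak to the caller.
matches_any() (
    IFS=,; set -f
    for pat in $2; do
        case $1 in $pat) exit 0 ;; esac
    done
    exit 1
)

# effective_list DEFAULTS SPEC: print the list that results from SPEC.
#   "+list" appends to the defaults, "-list" removes matches from the defaults,
#   anything else replaces the defaults outright.
effective_list() (
    defaults=$1 spec=$2 out=
    case $spec in
        +*) printf '%s,%s\n' "$defaults" "${spec#+}"; exit 0 ;;
        -*) patterns=${spec#-} ;;
        *)  printf '%s\n' "$spec"; exit 0 ;;
    esac
    IFS=,; set -f
    for alg in $defaults; do
        matches_any "$alg" "$patterns" || out=${out:+$out,}$alg
    done
    printf '%s\n' "$out"
)

# offers LIST PATTERNS: succeed if any algorithm in LIST still matches PATTERNS.
offers() (
    IFS=,; set -f
    for alg in $1; do
        matches_any "$alg" "$2" && exit 0
    done
    exit 1
)

# The third value shows the pitfall: without the wildcard, "arcfour" removes only
# the algorithm with exactly that name and leaves arcfour128 and arcfour256 in place.
for spec in '-arcfour*' '-arcfour,arcfour128,arcfour256' '-arcfour'; do
    printf '%-40s -> %s\n' "Ciphers $spec" "$(effective_list "$DEFAULT_SET" "$spec")"
done
```

On a live host, `sshd -T | grep -i '^ciphers'` prints the list the daemon actually resolved, which can be passed to `offers` in place of the simulated one.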

- option added after + option, fixed release version
Spacedog

The problem with explicitly specifying a cipher list is that you must manually add new ciphers as they come out. Instead, simply list the ciphers you want to remove, prepending the list (not each individual cipher) with a '-' character. So in this case, the Ciphers line should read:

Ciphers -arcfour*

Or if you prefer:

Ciphers -arcfour,arcfour128,arcfour256

From the sshd_config man page on the Ciphers option (since OpenSSH 7.5, released 2017-03-20):

If the specified value begins with a ‘+’ character, then the specified ciphers will be appended to the default set instead of replacing them. If the specified value begins with a ‘-’ character, then the specified ciphers (including wildcards) will be removed from the default set instead of replacing them.

This also applies to the KexAlgorithms and MACs options.

since OpenSSH 7.0
Spacedog

The problem with explicitly specifying a cipher list is that you must manually add new ciphers as they come out. Instead, simply list the ciphers you want to remove, prepending the list (not each individual cipher) with a '-' character. So in this case, the Ciphers line should read:

Ciphers -arcfour*

Or if you prefer:

Ciphers -arcfour,arcfour128,arcfour256

From the sshd_config man page on the Ciphers option (since OpenSSH 7.0, released 2015-08-11):

If the specified value begins with a ‘+’ character, then the specified ciphers will be appended to the default set instead of replacing them. If the specified value begins with a ‘-’ character, then the specified ciphers (including wildcards) will be removed from the default set instead of replacing them.

This also applies to the KexAlgorithms and MACs options.

prepend entire list, not each cipher
Spacedog