Forcing encryption algorithms on server side

Darren Tucker dtucker at
Sun Sep 17 10:33:56 EST 2006

James Maniotis wrote:
> As the man pages say, you can force an encryption algorithm from the
> server side by use of the "Cipher" command.

On the server side it's "Ciphers".  Be aware that it applies only to 
Protocol 2.

> How would one verify this is working? Thanks.

Run the client in debug mode (eg "ssh -vv yourserver").  Amongst the 
output, you will see something like this:

debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,[...]
debug2: kex_parse_kexinit: 3des-cbc,arcfour
debug2: kex_parse_kexinit: 3des-cbc,arcfour

The lines after the "reserved" one are the key exchange methods, 
signature and ciphers offered by the server.

and a bit further down you will see something like this, which indicates 
  which cipher, MAC and compression were selected:

debug2: mac_init: found hmac-md5
debug1: kex: client->server arcfour hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: server->client arcfour hmac-md5 none

In this example, the server offered the 3des-cbc and arcfour ciphers, 
and the client picked arcfour.

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list