Cipher Order in sshd_config

Damien Miller djm at
Tue Aug 26 09:12:06 EST 2014

On Mon, 25 Aug 2014, Ron Frederick wrote:

> I noticed some time ago that OpenSSH still prefers aes128 over aes192/aes256
> ciphers in multiple cases (CTR, GCM, and CBC). Is this due to concerns about
> CPU usage? These days, I would think we'd want to have clients prefer AES256.

It's a tradeoff for performance/security. I don't think attacks on AES128
are particularly feasible.

> It also still prefers MD5 over everything else for hashing, and SHA1 over
> SHA2. While it still makes sense to support MD5 for backward compatibility
> (and indeed the SSH RFC requires it), I'm not sure it still makes sense to
> prefer either it or SHA1 at this point.

For OpenSSH 6.7, the default MAC ordering does indeed demote HMAC-MD5.
That being said, there are no practical attacks on HMAC-MD5 that I know
of. HMAC is pretty forgiving of problems with the underlying hash.


More information about the openssh-unix-dev mailing list