Strange crypto choices

Yegor Ievlev koops1997 at
Fri May 25 23:00:18 AEST 2018

The defaults for HostKeyAlgorithms option are:

ecdsa-sha2-nistp256-cert-v01 at,
ecdsa-sha2-nistp384-cert-v01 at,
ecdsa-sha2-nistp521-cert-v01 at,
ssh-ed25519-cert-v01 at,
ssh-rsa-cert-v01 at,

Why does OpenSSH prefer older and less secure
( ECDSA with NIST curves over Ed25519?
Also why are smaller key, curve and hash sizes preferred over bigger

The default ciphers are:

chacha20-poly1305 at,
aes128-gcm at,aes256-gcm at

Why is CTR mode preferred over GCM? Usually, AEAD ciphers are
preferred over non-AEAD ones.

The default MACs are:

umac-64-etm at,umac-128-etm at,
hmac-sha2-256-etm at,hmac-sha2-512-etm at,
hmac-sha1-etm at,
umac-64 at,umac-128 at,

Why is UMAC preferred over HMAC? UMAC is less widely known and does
not have as much research done on its security as HMAC.

Also, in ssh-rsa-cert-v01 at case the certificate is signed
using SHA-1, allowing the certificate signature to be forged. In
ssh-rsa case the attack is mitigated because the data is hashed with
SHA-256 before being signed. I suggest disabling this method by

More information about the openssh-unix-dev mailing list