Configure Strong Ciphers for SSH | Debian Linux

By | 2016/10/15

OpenSSH server has fairly weak ciphers by default on Debian Linux. Here is an example of how to tighten security specifying stronger ciphers!

1. For Debian jessie or later (OpenSSH 6.7+), edit the file /etc/ssh/sshd_config

In this file, comment out weak vulnerable ssh host keys, leaving only the strongest enabled.

Also specify the strongest algorithms, ciphers, and MACs.

Note: If one requires older ssh clients to connect, optionally leave ssh_host_rsa_key enabled as well.

Protocol 2
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key


2. On Debian, one can optionally disable broadcasting the Debian banner as well if desired

DebianBanner no

3. Restart ssh

sudo service ssh restart



Audit your ssh server security with this nifty app:

Leave a Reply

Your email address will not be published. Required fields are marked *

Notify me of followup comments via e-mail. You can also subscribe without commenting.