Which SSH ciphers should I use in 2026?

Prefer AEAD ciphers: chacha20-poly1305@openssh.com and aes256-gcm@openssh.com. They combine encryption and integrity, are fast with AES-NI, and are the OpenSSH defaults. AES-CTR is acceptable but needs a separate MAC.

What does encrypt-then-MAC mean?

Encrypt-then-MAC (the -etm suffix) computes the authentication tag over the ciphertext rather than the plaintext. It is the cryptographically preferred construction and resists several padding and integrity attacks, so prefer hmac-sha2-256-etm over the plain variant.

Why are CBC ciphers deprecated?

CBC-mode SSH ciphers are vulnerable to plaintext-recovery and Terrapin-class attacks because of how SSH frames packets. OpenSSH disables aes256-cbc and 3des-cbc by default. Use AEAD or CTR ciphers instead.

What is sntrup761x25519?

It is a hybrid post-quantum key exchange combining the NTRU Prime KEM with X25519. It protects session keys against future quantum attacks while staying secure against classical ones, and is the default key exchange in current OpenSSH.

Does this tool connect to my server?

No. It is a static offline reference and filter that runs entirely in your browser. Nothing is sent to any server.

SSH Cipher Suite Reference

Email me this result

Get this tool's output sent to your inbox, plus one useful tool a week. No spam, unsubscribe any time.

Choosing strong SSH algorithms

Every SSH session negotiates three algorithm classes during the handshake: a symmetric cipher for the data stream, a MAC for integrity (unless an AEAD cipher provides it), and a key-exchange (KEX) algorithm to agree the session keys. This reference lists the common OpenSSH options in each class with a security status so you can harden sshd_config and your client config.

How it works

SSH negotiation is preference-ordered: the client offers a list, the server picks the first mutually supported entry. You control the offered lists with three directives:

Ciphers [email protected],[email protected],[email protected]
MACs [email protected],[email protected]
KexAlgorithms [email protected],curve25519-sha256

AEAD ciphers such as [email protected] and the aes*-gcm suites authenticate and encrypt in one pass, so a separate MAC is not used. For CTR ciphers, pair them with an encrypt-then-MAC (-etm) HMAC. Run ssh -Q cipher, ssh -Q mac and ssh -Q kex to see what your local build supports.

Tips and notes

Lead each list with the strongest algorithm — negotiation picks the first match.
Avoid SHA-1 and MD5 MACs and any CBC or 3DES cipher; they are broken or weak.
The -etm (encrypt-then-MAC) HMACs are preferred over their plain counterparts.
After editing, validate with sshd -t and reload before closing your session.