cipher specifications in ssh_config and sshd_config

I'm trying to modify the default cipher used without using -c at the
command line each time.  I am able to get successful operation using
blowfish encryption by adding the line

Ciphers blowfish-cbc

to /etc/ssh/ssh_config

When I ssh -v to another server I get confirmation that blowfish-cbc
is being used in both directions.

However, the man page for ssh says that you can supply a comma
delimited listing of preferred ciphers in order of preference, which I
try to do by modifying the above line in ssh_config to the following

Cipher blowfish-cbc,3des-cbc

and then when I try to ssh, I get this.

debug1: Reading configuration data /etc/ssh/ssh_config
/etc/ssh/ssh_config line 34: Bad cipher '"blowfish-cbc,3des-cbc"'.

The same thing happens when I remove the -cbc from both cipher names.
I've tried formatting this a whole bunch of different ways.  Adding a
space between the comma and the 2nd cipher, no comma with a space,
wrapping the whole thing in double quotes.  Nothing works.

Is this functionality just broken?  I can't get it to work on my
FreeBSD machine running 3.5p1, nor on a Red Hat machine running 3.7.1p1.

The same error occurs when I try forcing the server to only accept a
certain set of ciphers in order of blowfish,3des.  The daemon won't
start, saying there is an error in /etc/ssh/sshd_config.


Re: cipher specifications in ssh_config and sshd_config


ssh has two cipher directives, "Cipher" which sets the cipher for SSHv1
(values such as "blowfish" or "3des") and "Ciphers" which specifies a
comma-separated list of candidate ciphers (e.g. "aes128-cbc,3des-cbc") for

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
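
An added example, not part of the thread and not OpenSSH code: a small Python check for the mix-up described in the reply, flagging a "Cipher" line that is given a list or an SSHv2 name, and a "Ciphers" line that is given SSHv1 names. The function name, the sample config, and the inclusion of "des" in the SSHv1 name set are assumptions made for this example.

```python
import re

# SSHv1 names for the single-valued "Cipher" keyword. The reply names
# "blowfish" and "3des"; "des" is added here as an assumption.
SSH1_CIPHERS = {"3des", "blowfish", "des"}

# Constructed sample config, not taken from any real host.
SAMPLE = """\
# constructed sample
Host *
    Cipher blowfish-cbc,3des-cbc
    Cipher "blowfish,3des"
    Cipher blowfish
    Ciphers blowfish-cbc,3des-cbc
    Ciphers = blowfish,3des
"""

def lint_cipher_directives(config_text):
    """Return (line_number, message) for each misused Cipher/Ciphers line."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or a single '='.
        m = re.match(r"([A-Za-z0-9]+)\s*(?:=\s*|\s+)(.*)$", line)
        if not m:
            continue
        keyword = m.group(1).lower()  # keywords are case-insensitive
        value = m.group(2).strip().strip('"')
        names = [n.strip() for n in value.split(",") if n.strip()]
        if keyword == "cipher":
            if len(names) > 1:
                findings.append((lineno, "Cipher takes one SSHv1 cipher; "
                                         "put a list under Ciphers"))
            elif names and names[0] not in SSH1_CIPHERS:
                findings.append((lineno, f"'{names[0]}' is not an SSHv1 "
                                         "name; did you mean Ciphers?"))
        elif keyword == "ciphers":
            v1 = [n for n in names if n in SSH1_CIPHERS]
            if v1:
                findings.append((lineno, "SSHv1 name(s) in Ciphers: "
                                         + ",".join(v1)))
    return findings

if __name__ == "__main__":
    for lineno, message in lint_cipher_directives(SAMPLE):
        print(f"line {lineno}: {message}")
```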
