The defaults for the HostKeyAlgorithms option are:

    ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,
    ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx,
    ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx,
    ssh-ed25519-cert-v01@xxxxxxxxxxx,
    ssh-rsa-cert-v01@xxxxxxxxxxx,
    ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
    ssh-ed25519,ssh-rsa

Why does OpenSSH prefer older and less secure (https://safecurves.cr.yp.to/) ECDSA with NIST curves over Ed25519? Also, why are smaller key, curve and hash sizes preferred over bigger ones?

The default ciphers are:

    chacha20-poly1305@xxxxxxxxxxx,
    aes128-ctr,aes192-ctr,aes256-ctr,
    aes128-gcm@xxxxxxxxxxx,aes256-gcm@xxxxxxxxxxx

Why is CTR mode preferred over GCM? Usually, AEAD ciphers are preferred over non-AEAD ones.

The default MACs are:

    umac-64-etm@xxxxxxxxxxx,umac-128-etm@xxxxxxxxxxx,
    hmac-sha2-256-etm@xxxxxxxxxxx,hmac-sha2-512-etm@xxxxxxxxxxx,
    hmac-sha1-etm@xxxxxxxxxxx,
    umac-64@xxxxxxxxxxx,umac-128@xxxxxxxxxxx,
    hmac-sha2-256,hmac-sha2-512,hmac-sha1

Why is UMAC preferred over HMAC? UMAC is less widely known and does not have as much research done on its security as HMAC.

Also, in the ssh-rsa-cert-v01@xxxxxxxxxxx case the certificate is signed using SHA-1, allowing the certificate signature to be forged. In the ssh-rsa case the attack is mitigated because the data is hashed with SHA-256 before being signed. I suggest disabling this method by default.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
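Added example, not part of the original message and not OpenSSH's code: a minimal model of the RFC 4253 (section 7.1) selection rule, under which the first name on the client's list that the server also offers is chosen, so the order of these default lists decides what is negotiated. It uses only the unsuffixed names quoted above; the server offer and the reordered client lists are constructed for illustration, and the key-exchange-dependent requirements on host key algorithms are ignored.

```python
# Added example: client-driven algorithm selection per RFC 4253, section 7.1.
# Name-lists are comma-separated, most preferred first.

class NoCommonAlgorithm(Exception):
    """Raised when client and server share no algorithm in a category."""

def parse_name_list(value):
    """Split a comma-separated name-list, tolerating spaces after commas."""
    return [n.strip() for n in value.split(",") if n.strip()]

def negotiate(client, server):
    """Return the first name on the client's list that the server also offers."""
    offered = set(server)
    for name in client:
        if name in offered:
            return name
    raise NoCommonAlgorithm(f"client={client} server={server}")

def negotiate_all(client_cfg, server_cfg):
    """Negotiate each category (host key, cipher, MAC) independently."""
    return {
        key: negotiate(parse_name_list(client_cfg[key]),
                       parse_name_list(server_cfg[key]))
        for key in client_cfg
    }

# Unsuffixed names, in the order quoted in the message above.
CLIENT_DEFAULT = {
    "HostKeyAlgorithms": "ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,"
                         "ecdsa-sha2-nistp521, ssh-ed25519,ssh-rsa",
    "Ciphers": "aes128-ctr,aes192-ctr,aes256-ctr",
    "MACs": "hmac-sha2-256,hmac-sha2-512,hmac-sha1",
}
# Constructed alternative: the same names, reordered by a hypothetical admin.
CLIENT_REORDERED = {
    "HostKeyAlgorithms": "ssh-ed25519,ecdsa-sha2-nistp521,"
                         "ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,ssh-rsa",
    "Ciphers": "aes256-ctr,aes192-ctr,aes128-ctr",
    "MACs": "hmac-sha2-512,hmac-sha2-256,hmac-sha1",
}
# Constructed server offer; its order has no effect on the outcome.
SERVER = {
    "HostKeyAlgorithms": "ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519",
    "Ciphers": "aes128-ctr,aes256-ctr",
    "MACs": "hmac-sha1,hmac-sha2-256,hmac-sha2-512",
}

if __name__ == "__main__":
    for label, cfg in (("default", CLIENT_DEFAULT), ("reordered", CLIENT_REORDERED)):
        print(label, negotiate_all(cfg, SERVER))
```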