The Secure Shell (SSH) protocol is the bedrock of secure remote administration on Linux systems.
Its security, however, is not static; it relies on a suite of cryptographic algorithms for key exchange, encryption, and data integrity.
Over time, some algorithms become weak and are deprecated.
Therefore, knowing how to check which algorithms your SSH client and server support is a critical skill for security audits, hardening, and ensuring interoperability.
This article provides a complete guide on how to inspect the SSH algorithms supported and enabled on your Linux system.
Understanding the Algorithm Categories
SSH uses a combination of different algorithm types to establish a secure channel. When you check your configuration, you will encounter the following categories:
- Key Exchange Algorithms (KexAlgorithms): These are used to securely agree upon a shared secret key at the beginning of an SSH session. Examples include diffie-hellman-group-exchange-sha256 and modern elliptic curve variants like curve25519-sha256.
- Host Key Algorithms (HostKeyAlgorithms): These determine the type of key, and the signature scheme used with it, that the server uses to prove its identity to the client, preventing man-in-the-middle attacks. Common types are ssh-ed25519, rsa-sha2-512, and ecdsa-sha2-nistp256.
- Ciphers (Ciphers): These are the symmetric encryption algorithms used to encrypt the actual data flowing through the SSH connection after the secure channel is established. Examples include aes256-ctr and the AEAD ciphers aes256-gcm@openssh.com and chacha20-poly1305@openssh.com.
- Message Authentication Codes (MACs): These are used to ensure the integrity of the data being transmitted, protecting it from tampering. Examples include hmac-sha2-256 and its encrypt-then-MAC variant hmac-sha2-256-etm@openssh.com. The AEAD ciphers (GCM and ChaCha20-Poly1305) authenticate the data themselves, so when one of them is chosen no separate MAC is used.
Method 1: Checking Your Local SSH Client’s Supported Algorithms
The easiest way to see what your local SSH client supports is to use the ssh command itself with the -Q option. This queries the client binary for every algorithm it was built with in a given category. Note that this is the compiled-in list, not what your configuration actually enables: to see the lists ssh will offer to a particular host after ssh_config has been applied, run ssh -G host.example.com and read its ciphers, macs, kexalgorithms and hostkeyalgorithms lines.
1. To check supported Ciphers:
ssh -Q cipher
Example Output:
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
2. To check supported MACs:
ssh -Q mac
Example Output:
hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
hmac-md5
hmac-md5-96
umac-64@openssh.com
umac-128@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha1-96-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
hmac-md5-etm@openssh.com
hmac-md5-96-etm@openssh.com
umac-64-etm@openssh.com
umac-128-etm@openssh.com
3. To check supported Key Exchange (Kex) algorithms:
ssh -Q kex
Example Output:
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
curve25519-sha256@libssh.org
sntrup761x25519-sha512@openssh.com
4. To check supported Host Key algorithms:
ssh -Q key
Example Output:
ssh-ed25519
ssh-ed25519-cert-v01@openssh.com
sk-ssh-ed25519@openssh.com
sk-ssh-ed25519-cert-v01@openssh.com
ssh-rsa
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
sk-ecdsa-sha2-nistp256@openssh.com
webauthn-sk-ecdsa-sha2-nistp256@openssh.com
ssh-rsa-cert-v01@openssh.com
ssh-dss-cert-v01@openssh.com
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com
Note that ssh -Q key lists key types, which is why rsa-sha2-256 and rsa-sha2-512 are missing even though they are the SHA-2 signature schemes negotiated for RSA host keys. The names exchanged as host key algorithms are signature algorithm names; ssh -Q key-sig lists those, and on recent releases -Q also accepts any ssh_config keyword that takes an algorithm list, so ssh -Q HostKeyAlgorithms works as well.
Method 2: Querying a Remote SSH Server’s Supported Algorithms
Often, you need to know what a remote server supports. You can do this without fully authenticating by using verbose connection options or dedicated tools.
1. Using ssh in Verbose Mode
The simplest method is to attempt a connection to the server with a high level of verbosity (-vv). During the initial handshake each side sends a KEXINIT message listing every algorithm it is willing to use, and the debug output prints both proposals as well as the algorithms finally chosen. The key exchange completes before authentication, so you do not need an account on the server to see it.
ssh -vv server.example.com
The handshake finishes before you are asked to authenticate, so you can press Ctrl+C at the password prompt, or add -o BatchMode=yes so that the client gives up without prompting. Scour the output for lines related to the algorithm negotiation.
Example Output Snippet:
...
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
...
This shows the chosen algorithms for the connection. MAC: <implicit> means an AEAD cipher was selected, so no separate MAC is negotiated. To see everything each side offered, look earlier in the output for the blocks headed debug2: local client KEXINIT proposal and debug2: peer server KEXINIT proposal; each is followed by debug2: KEX algorithms:, debug2: host key algorithms:, debug2: ciphers ctos: and stoc:, and debug2: MACs ctos: and stoc: lines carrying the full comma-separated lists.
2. Using nmap
The network scanner nmap has a specific script, ssh2-enum-algos, designed for this exact purpose. This is often the cleanest and most direct way to query a remote server.
nmap --script ssh2-enum-algos -p 22 server.example.com
Example Output:
Starting Nmap 7.92 ( https://nmap.org ) at 2025-08-11 05:00 UTC
Nmap scan report for server.example.com (192.0.2.1)
Host is up (0.0012s latency).
PORT STATE SERVICE
22/tcp open ssh
| ssh2-enum-algos:
|   kex_algorithms: (10)
|       curve25519-sha256
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group16-sha512
|       diffie-hellman-group18-sha512
|       diffie-hellman-group14-sha256
|       kex-strict-s-v00@openssh.com
|   server_host_key_algorithms: (5)
|       ssh-rsa
|       rsa-sha2-512
|       rsa-sha2-256
|       ecdsa-sha2-nistp256
|       ssh-ed25519
|   encryption_algorithms: (6)
|       chacha20-poly1305@openssh.com
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       aes128-gcm@openssh.com
|       aes256-gcm@openssh.com
|   mac_algorithms: (6)
|       umac-64-etm@openssh.com
|       umac-128-etm@openssh.com
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha2-512-etm@openssh.com
|       umac-64@openssh.com
|       umac-128@openssh.com
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com
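What nmap's ssh2-enum-algos script (and the ssh -vv proposal lines above) is really showing you is the server's SSH_MSG_KEXINIT message, the very first packet after the version strings are exchanged and before anything is encrypted. The following is an added example, not code from this article, OpenSSH or nmap: it decodes that message from its RFC 4253 wire format (ten length-prefixed, comma-separated name-lists after a 16-byte cookie), with a constructed sample packet embedded so it runs offline, and a fetch_kexinit helper that reads the same packet from a live host when you pass a hostname. The client identification string it sends is this example's own choice.

```python
"""Read a server's KEXINIT proposal directly, the data nmap's ssh2-enum-algos prints.

Added example, not from the article, OpenSSH or nmap. Wire format per RFC 4253:
identification strings (s4.2), binary packet (s6) and SSH_MSG_KEXINIT (s7.1).
Only the unencrypted first packet is read; no key exchange is performed.
"""
import io
import socket
import struct
import sys

SSH_MSG_KEXINIT = 20

# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253 s7.1).
KEXINIT_FIELDS = [
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
]

# Constructed sample (not a real capture); a cut-down version of the nmap listing.
SAMPLE_SERVER_LISTS = {
    "kex_algorithms": ["curve25519-sha256", "curve25519-sha256@libssh.org",
                       "ecdh-sha2-nistp256", "diffie-hellman-group14-sha256",
                       "kex-strict-s-v00@openssh.com"],
    "server_host_key_algorithms": ["rsa-sha2-512", "rsa-sha2-256", "ssh-ed25519"],
    "encryption_algorithms_client_to_server": ["chacha20-poly1305@openssh.com", "aes256-ctr"],
    "encryption_algorithms_server_to_client": ["chacha20-poly1305@openssh.com", "aes256-ctr"],
    "mac_algorithms_client_to_server": ["hmac-sha2-256-etm@openssh.com"],
    "mac_algorithms_server_to_client": ["hmac-sha2-256-etm@openssh.com"],
    "compression_algorithms_client_to_server": ["none", "zlib@openssh.com"],
    "compression_algorithms_server_to_client": ["none", "zlib@openssh.com"],
    "languages_client_to_server": [],
    "languages_server_to_client": [],
}


def build_kexinit(lists, cookie=b"\x00" * 16):
    """Encode a KEXINIT payload; used here only to build the offline sample."""
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in KEXINIT_FIELDS:
        raw = ",".join(lists.get(field, [])).encode("ascii")
        out += struct.pack(">I", len(raw)) + raw
    return out + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved


def frame_packet(payload):
    """Wrap a payload in an unencrypted binary packet (RFC 4253 s6):
    at least 4 bytes of padding, total length a multiple of 8."""
    padding_len = 8 - ((5 + len(payload)) % 8)
    if padding_len < 4:
        padding_len += 8
    header = struct.pack(">IB", 1 + len(payload) + padding_len, padding_len)
    return header + payload + b"\x00" * padding_len


def read_packet_payload(stream):
    """Read one binary packet from a file-like object and return its payload."""
    header = stream.read(5)
    if len(header) < 5:
        raise ConnectionError("peer closed before a packet arrived")
    packet_len, padding_len = struct.unpack(">IB", header)
    body = stream.read(packet_len - 1)
    if len(body) < packet_len - 1:
        raise ConnectionError("truncated packet")
    return body[: packet_len - 1 - padding_len]


def parse_kexinit(payload):
    """Decode a KEXINIT payload into {field: [algorithm, ...]}."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos = 1 + 16  # message id, then the 16-byte random cookie
    lists = {}
    for field in KEXINIT_FIELDS:
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        raw = payload[pos:pos + length].decode("ascii")
        pos += length
        lists[field] = raw.split(",") if raw else []
    return lists


def parse_framed(packet):
    """Binary packet bytes -> KEXINIT dict (used for the offline sample)."""
    return parse_kexinit(read_packet_payload(io.BytesIO(packet)))


def fetch_kexinit(host, port=22, timeout=5.0):
    """Connect, send our identification string, skip any pre-banner lines the
    server may print (RFC 4253 s4.2) and return its KEXINIT lists. We send
    nothing else, so the server only sees a client that left before key exchange."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-kexinit-probe\r\n")  # probe's own client string
        stream = sock.makefile("rb")
        while True:
            line = stream.readline()
            if not line:
                raise ConnectionError("no identification string received")
            if line.startswith(b"SSH-"):
                break
        return parse_kexinit(read_packet_payload(stream))


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else None
    lists = fetch_kexinit(host) if host else parse_framed(frame_packet(build_kexinit(SAMPLE_SERVER_LISTS)))
    for field, names in lists.items():
        print(f"{field}: ({len(names)})")
        for name in names:
            print(f"    {name}")
```

Run it with no arguments to decode the embedded sample, or with a hostname to print the live proposal in the same shape as the nmap output. Because the probe never completes key exchange, it leaves only a disconnected-before-auth entry in the server log, which is the same footprint nmap's script has.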
Method 3: Checking the SSH Server’s Configuration
If you have administrative access to the SSH server, you can check its configuration directly.
1. Using the sshd Daemon
Similar to the ssh client, the server daemon sshd can be run in extended test mode (-T) to print the configuration it would actually run with: the compiled-in defaults, everything set in sshd_config and any file it Includes, with +, - and ^ prefixes already resolved. It must be run as root because sshd reads the host keys while testing. If your sshd_config uses Match blocks, add -C with the connection parameters to match against, for example sudo sshd -T -C user=alice,addr=192.0.2.10.
sudo sshd -T
This command outputs the entire server configuration. You can use grep to filter for the specific algorithm settings.
# Check enabled Ciphers
sudo sshd -T | grep ciphers
# Check enabled MACs
sudo sshd -T | grep macs
# Check enabled Key Exchange algorithms
sudo sshd -T | grep kexalgorithms
# Check enabled Host Key algorithms
sudo sshd -T | grep hostkeyalgorithms
2. Inspecting the Configuration File
The main configuration file for the OpenSSH server is /etc/ssh/sshd_config, but since OpenSSH 8.2 it can pull in further files with Include, and many distributions ship a default Include /etc/ssh/sshd_config.d/*.conf so that drop-in files (and, on Red Hat-derived systems, the system-wide crypto policy file included from there) take precedence over it. Search all of these files; only if an algorithm category (e.g., Ciphers) appears in none of them is the server using its compiled-in defaults.
grep -rE '^(Ciphers|MACs|KexAlgorithms|HostKeyAlgorithms)' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/ 2>/dev/null
If this command returns any lines, the defaults have been overridden (a value starting with +, - or ^ appends to, removes from or prepends to the default list rather than replacing it). Overriding is common practice on hardened systems to disable weaker algorithms. For example:
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
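The three methods give you lists, but the question an audit actually asks is which algorithm a given client and server will end up using, and whether anything weak is left on either side. The negotiation rule is simple (RFC 4253 section 7.1: for each category, the first entry on the client's list that the server also lists wins, regardless of the server's order), so it is easy to reproduce. The script below is an added example, not code from this article or from OpenSSH: it parses the keyword lines printed by ssh -G and sshd -T (and the one-per-line output of ssh -Q), predicts the negotiated algorithm per category, and flags entries that match an example weak-algorithm policy of its own (CBC and 3DES ciphers, SHA-1 and 1024-bit DH key exchange, DSA and SHA-1-signed RSA host keys, MD5, SHA-1 and truncated MACs). The two sample outputs embedded in it are constructed to look like ssh -G and sshd -T output and were not captured from a real host; the script and file names in the usage comment are hypothetical.

```python
"""Audit the algorithm lists from ssh -G / ssh -Q / sshd -T and predict what a
session will negotiate.

Added example, not from the article or OpenSSH. WEAK_RULES is this example's own
policy; adjust it to the baseline you audit against. The sample outputs below are
constructed to look like `ssh -G` and `sshd -T` output, not captured from a host.
"""
import re
import subprocess
import sys

# sshd -T and ssh -G print lowercase keywords; map them to short category names.
CATEGORIES = {"kexalgorithms": "kex", "hostkeyalgorithms": "hostkey",
              "ciphers": "cipher", "macs": "mac"}

# Example policy: (regex, reason). The first matching rule for a name wins.
WEAK_RULES = {
    "kex": [(r"^diffie-hellman-group1-", "1024-bit DH group"),
            (r"-sha1$", "SHA-1 key exchange")],
    "hostkey": [(r"^ssh-dss", "DSA host key"),
                (r"^ssh-rsa(-cert-v01@openssh\.com)?$", "RSA with SHA-1 signatures")],
    "cipher": [(r"^3des-", "3DES"), (r"-cbc$", "CBC mode"), (r"^arcfour", "RC4")],
    "mac": [(r"md5", "MD5"), (r"sha1", "SHA-1"), (r"-96", "truncated tag")],
}

# Constructed sample in the shape of `ssh -G host` (client preference order).
CLIENT_SSH_G = """\
kexalgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
hostkeyalgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
"""

# Constructed sample in the shape of `sudo sshd -T` for a server that still
# allows a SHA-1 DH group, ssh-rsa host key signatures and SHA-1 MACs.
SERVER_SSHD_T = """\
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
hostkeyalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
"""


def parse_keyword_output(text):
    """Parse `keyword value` lines (ssh -G, sshd -T) into {category: [algorithms]}."""
    lists = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() in CATEGORIES:
            lists[CATEGORIES[parts[0].lower()]] = parts[1].split(",")
    return lists


def parse_ssh_q(text):
    """Parse `ssh -Q <category>` output: one algorithm per line. This is the
    compiled-in support list, not the preference order ssh -G shows."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def weak_algorithms(category, names):
    """Return [(name, reason)] for every name hit by a rule for this category."""
    flagged = []
    for name in names:
        for pattern, reason in WEAK_RULES.get(category, []):
            if re.search(pattern, name):
                flagged.append((name, reason))
                break
    return flagged


def negotiate(client_prefs, server_prefs):
    """RFC 4253 s7.1: the first algorithm on the client's list that the server
    also lists is chosen; the server's order is irrelevant. None means no
    overlap, which is what 'no matching cipher found' errors report."""
    server = set(server_prefs)
    return next((name for name in client_prefs if name in server), None)


def audit(client_text, server_text):
    """Per category: predicted choice plus weak entries on each side."""
    client = parse_keyword_output(client_text)
    server = parse_keyword_output(server_text)
    return {
        cat: {
            "negotiated": negotiate(client.get(cat, []), server.get(cat, [])),
            "weak_client": weak_algorithms(cat, client.get(cat, [])),
            "weak_server": weak_algorithms(cat, server.get(cat, [])),
        }
        for cat in CATEGORIES.values()
    }


if __name__ == "__main__":
    # Hypothetical usage: ssh_algo_audit.py [host [saved_sshd_T_output]]
    # With a host, the client side is taken from `ssh -G host`; the server side
    # from a saved `sudo sshd -T` output if given, otherwise from the sample.
    client_text, server_text = CLIENT_SSH_G, SERVER_SSHD_T
    if len(sys.argv) > 1:
        client_text = subprocess.run(["ssh", "-G", sys.argv[1]], capture_output=True,
                                     text=True, check=True).stdout
    if len(sys.argv) > 2:
        with open(sys.argv[2]) as f:
            server_text = f.read()
    for cat, info in audit(client_text, server_text).items():
        print(f"{cat}: negotiated={info['negotiated']}")
        for side in ("weak_client", "weak_server"):
            for name, reason in info[side]:
                print(f"    {side}: {name} ({reason})")
```

Two things this makes visible that the raw lists do not: a weak algorithm on the server is only reachable if a client prefers or is configured to offer it (the sample negotiates curve25519-sha256 and an ETM MAC despite diffie-hellman-group14-sha1 and hmac-sha1 being enabled), and conversely removing every overlap in a category turns into a refused connection rather than a downgrade, so check the negotiated column before tightening a list on a server you still need to reach.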
By mastering these commands, you gain full visibility into the cryptographic foundation of your SSH connections, empowering you to maintain a secure and compliant environment.