On Sat, Jan 24, 2026 at 08:14:46AM -0700, Zack Newman wrote:
> You can simply define the ciphers used to be a non-empty combination of
> [email protected], [email protected], and
> [email protected].

If you're going to configure the server to use AE ciphers exclusively,
you can also remove all separate MACs from the server configuration:

    MACs -*

... which might help to avoid:

* any future random fiddling with the config file from re-enabling
  something you weren't intending to use.
* unwanted noise from network analysis tools looking at the list of
  MACs that the server offers.

Sshd will happily run with no MACs configured when using AE ciphers.

If you mistakenly enable a non-AE cipher with no MACs configured, and a
client tries to use that cipher, then the negotiation will fail.
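
An added example, not part of the original message or of OpenSSH: a shell check that reads an `sshd -T` style dump of the effective configuration and reports whether the server is AE-only with no MACs, or has a non-AE cipher enabled with nothing to authenticate it. It assumes the dump carries lowercase `ciphers` and `macs` lines with comma-separated values; the function names, return codes and sample dumps are constructed for illustration.

```shell
#!/bin/sh
# AEAD cipher names shipped by OpenSSH; any other cipher needs a separate MAC.
AE_CIPHERS="chacha20-poly1305@openssh.com aes128-gcm@openssh.com aes256-gcm@openssh.com"

# Print the value of keyword $1 from an `sshd -T` style dump passed in $2.
conf_value() {
    printf '%s\n' "$2" | awk -v k="$1" 'tolower($1) == k { print $2; exit }'
}

# Print every configured cipher that is not an AE cipher, one per line.
non_ae_ciphers() {
    for c in $(conf_value ciphers "$1" | tr ',' ' '); do
        case " $AE_CIPHERS " in
            *" $c "*) ;;
            *) printf '%s\n' "$c" ;;
        esac
    done
}

# Return codes (a convention of this example):
#   0  AE ciphers only, no MACs offered
#   1  AE ciphers only, but MACs are still listed
#   2  non-AE cipher enabled with no MACs: negotiation fails for that cipher
#   3  non-AE cipher enabled and MACs offered: server is not AE-exclusive
#   4  no ciphers line in the dump
audit_ae_only() {
    [ -n "$(conf_value ciphers "$1")" ] || return 4
    bad=$(non_ae_ciphers "$1")
    macs=$(conf_value macs "$1")
    if [ -z "$bad" ]; then
        if [ -z "$macs" ]; then return 0; else return 1; fi
    fi
    printf 'non-AE cipher enabled: %s\n' $bad >&2
    if [ -z "$macs" ]; then return 2; else return 3; fi
}

# Constructed sample dumps (not captured from a real server).
SAMPLE_AE_ONLY='ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
macs '
SAMPLE_MIXED_NO_MACS='port 22
ciphers chacha20-poly1305@openssh.com,aes256-ctr'
SAMPLE_AE_WITH_MACS='ciphers aes128-gcm@openssh.com
macs hmac-sha2-256-etm@openssh.com'

# Live use, as root on the server: audit_ae_only "$(sshd -T)"; echo "exit=$?"
```

Running it after every change to the sshd configuration catches the case described above, where a non-AE cipher is re-enabled while `MACs -*` is still in place.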

