Discover Every Encryption, MAC, and Key‑Exchange Algorithm Supported by OpenSSH
This guide explains how to use the ssh -Q command to list all OpenSSH-supported ciphers, cipher‑auth methods, key‑exchange algorithms, public‑key types, certificate keys, MACs, protocol versions, and signature algorithms, providing concrete command output and common examples for each category.
1. cipher
Lists the symmetric encryption algorithms that OpenSSH can use to encrypt SSH session data.
ssh -Q cipher
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
aes128-ctr
aes192-ctr
aes256-ctr
[email protected]
[email protected]
[email protected]aes128-ctr
aes192-ctr
aes256-ctr
2. cipher-auth
Shows ciphers that provide both confidentiality and authentication.
ssh -Q cipher-auth
[email protected]
[email protected]
[email protected]3. kex
Lists the key‑exchange algorithms used during SSH connection establishment.
ssh -Q kex
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
[email protected]curve25519-sha256
ecdh-sha2-nistp256
diffie-hellman-group14-sha256
4. kex-gss
Lists GSSAPI‑based key‑exchange algorithms (none are shown in the example output).
ssh -Q kex-gss5. key
Shows the public‑key algorithms that OpenSSH supports for key generation and verification.
ssh -Q key
ssh-ed25519
[email protected]
[email protected]
[email protected]
ssh-rsa
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]ssh-ed25519
ecdsa-sha2-nistp256
rsa-sha2-256
6. key-cert
Lists certificate‑type public‑key algorithms used for certificate‑based authentication.
ssh -Q key-cert
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]7. key-plain
Shows non‑certificate public‑key types.
ssh -Q key-plain
ssh-ed25519
[email protected]
ssh-rsa
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
[email protected]8. mac
Lists the message‑authentication‑code algorithms that ensure data integrity and authenticity.
ssh -Q mac
hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
hmac-md5
hmac-md5-96
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]hmac-sha2-256
hmac-sha2-512
9. protocol-version
Shows the SSH protocol versions supported by the client. ssh -Q protocol-version 2 (SSH‑2)
10. sig
Lists the signature algorithms used for creating and verifying digital signatures.
ssh -Q sig
ssh-ed25519
[email protected]
ssh-rsa
rsa-sha2-256
rsa-sha2-512
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
[email protected]
[email protected]rsa-sha2-256
rsa-sha2-512
ecdsa-sha2-nistp256
ssh-ed25519
Conclusion
By running ssh -Q with the various sub‑options, users can enumerate every encryption, authentication, key‑exchange, and signature algorithm that their OpenSSH installation supports, allowing them to audit and adjust the security configuration as needed.
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Ops Development & AI Practice
DevSecOps engineer sharing experiences and insights on AI, Web3, and Claude code development. Aims to help solve technical challenges, improve development efficiency, and grow through community interaction. Feel free to comment and discuss.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.