Setting a Cipher in .ssh/config (Client-Side)

To specify a cipher for an SSH connection in the client configuration file(~/.ssh/config), use the Ciphers directive.

Example: Setting a Preferred Cipher for a Specific Host:
Host remote-server
    Ciphers aes256-gcm@openssh.com,aes256-ctr

• This sets AES-256-GCM and aes256-ctr as preferred encryption algorithms for all servers with a wildcard.

To enforce a specific ciphers for all SSH connections, use:
Host *
    Ciphers aes256-gcm@openssh.com,aes256-ctr

To check which cipher is being used for an SSH connection, run:

ssh -vv user@remote-server | grep "cipher"

debug1: kex: algorithm: curve25519-sha256
debug1: cipher: aes256-gcm@openssh.com

• This shows the negotiated cipher and key exchange algorithm.
• Both the client and the server advertise their supported ciphers and cipher-mode combinations, such as aes256-gcm@openssh.com or aes256-ctr.
• The final algorithm chosen is the first algorithm that appears in the client’s preferred list and is also supported by the server.
• The client controls the order, or priority, of its cipher list.
• The server controls what is allowed by its permitted algorithm set.
• If the server has stronger restrictions, such as Ciphers aes256-ctr, it will reject any cipher outside that set, regardless of the client’s preference.