[crispyambulance]

OK, I am not embarrassed to ask...

If I see some "weak" or "insecure" tags, what can I do about it? I have no idea how to disable MAC, key-exchange, and encryption algorithms used by the server I control. I had thought that just using SSH was "enough"

More importantly, if I do disable the insecure stuff, what will it break ?

[bimmer44]

This article is very detailed and includes examples of setting sshd to only use more secure options: https://stribika.github.io/2015/01/04/secure-secure-shell.ht...

There was also a lot of HN discussion about it: https://news.ycombinator.com/item?id=8843994

[problems]

> If I see some "weak" or "insecure" tags, what can I do about it? I have no idea how to disable MAC, key-exchange, and encryption algorithms used by the server I control. I had thought that just using SSH was "enough"

For the most part it is, many of the things they're labeling as "weak" is not stuff that's likely to get you exploited today, but stuff that might at some point in the future - attacks only get better. Not necessarily things that are completely broken, just weak by today's standards.

> More importantly, if I do disable the insecure stuff, what will it break ?

Older clients mostly. Many phone apps for example don't have recent SSH implementations that support newer cryptography.