Do we need the SSH RC4 cipher enabled?

The Information Security and Risk Management department is complaining that our production server has Support for SSH Weak Algorithms due to the presence of the broken RC4.

What are the consequences if I remove this support? Does Trellis rely on its presence?
Thank you in advance.

Trellis specifically excludes RC4 so I’m not sure where they are seeing it?



Thank you for your reply, I’ve got it in this part of the report:

The remote SSH server is configured to allow weak encryption algorithms.
This plugin detects the encryption algorithms supported by the remote SSH server and reports algorithms known to be weak.
Contact the vendor or consult product documentation to remove the weak ciphers.
Risk Factor
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
Plugin Information:
Publication date: 2016/04/04, Modification date: 2016/04/04
The following weak server-to-client encryption algorithms are supported :
The following weak client-to-server encryption algorithms are supported :

I’ve deployed with a Trellis version downloaded on 13/01/2016

If it’s indeed enabled … how can I disable it, @swalkinshaw? The website was deployed without SSL enabled. May this be the issue?

Oh it’s talking about SSH and not HTTPS.

You can customize the sshd config here:

There’s a Protocol setting which can be set to 2. Although the docs say that 2 is the default.

If you figure this out then it would be nice to submit a PR to Trellis itself.


What is your opinion about this post: do you think it’s outdated? I’ll try to dive into the Trellis sshd config, but I’m not a security expert, so your insights will be very helpful to me. Thank you once again.


Looks good :thumbsup: would result in a much more secure SSH server.
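
To see whether RC4 is really offered before and after changing the sshd config, here is an added example (not part of the original thread and not Trellis code) that reads a `Ciphers` setting and lists any RC4 entries; OpenSSH names these `arcfour`, `arcfour128` and `arcfour256`. The function names and both sample configs are constructed for illustration; on a real host, feed it the output of `sshd -T`, which prints the resolved cipher list.

```python
import re

# OpenSSH's names for the RC4 ciphers the scan report calls weak.
RC4_CIPHERS = {"arcfour", "arcfour128", "arcfour256"}

# Constructed samples: `sshd -T` style output and an sshd_config fragment.
SAMPLE_WEAK = "port 22\nciphers aes128-ctr,aes256-ctr,arcfour256,arcfour128,arcfour\n"
SAMPLE_OK = "Protocol 2\nCiphers chacha20-poly1305@openssh.com,aes256-ctr\n"


def parse_ciphers(config_text):
    """Return (modifier, [names]) for the first Ciphers line, or None.

    Keywords are case-insensitive and sshd keeps the first value it
    obtains for a keyword, so later Ciphers lines are ignored.
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"(?i)ciphers(?:\s*=\s*|\s+)(\S+)$", line)
        if not m:
            continue
        value = m.group(1)
        # '+', '-' and '^' make the list relative to the built-in default.
        modifier = value[0] if value[0] in "+-^" else ""
        names = [n for n in value[len(modifier):].split(",") if n]
        return modifier, names
    return None


def audit(config_text):
    """Classify the Ciphers setting and list the RC4 ciphers it enables."""
    parsed = parse_ciphers(config_text)
    if parsed is None:
        # No explicit list: the installed OpenSSH's default set applies.
        return {"status": "default", "rc4": []}
    modifier, names = parsed
    if modifier == "-":
        # A '-' list removes ciphers, so RC4 named here is being disabled.
        return {"status": "relative", "rc4": []}
    rc4 = [n for n in names if n in RC4_CIPHERS]
    status = "relative" if modifier else "explicit"
    return {"status": status, "rc4": rc4}


if __name__ == "__main__":
    for label, text in (("weak", SAMPLE_WEAK), ("ok", SAMPLE_OK)):
        print(label, audit(text))
```

A `default` or `relative` result means the file alone does not settle the question, because the effective list depends on the installed OpenSSH version; `sshd -T` output always gives an `explicit` list.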