diff --git a/core/config.js b/core/config.js
index 3d7c6d70..02b34911 100644
--- a/core/config.js
+++ b/core/config.js
@@ -242,6 +242,57 @@ function getDefaultConfig() {
privateKeyPem : paths.join(__dirname, './../config/ssh_private_key.pem'),
firstMenu : 'sshConnected',
firstMenuNewUser : 'sshConnectedNewUser',
+
+ //
+ // SSH details that can affect security. Stronger ciphers are better for example,
+ // but terminals such as SyncTERM require KEX diffie-hellman-group14-sha1,
+ // cipher 3des-cbc, etc.
+ //
+ // See https://github.com/mscdex/ssh2-streams for the full list of supported
+ // algorithms.
+ //
+ algorithms : {
+ kex : [
+ 'ecdh-sha2-nistp256',
+ 'ecdh-sha2-nistp384',
+ 'ecdh-sha2-nistp521',
+ 'diffie-hellman-group-exchange-sha256',
+ 'diffie-hellman-group14-sha1',
+ 'diffie-hellman-group-exchange-sha1',
+ 'diffie-hellman-group1-sha1',
+ ],
+ cipher : [
+ 'aes128-ctr',
+ 'aes192-ctr',
+ 'aes256-ctr',
+ 'aes128-gcm',
+ 'aes128-gcm@openssh.com',
+ 'aes256-gcm',
+ 'aes256-gcm@openssh.com',
+ 'aes256-cbc',
+ 'aes192-cbc',
+ 'aes128-cbc',
+ 'blowfish-cbc',
+ '3des-cbc',
+ 'arcfour256',
+ 'arcfour128',
+ 'cast128-cbc',
+ 'arcfour',
+ ],
+ hmac : [
+ 'hmac-sha2-256',
+ 'hmac-sha2-512',
+ 'hmac-sha1',
+ 'hmac-md5',
+ 'hmac-sha2-256-96',
+ 'hmac-sha2-512-96',
+ 'hmac-ripemd160',
+ 'hmac-sha1-96',
+ 'hmac-md5-96',
+ ],
+ // note that we disable compression by default due to issues with many clients. YMMV.
+ compress : [ 'none' ]
+ },
},
webSocket : {
ws : {
diff --git a/core/servers/login/ssh.js b/core/servers/login/ssh.js
index 016c215e..f9186cf9 100644
--- a/core/servers/login/ssh.js
+++ b/core/servers/login/ssh.js
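Review bot: The new default `algorithms` lists enable several entries that the accompanying comment does not justify — `diffie-hellman-group1-sha1`, `arcfour256`/`arcfour128`/`arcfour`, `hmac-md5` and `hmac-md5-96` — while the comment only names `diffie-hellman-group14-sha1` and `3des-cbc` as what terminals such as SyncTERM require. In SSH negotiation the selected algorithm is the first entry on the client's list that the server also accepts, so the server-side order here expresses no preference and every listed entry is reachable by any client; the weakest enabled entry is the effective floor for every session. I would trim the defaults to the legacy entries the named terminals actually need and add, directly above `kex`, the comment `// Negotiation takes the client's first match, so order here is not a preference: every entry is reachable by any client.` followed by `// Keep legacy entries to the minimum the supported terminals require.` so that later customisation of this block stays reviewable. getDefaultConfig starts and ends outside the hunk.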
@@ -251,12 +251,13 @@ exports.getModule = class SSHServerModule extends LoginServerModule { ident : 'enigma-bbs-' + enigVersion + '-srv', // Note that sending 'banner' breaks at least EtherTerm! + debug : (sshDebugLine) => { if(true === config.loginServers.ssh.traceConnections) { Log.trace(`SSH: ${sshDebugLine}`); } }, - algorithms: { compress: ['none'] }, + algorithms : config.loginServers.ssh.algorithms, }; this.server = ssh2.Server(serverConf);