Description
The compression option is no longer a security risk, as compression now only occurs after the user has been authenticated.
It used to be a security risk because compression could happen before the user was authenticated; this feature has been completely removed.
So, the only and recommended value of compression should be yes, as per default.
Source: openssh, release 7.4
sshd(8): Remove support for pre-authentication compression.
Doing compression early in the protocol probably seemed reasonable
in the 1990s, but today it's clearly a bad idea in terms of both
cryptography (cf. multiple compression oracle attacks in TLS) and
attack surface. Pre-auth compression support has been disabled by
default for >10 years. Support remains in the client.
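
An added example, not part of the original description or of OpenSSH: a POSIX shell check that reads the effective Compression value from sshd_config text and classifies it against the server version, flagging `yes` only on releases before 7.4, where it allowed compression before authentication. The function names, verdict strings and sample config are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: version-aware audit of the sshd Compression setting.
# The config text and version strings used here are constructed samples.

# Print the effective Compression value from sshd_config text on stdin.
# sshd keeps the first value it reads for a keyword, and keywords are
# case-insensitive. Prints nothing when the keyword is absent.
effective_compression() {
    awk 'tolower($1) == "compression" { print tolower($2); exit }'
}

# Classify a Compression value for a server version such as "7.3p1" or
# "OpenSSH_7.4p1". Prints one of: ok | preauth-risk | unknown
compression_verdict() {
    value=$2
    mm=$(printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9]\{1,\}\)\.\([0-9]\{1,\}\).*/\1 \2/p')
    if [ -z "$mm" ]; then echo unknown; return 0; fi
    major=${mm% *}
    minor=${mm#* }
    if [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -ge 4 ]; }; then
        # 7.4 and later: sshd no longer supports pre-auth compression,
        # so every accepted value compresses only after authentication.
        case $value in
            yes|delayed|no|'') echo ok ;;
            *) echo unknown ;;
        esac
    else
        # Before 7.4: "yes" permitted compression before authentication,
        # "delayed" deferred it until after. An absent keyword is treated
        # as ok on the assumption that the server is recent enough to
        # have pre-auth compression off by default.
        case $value in
            yes) echo preauth-risk ;;
            delayed|no|'') echo ok ;;
            *) echo unknown ;;
        esac
    fi
}

# Demo on a constructed sshd_config fragment.
sample_cfg='#Compression delayed
Port 22
Compression yes'
v=$(printf '%s\n' "$sample_cfg" | effective_compression)
echo "7.3p1 with Compression $v: $(compression_verdict 7.3p1 "$v")"
echo "7.4p1 with Compression $v: $(compression_verdict 7.4p1 "$v")"
```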