How can I list the host key algorithms available in an SSH client?

So ssh has this option, HostKeyAlgorithms. Example usage:

    ssh -o "HostKeyAlgorithms ssh-rsa" user@hostname

I am trying to connect a client using the server key ecdsa, but I could not find the correct string.

What command can I use to get a list of the available HostKeyAlgorithms?

Answer 1

    ssh -Q key

That works unless you have an ancient version of OpenSSH; otherwise, go source-diving, or run ssh -v -v -v ... and check that it shows what you need.

Answer 2

From the ssh_config manual page:

HostKeyAlgorithms
             Specifies the protocol version 2 host key algorithms that the client wants to use in order of preference.  The default for this option is:

                [email protected],
                [email protected],
                [email protected],
                [email protected],[email protected],
                [email protected],[email protected],
                ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
                ssh-rsa,ssh-dss

             If hostkeys are known for the destination host then this default is modified to prefer their algorithms.

Answer 3

Nobody seems to have read the documentation for the ssh -Q flag correctly.

man ssh explains:

-Q query_option
             Queries ssh for the algorithms supported for the specified version 2.  The available features are:
             cipher (supported symmetric ciphers), cipher-auth (supported symmetric ciphers that support
             authenticated encryption), help (supported query terms for use with the -Q flag), mac (supported
             message integrity codes), kex (key exchange algorithms), kex-gss (GSSAPI key exchange algorithms),
             key (key types), key-cert (certificate key types), key-plain (non-certificate key types), key-sig
             (all key types and signature algorithms), protocol-version (supported SSH protocol versions), and
             sig (supported signature algorithms).  Alternatively, any keyword from ssh_config(5) or
             sshd_config(5) that takes an algorithm list may be used as an alias for the corresponding
             query_option.

Here is how to dump everything ssh -Q can tell you about the installed SSH version:

    # iterate over every query term that this ssh build advertises
    for F in $(ssh -Q help); do
      printf '=== %s ===\n' "$F"
      ssh -Q "$F"
      echo ""
    done

My results are as follows:

=== cipher ===
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
[email protected]
aes128-ctr
aes192-ctr
aes256-ctr
[email protected]
[email protected]
[email protected]

=== cipher-auth ===
[email protected]
[email protected]
[email protected]

=== mac ===
hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
hmac-md5
hmac-md5-96
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

=== kex ===
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
[email protected]
[email protected]

=== kex-gss ===
gss-gex-sha1-
gss-group1-sha1-
gss-group14-sha1-
gss-group14-sha256-
gss-group16-sha512-
gss-nistp256-sha256-
gss-curve25519-sha256-

=== key ===
ssh-ed25519
[email protected]
[email protected]
[email protected]
ssh-rsa
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

=== key-cert ===
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

=== key-plain ===
ssh-ed25519
[email protected]
ssh-rsa
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
[email protected]

=== key-sig ===
ssh-ed25519
[email protected]
[email protected]
[email protected]
ssh-rsa
rsa-sha2-256
rsa-sha2-512
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

=== protocol-version ===
2

=== sig ===
ssh-ed25519
[email protected]
ssh-rsa
rsa-sha2-256
rsa-sha2-512
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
[email protected]

To debug the settings that ssh actually uses when it tries to connect to a host with these options, the -G flag is helpful. It lists all configuration options, including the chosen values for the cipher, mac, hostKeyAlgorithm and KexAlgorithm parameters.

    ssh -G [email protected]

Here is typical output:

user ubuntu
hostname 35.171.333.444
port 22
addkeystoagent false
addressfamily any
batchmode no
canonicalizefallbacklocal yes
canonicalizehostname false
challengeresponseauthentication yes
checkhostip yes
compression yes
controlmaster false
enablesshkeysign no
clearallforwardings no
exitonforwardfailure no
fingerprinthash SHA256
forwardx11 yes
forwardx11trusted yes
gatewayports no
gssapiauthentication yes
gssapikeyexchange no
gssapidelegatecredentials no
gssapitrustdns no
gssapirenewalforcesrekey no
gssapikexalgorithms gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1-
hashknownhosts yes
hostbasedauthentication no
identitiesonly no
kbdinteractiveauthentication yes
nohostauthenticationforlocalhost no
passwordauthentication yes
permitlocalcommand no
proxyusefdpass no
pubkeyauthentication yes
requesttty auto
streamlocalbindunlink no
stricthostkeychecking ask
tcpkeepalive yes
tunnel false
verifyhostkeydns false
visualhostkey no
updatehostkeys false
canonicalizemaxdots 1
connectionattempts 1
forwardx11timeout 1200
numberofpasswordprompts 3
serveralivecountmax 3
serveraliveinterval 0
ciphers [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
hostkeyalgorithms [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-512,rsa-sha2-256,ssh-rsa
hostbasedkeytypes [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-512,rsa-sha2-256,ssh-rsa
ignoreunknown Password
kexalgorithms curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
casignaturealgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-512,rsa-sha2-256
loglevel INFO
macs [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
securitykeyprovider internal
pubkeyacceptedkeytypes [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-512,rsa-sha2-256,ssh-rsa
xauthlocation /usr/bin/xauth
identityfile ~/.ssh/rsa-2020-11-03
canonicaldomains
globalknownhostsfile /etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2
userknownhostsfile ~/.ssh/known_hosts ~/.ssh/known_hosts2
sendenv LANG
sendenv LC_*
forwardagent yes
connecttimeout none
tunneldevice any:any
controlpersist no
escapechar ~
ipqos lowdelay throughput
rekeylimit 0 0
streamlocalbindmask 0177
syslogfacility USER
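An added example, not from any of the answers above: a POSIX shell function that reads the "option value" lines printed by ssh -G on stdin and flags legacy algorithms in the host key, kex, cipher and MAC preference lists. The sample configuration excerpt and the legacy-algorithm policy list are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the answers above): audit the effective client
# configuration printed by `ssh -G user@host` and flag legacy algorithms.
# SAMPLE is a constructed excerpt in the same "option value" format.
SAMPLE='hostkeyalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,3des-cbc
macs hmac-sha2-256-etm@openssh.com,hmac-sha1,hmac-md5'

# Assumed policy for this example: SHA-1/MD5-based, DSA, and CBC algorithms.
LEGACY='ssh-rsa ssh-dss diffie-hellman-group1-sha1 diffie-hellman-group14-sha1
diffie-hellman-group-exchange-sha1 3des-cbc aes128-cbc aes192-cbc aes256-cbc
hmac-sha1 hmac-sha1-96 hmac-md5 hmac-md5-96'

# audit_ssh_config: reads `ssh -G` output on stdin, prints "option algorithm"
# for each legacy entry in the four algorithm lists, and returns 1 if any
# were found (0 otherwise), so it can gate a script.
audit_ssh_config() {
    found=0
    while read -r option value; do
        case "$option" in
            hostkeyalgorithms|kexalgorithms|ciphers|macs) ;;
            *) continue ;;
        esac
        # The value is a comma-separated preference list; check each entry.
        for alg in $(printf '%s' "$value" | tr ',' ' '); do
            for bad in $LEGACY; do
                if [ "$alg" = "$bad" ]; then
                    printf '%s %s\n' "$option" "$alg"
                    found=1
                fi
            done
        done
    done
    return "$found"
}

# Demo on the constructed sample; against a real host use:
#   ssh -G user@host | audit_ssh_config
printf '%s\n' "$SAMPLE" | audit_ssh_config || echo "legacy algorithms present"
```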

Answer 4

Since this question is the first hit when searching for "list ssh "key exchange Algorithm"", I'll provide that answer too.

List the client's SSH key exchange algorithms: ssh -Q kex

List the server's SSH key exchange algorithms: sudo sshd -T | grep kex
