如何找到我的 openssh 用戶端支援的 MAC、密碼和 KexAlgorithms 清單？

Question 1

相關 OpenSSH 手冊頁：https://man.openbsd.org/ssh#Q

Ciphers:ssh -Q cipher
MACs:ssh -Q mac
KexAlgorithms:ssh -Q kex
PubkeyAcceptedKeyTypes:ssh -Q key

Answer

相關 OpenSSH 手冊頁：https://man.openbsd.org/ssh#Q

Ciphers:ssh -Q cipher
MACs:ssh -Q mac
KexAlgorithms:ssh -Q kex
PubkeyAcceptedKeyTypes:ssh -Q key

Question 2

您還可以使用最新的 nmap 版本遠端探測 ssh 伺服器以取得其支援的密碼：

nmap --script ssh2-enum-algos -sV -p <port> <host>

還有一個線上服務叫做sshcheck.com以及（以及我剛剛發現的大量類似的掃描器項目）。

Answer

您還可以使用最新的 nmap 版本遠端探測 ssh 伺服器以取得其支援的密碼：

nmap --script ssh2-enum-algos -sV -p <port> <host>

還有一個線上服務叫做sshcheck.com以及（以及我剛剛發現的大量類似的掃描器項目）。

Question 3

一些舊版本的 OpenSSH 不支援該-Q選項，但這適用於任何版本ssh，並且具有顯示兩者的優點客戶和伺服器選項，無需任何第三方工具，例如nmap：

ssh -vv username@servername

掃描輸出以查看支援哪些密碼、KEX 演算法和 MAC...

由您的客戶：“本地客戶 KEXINIT 提案”
透過伺服器：“對等伺服器 KEXINIT 提案”

...
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected],zlib
debug2: compression stoc: none,[email protected],zlib
...
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected]
debug2: compression stoc: none,[email protected]
...

Answer

一些舊版本的 OpenSSH 不支援該-Q選項，但這適用於任何版本ssh，並且具有顯示兩者的優點客戶和伺服器選項，無需任何第三方工具，例如nmap：

ssh -vv username@servername

掃描輸出以查看支援哪些密碼、KEX 演算法和 MAC...

由您的客戶：“本地客戶 KEXINIT 提案”
透過伺服器：“對等伺服器 KEXINIT 提案”

...
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected],zlib
debug2: compression stoc: none,[email protected],zlib
...
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected]
debug2: compression stoc: none,[email protected]
...

Question 4

# sudo sshd -T | egrep 'ciphers|macs|kexalgo'

Answer

# sudo sshd -T | egrep 'ciphers|macs|kexalgo'

如何找到我的 openssh 用戶端支援的 MAC、密碼和 KexAlgorithms 清單？

答案1

答案2

答案3

答案4

相關內容