So ssh has the option HostKeyAlgorithms. Example usage:
ssh -o "HostKeyAlgorithms ssh-rsa" user@hostname
I am trying to get the client to connect using the server's ecdsa key, but I can't find the correct string.
What command can I use to get a list of the available HostKeyAlgorithms?
thr*_*rig 24
ssh -Q key
Unless you have an old version of OpenSSH, in which case uhhhh source code diving, or run ssh -v -v -v ... and see if what you want turns up in there.
VaT*_*aTo 17
HostKeyAlgorithms
Specifies the protocol version 2 host key algorithms that the client wants to use in order of preference. The default for this option is:
ecdsa-sha2-nistp256-cert-v01@openssh.com,
ecdsa-sha2-nistp384-cert-v01@openssh.com,
ecdsa-sha2-nistp521-cert-v01@openssh.com,
ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,
ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
ssh-rsa,ssh-dss
If hostkeys are known for the destination host then this default is modified to prefer their algorithms.
It seems nobody has properly read the ssh documentation for the -Q flag.
man ssh says:
-Q query_option
    Queries ssh for the algorithms supported for the specified version 2. The available features are: cipher (supported symmetric ciphers), cipher-auth (supported symmetric ciphers that support authenticated encryption), help (supported query terms for use with the -Q flag), mac (supported message integrity codes), kex (key exchange algorithms), kex-gss (GSSAPI key exchange algorithms), key (key types), key-cert (certificate key types), key-plain (non-certificate key types), key-sig (all key types and signature algorithms), protocol-version (supported SSH protocol versions), and sig (supported signature algorithms). Alternatively, any keyword from ssh_config(5) or sshd_config(5) that takes an algorithm list may be used as an alias for the corresponding query_option.

Here is how to use ssh -Q to dump all the available information about the installed version of ssh:

# Run every query term that "ssh -Q help" lists and print a header before each result
for F in $(ssh -Q help); do
  printf '=== %s ===\n' "$F"
  ssh -Q "$F"
  echo ""
done

My output is:

=== cipher ===
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com

=== cipher-auth ===
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com

=== mac ===
hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
hmac-md5
hmac-md5-96
umac-64@openssh.com
umac-128@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha1-96-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
hmac-md5-etm@openssh.com
hmac-md5-96-etm@openssh.com
umac-64-etm@openssh.com
umac-128-etm@openssh.com

=== kex ===
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
curve25519-sha256@libssh.org
sntrup4591761x25519-sha512@tinyssh.org

=== kex-gss ===
gss-gex-sha1-
gss-group1-sha1-
gss-group14-sha1-
gss-group14-sha256-
gss-group16-sha512-
gss-nistp256-sha256-
gss-curve25519-sha256-

=== key ===
ssh-ed25519
ssh-ed25519-cert-v01@openssh.com
sk-ssh-ed25519@openssh.com
sk-ssh-ed25519-cert-v01@openssh.com
ssh-rsa
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
sk-ecdsa-sha2-nistp256@openssh.com
ssh-rsa-cert-v01@openssh.com
ssh-dss-cert-v01@openssh.com
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com

=== key-cert ===
ssh-ed25519-cert-v01@openssh.com
sk-ssh-ed25519-cert-v01@openssh.com
ssh-rsa-cert-v01@openssh.com
ssh-dss-cert-v01@openssh.com
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com

=== key-plain ===
ssh-ed25519
sk-ssh-ed25519@openssh.com
ssh-rsa
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
sk-ecdsa-sha2-nistp256@openssh.com

=== key-sig ===
ssh-ed25519
ssh-ed25519-cert-v01@openssh.com
sk-ssh-ed25519@openssh.com
sk-ssh-ed25519-cert-v01@openssh.com
ssh-rsa
rsa-sha2-256
rsa-sha2-512
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
sk-ecdsa-sha2-nistp256@openssh.com
ssh-rsa-cert-v01@openssh.com
rsa-sha2-256-cert-v01@openssh.com
rsa-sha2-512-cert-v01@openssh.com
ssh-dss-cert-v01@openssh.com
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com

=== protocol-version ===
2

=== sig ===
ssh-ed25519
sk-ssh-ed25519@openssh.com
ssh-rsa
rsa-sha2-256
rsa-sha2-512
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
sk-ecdsa-sha2-nistp256@openssh.com

When debugging, it can be helpful to query the actual configuration that ssh uses when attempting to connect to a host, using the -G option. This will list all configuration options, including the chosen values for the cipher, mac, hostKeyAlgorithm and KexAlgorithm parameters.
ssh -G user@somehost.example.com

Here is typical output:

user ubuntu
hostname 35.171.333.444
port 22
addkeystoagent false
addressfamily any
batchmode no
canonicalizefallbacklocal yes
canonicalizehostname false
challengeresponseauthentication yes
checkhostip yes
compression yes
controlmaster false
enablesshkeysign no
clearallforwardings no
exitonforwardfailure no
fingerprinthash SHA256
forwardx11 yes
forwardx11trusted yes
gatewayports no
gssapiauthentication yes
gssapikeyexchange no
gssapidelegatecredentials no
gssapitrustdns no
gssapirenewalforcesrekey no
gssapikexalgorithms gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1-
hashknownhosts yes
hostbasedauthentication no
identitiesonly no
kbdinteractiveauthentication yes
nohostauthenticationforlocalhost no
passwordauthentication yes
permitlocalcommand no
proxyusefdpass no
pubkeyauthentication yes
requesttty auto
streamlocalbindunlink no
stricthostkeychecking ask
tcpkeepalive yes
tunnel false
verifyhostkeydns false
visualhostkey no
updatehostkeys false
canonicalizemaxdots 1
connectionattempts 1
forwardx11timeout 1200
numberofpasswordprompts 3
serveralivecountmax 3
serveraliveinterval 0
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
hostkeyalgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
hostbasedkeytypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
ignoreunknown Password
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
casignaturealgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256
loglevel INFO
macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
securitykeyprovider internal
pubkeyacceptedkeytypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
xauthlocation /usr/bin/xauth
identityfile ~/.ssh/rsa-2020-11-03
canonicaldomains
globalknownhostsfile /etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2
userknownhostsfile ~/.ssh/known_hosts ~/.ssh/known_hosts2
sendenv LANG
sendenv LC_*
forwardagent yes
connecttimeout none
tunneldevice any:any
controlpersist no
escapechar ~
ipqos lowdelay throughput
rekeylimit 0 0
streamlocalbindmask 0177
syslogfacility USER
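
Added example, not part of any of the answers above: a small POSIX shell filter over `ssh -G` output that pulls the ECDSA names out of the effective HostKeyAlgorithms list (the string the question asks for) and reports legacy names still enabled. The sample input is constructed, and the function names and the choice of which names count as legacy (DSA, and ssh-rsa, which signs with SHA-1) are this example's assumptions.

```sh
#!/bin/sh
# Constructed sample of `ssh -G` output, trimmed to a few keys.
sample_ssh_G() {
cat <<'EOF'
user ubuntu
hostname host.example.com
port 22
ciphers chacha20-poly1305@openssh.com,aes128-ctr
hostkeyalgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp256,ssh-ed25519,rsa-sha2-512,ssh-rsa,ssh-dss
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha256
EOF
}

# Read `ssh -G` output on stdin and print the algorithms of one option,
# one per line. ssh -G prints option names in lower case.
get_algos() {
    key=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    awk -v k="$key" '$1 == k { n = split($2, a, ","); for (i = 1; i <= n; i++) print a[i] }'
}

# Pass through only the names this example treats as legacy: DSA, and RSA
# with SHA-1 signatures (ssh-rsa). rsa-sha2-256/512 are not flagged.
legacy_algos() {
    while IFS= read -r algo; do
        case "$algo" in
            ssh-dss|ssh-dss-cert-*|ssh-rsa|ssh-rsa-cert-*) printf '%s\n' "$algo" ;;
        esac
    done
}

# ECDSA host key algorithms in effect, comma-joined for -o HostKeyAlgorithms=...
hostkey_ecdsa() { get_algos HostKeyAlgorithms | grep '^ecdsa-sha2-' | paste -sd, -; }

# Legacy host key algorithms still in effect, comma-joined.
hostkey_legacy() { get_algos HostKeyAlgorithms | legacy_algos | paste -sd, -; }

# Real use: ssh -G user@hostname | hostkey_legacy
#           ssh -o "HostKeyAlgorithms=$(ssh -G user@hostname | hostkey_ecdsa)" user@hostname
echo "ecdsa:  $(sample_ssh_G | hostkey_ecdsa)"
echo "legacy: $(sample_ssh_G | hostkey_legacy)"
```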