Bagaimana saya bisa menemukan daftar MAC, Ciphers, dan KexAlgorithms yang didukung oleh klien openssh saya?

49

Apakah ada cara untuk membuat sshkeluaran apa yang didukung oleh MAC, Ciphers, dan KexAlgorithms?

Saya ingin mencari tahu secara dinamis daripada harus melihat sumbernya.

Colin Dean
sumber
7
Anda juga dapat menyelidiki server ssh dari jarak jauh untuk sandi yang didukung dengan versi nmap terbaru:nmap --script ssh2-enum-algos -sV -p <port> <host>
eckes

Jawaban:

56

Halaman manual OpenSSH yang relevan: https://man.openbsd.org/ssh#Q

nlu
sumber
Aku tahu rasanya gila karena tidak bisa menemukannya.
Colin Dean
8
Tampaknya tersedia dari versi> = 6.x(atau tentu saja tidak tersedia di 5.9).
pevik
8
Pada versi OpenSSH lama, cara yang sangat jelek adalah:strings /usr/sbin/sshd |grep mac
Gert van den Berg
4
Secara khusus, -Qdiperkenalkan di versi 6.3 .
jjlin
19

Anda juga dapat menyelidiki server ssh dari jarak jauh untuk sandi yang didukung dengan versi nmap terbaru:

nmap --script ssh2-enum-algos -sV -p <port> <host>

Dan ada layanan online yang disebut sshcheck.comjuga (dan cukup banyak proyek pemindai serupa yang baru saja saya ketahui).

eckes
sumber
1

Hanya tip singkat bahwa jika Anda ingin membandingkan 2 server Anda dapat menggunakan metode @eckes seperti ini:

$ sdiff -bW <(nmap --script ssh2-enum-algos -sV -p 22 192.168.1.107) <(nmap --script ssh2-enum-algos -sV -p 22 192.168.1.10)

Starting Nmap 6.47 ( http://nmap.org ) at 2018-01-22 22:35 ES   Starting Nmap 6.47 ( http://nmap.org ) at 2018-01-22 22:35 ES
Nmap scan report for skinner.bubba.net (192.168.1.107)        | Nmap scan report for mulder.bubba.net (192.168.1.10)
Host is up (0.0037s latency).                                 | Host is up (0.0031s latency).
PORT   STATE SERVICE VERSION                                    PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.3 (protocol 2.0)               | 22/tcp open  ssh     OpenSSH 5.3 (protocol 2.0)
| ssh2-enum-algos:                                              | ssh2-enum-algos:
|   kex_algorithms: (3)                                       | |   kex_algorithms: (4)
                                                              > |       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group-exchange-sha1                      |       diffie-hellman-group-exchange-sha1
|       diffie-hellman-group14-sha1                             |       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1                              |       diffie-hellman-group1-sha1
|   server_host_key_algorithms: (2)                             |   server_host_key_algorithms: (2)
|       ssh-rsa                                                 |       ssh-rsa
|       ssh-dss                                                 |       ssh-dss
|   encryption_algorithms: (13)                                 |   encryption_algorithms: (13)
|       aes128-ctr                                              |       aes128-ctr
|       aes192-ctr                                              |       aes192-ctr
|       aes256-ctr                                              |       aes256-ctr
|       arcfour256                                              |       arcfour256
|       arcfour128                                              |       arcfour128
|       aes128-cbc                                              |       aes128-cbc
|       3des-cbc                                                |       3des-cbc
|       blowfish-cbc                                            |       blowfish-cbc
|       cast128-cbc                                             |       cast128-cbc
|       aes192-cbc                                              |       aes192-cbc
|       aes256-cbc                                              |       aes256-cbc
|       arcfour                                                 |       arcfour
|       [email protected]                             |       [email protected]
|   mac_algorithms: (6)                                       | |   mac_algorithms: (9)
|       hmac-md5                                                |       hmac-md5
|       hmac-sha1                                               |       hmac-sha1
                                                              > |       [email protected]
                                                              > |       hmac-sha2-256
                                                              > |       hmac-sha2-512
|       hmac-ripemd160                                          |       hmac-ripemd160
|       [email protected]                              |       [email protected]
|       hmac-sha1-96                                            |       hmac-sha1-96
|       hmac-md5-96                                             |       hmac-md5-96
|   compression_algorithms: (2)                                 |   compression_algorithms: (2)
|       none                                                    |       none
|_      [email protected]                                        |_      [email protected]

Service detection performed. Please report any incorrect resu   Service detection performed. Please report any incorrect resu
Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds   | Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds

Dalam contoh di atas, saya menunjukkan server Side-by-side diff dari CentOS 5.x dan 6.x.

$ ssh [email protected] cat /etc/redhat-release
CentOS release 5.11 (Final)
$ ssh [email protected] cat /etc/redhat-release
CentOS release 6.8 (Final)

Output menunjukkan kepada Anda bahwa Anda memiliki 4 baris tambahan di server CentOS 6.x vs 5.x.

Membaca hasilnya

Ada 1 kex_algorithm tambahan:

  • diffie-hellman-group-exchange-sha256

3 mac_algorithms tambahan:

slm
sumber
0

Beberapa versi lama dari OpenSSH tidak mendukung opsi -Q, jadi ini berfungsi untuk ssh apa pun dan memiliki manfaat memperlihatkan opsi klien dan server , tidak perlu alat bantu pihak ke-3 seperti nmap:

ssh -vvv username@servername

Pindai output untuk "proposal KEXINIT klien lokal" dan Anda akan melihat cipher dan algo dan MAC KEX apa yang didukung oleh klien.

"proposal KEXINIT peer server" akan menunjukkan kepada Anda apa yang didukung server.

...
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected],zlib
debug2: compression stoc: none,[email protected],zlib
...
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected]
debug2: compression stoc: none,[email protected]
...
arainchi
sumber