How do I verify if Debian supports given HostKeyAlgorithms before restarting the ssh service?

aexl asked:

I have a shell script which adds the below to sshd_config and then restarts ssh.

cat << EOF >> /etc/ssh/sshd_config
KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256
Ciphers [email protected],[email protected],[email protected]
MACs [email protected],[email protected],[email protected]
HostKeyAlgorithms ssh-ed25519,rsa-sha2-256,rsa-sha2-512,[email protected]
EOF

It worked fine until I ran it on a Debian 8 box where the given HostKeyAlgorithms aren’t supported, so ssh wouldn’t start. Removing the HostKeyAlgorithms line using the emergency console fixed the issue and ssh started.

Is there a clever way for that script to check if these HostKeyAlgorithms (and maybe KexAlgorithms, Ciphers and MACs) are supported by SSH before restarting it and risking getting locked out?

My answer:

You can just use the query option, as shown in the man page:

     -Q query_option
             Queries ssh for the algorithms supported for the specified
             version 2.  The available features are: cipher (supported
             symmetric ciphers), cipher-auth (supported symmetric ciphers that
             support authenticated encryption), help (supported query terms
             for use with the -Q flag), mac (supported message integrity
             codes), kex (key exchange algorithms), kex-gss (GSSAPI key
             exchange algorithms), key (key types), key-cert (certificate key
             types), key-plain (non-certificate key types), key-sig (all key
             types and signature algorithms), protocol-version (supported SSH
             protocol versions), and sig (supported signature algorithms).
             Alternatively, any keyword from ssh_config(5) or sshd_config(5)
             that takes an algorithm list may be used as an alias for the
             corresponding query_option.

For example:

[email protected]:~$ ssh -Q key
[email protected]

Check your man page, as you have a much older version of OpenSSH on that old distro and will not have all of the above options available.

View the full question and any other answers on Server Fault.
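The answer above points at `ssh -Q`; what the asker's script actually needs is the check wired in before the restart. The script below is an added example (not code from the question or the answer) that does two things: it looks up every algorithm in a config fragment with `ssh -Q`, using only the `cipher`, `mac`, `kex` and `key` query terms so it also works on older OpenSSH builds that lack the newer terms from the man page, and it then has sshd itself parse a copy of the merged config with `sshd -t` (test mode, nothing is started). sshd rejects unknown algorithm names at parse time, so `sshd -t` on its own would already have caught the Debian 8 failure; the `ssh -Q` pass just tells you which name is the problem. Assumptions: `sshd` lives at `/usr/sbin/sshd` as on Debian (override with `SSHD`), `sshd -t` is run as root because it needs to read the host keys, and the `SSH_QUERY` variable is a hook of this example so the lookup can be exercised against a fixed list; it is not an OpenSSH feature. The algorithm lists in the demo are constructed samples in the same shape as the question's.

```shell
#!/bin/sh
# Added example, not code from the original question or answer: pre-flight
# a block of sshd_config algorithm lines against the OpenSSH installed on
# this host with `ssh -Q`, then let sshd parse the merged config with
# `sshd -t`, all before anything is restarted.
# Assumptions: `ssh -Q cipher|mac|kex|key` exists, sshd is at $SSHD
# (default /usr/sbin/sshd as on Debian) and sshd_config_ok runs as root.

SSH_QUERY=${SSH_QUERY:-"ssh -Q"}   # hook of this example, for testing only
SSHD=${SSHD:-/usr/sbin/sshd}

# check_sshd_lines < fragment
# Reads "Keyword alg,alg,..." lines from stdin and looks every algorithm up
# with `ssh -Q`. Prints one "Keyword: alg unsupported" line per miss.
# Returns 0 when all are supported, 1 on any miss, 2 when this ssh does
# not understand the query term at all (too old to be checked this way).
check_sshd_lines() {
    status=0
    while read -r keyword list; do
        case $keyword in
            KexAlgorithms)     term=kex ;;
            Ciphers)           term=cipher ;;
            MACs)              term=mac ;;
            HostKeyAlgorithms) term=key ;;
            *)                 continue ;;  # blank, comment or other keyword
        esac
        if ! supported=$($SSH_QUERY "$term" 2>/dev/null); then
            echo "$keyword: cannot run 'ssh -Q $term' on this host" >&2
            status=2
            continue
        fi
        # ssh -Q prints one name per line; match whole lines so that e.g.
        # aes128-ctr is not accepted just because aes128-gcm@... is listed.
        for algo in $(printf '%s\n' "$list" | tr ',' ' '); do
            if ! printf '%s\n' "$supported" | grep -qxF -- "$algo"; then
                echo "$keyword: $algo unsupported"
                [ "$status" -eq 2 ] || status=1
            fi
        done
    done
    return "$status"
}

# sshd_config_ok FRAGMENT_FILE
# Appends the fragment to a copy of the live sshd_config and has sshd parse
# it in test mode (-t). The live file is untouched and no daemon starts.
# sshd rejects unknown algorithm names while parsing, so this catches the
# lock-out from the question even without the ssh -Q pass above.
sshd_config_ok() {
    tmp=$(mktemp) || return 2
    cat /etc/ssh/sshd_config "$1" > "$tmp" || { rm -f "$tmp"; return 2; }
    "$SSHD" -t -f "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Demo on a constructed fragment in the shape of the question's. Runs only
# when ssh is on PATH, so the functions can be sourced or tested elsewhere.
# In the real script: write the fragment to a file, run check_sshd_lines on
# it, then sshd_config_ok on it, and only then append and restart.
if command -v ssh >/dev/null 2>&1; then
    if check_sshd_lines <<'EOF'
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
HostKeyAlgorithms ssh-ed25519,rsa-sha2-256,rsa-sha2-512
EOF
    then echo "ssh -Q: all listed algorithms are supported here"
    else echo "ssh -Q: fix the lines above before touching sshd_config"
    fi
fi
```

Run `check_sshd_lines` first because its output names the offending algorithm, which `sshd -t` does not always do as clearly; keep `sshd_config_ok` as the final gate, since it exercises the exact parser that will run at restart and also catches typos in keywords that `ssh -Q` never sees.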

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.