I have a shell script which adds the below to
sshd_config and then restarts ssh.
cat << EOF >> /etc/ssh/sshd_config
KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256
Ciphers [email protected],[email protected],[email protected]
MACs [email protected],[email protected],[email protected]
HostKeyAlgorithms ssh-ed25519,rsa-sha2-256,rsa-sha2-512,[email protected]
EOF
It worked fine until I ran it on a Debian 8 box where the given
HostKeyAlgorithms aren’t supported, so ssh wouldn’t start. Removing the
HostKeyAlgorithms line using the emergency console fixed the issue and ssh started.
Is there a clever way for that script to check if these
HostKeyAlgorithms (and maybe
MACs) are supported by SSH before restarting it and risking getting locked out?
You can just use the query option, as shown in the man page:
-Q query_option
    Queries ssh for the algorithms supported for the specified version 2. The available features are: cipher (supported symmetric ciphers), cipher-auth (supported symmetric ciphers that support authenticated encryption), help (supported query terms for use with the -Q flag), mac (supported message integrity codes), kex (key exchange algorithms), kex-gss (GSSAPI key exchange algorithms), key (key types), key-cert (certificate key types), key-plain (non-certificate key types), key-sig (all key types and signature algorithms), protocol-version (supported SSH protocol versions), and sig (supported signature algorithms). Alternatively, any keyword from ssh_config(5) or sshd_config(5) that takes an algorithm list may be used as an alias for the corresponding query_option.
[email protected]:~$ ssh -Q key
ssh-ed25519
[email protected]
...
Check your man page, as you have a much older version of OpenSSH on that old distro and will not have all of the above options available.
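As an added example (not part of the answer above), here is how the original script could use `ssh -Q` to refuse any keyword whose list contains an algorithm the local OpenSSH does not know, and run `sshd -t` before restarting. It assumes an OpenSSH whose `ssh` has `-Q` and that `sshd` is on PATH; the pure check takes the supported list as an argument so it can be exercised with constructed data.

```shell
#!/bin/sh
# missing_algos CONFIGURED_CSV SUPPORTED_LIST
#   CONFIGURED_CSV: the value as written in sshd_config (comma-separated)
#   SUPPORTED_LIST: newline-separated names, e.g. the output of `ssh -Q key`
# Prints every configured name absent from SUPPORTED_LIST; returns 1 if any.
missing_algos() {
    configured=$1
    supported=$2
    rc=0
    for algo in $(printf '%s\n' "$configured" | tr ',' ' '); do
        if ! printf '%s\n' "$supported" | grep -qxF -- "$algo"; then
            printf '%s\n' "$algo"
            rc=1
        fi
    done
    return $rc
}

# Map an sshd_config keyword to the matching -Q query term.
# (Newer releases accept the keyword itself; the terms below also work on old ones.)
query_supported() {
    case $1 in
        KexAlgorithms)     ssh -Q kex ;;
        Ciphers)           ssh -Q cipher ;;
        MACs)              ssh -Q mac ;;
        HostKeyAlgorithms) ssh -Q key ;;
        *) echo "unknown keyword: $1" >&2; return 2 ;;
    esac
}

# check_and_apply KEYWORD VALUE: append the line only if every name is supported.
check_and_apply() {
    keyword=$1; value=$2
    supported=$(query_supported "$keyword") || return 2
    if bad=$(missing_algos "$value" "$supported"); then
        printf '%s %s\n' "$keyword" "$value" >> /etc/ssh/sshd_config
    else
        printf 'Refusing to set %s: unsupported -> %s\n' "$keyword" "$bad" >&2
        return 1
    fi
}

# safe_restart: let sshd parse the file first; restart only if it accepts it.
safe_restart() {
    if sshd -t; then
        service ssh restart
    else
        echo 'sshd -t rejected the config; not restarting' >&2
        return 1
    fi
}
```

`ssh -Q` reports what the client binary supports, which matches `sshd` when both come from the same OpenSSH package; `sshd -t` is the authoritative check because it parses the exact file the daemon will load.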
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.