aexl asked:
I have a shell script which adds the below to sshd_config
and then restarts ssh.
cat << EOF >> /etc/ssh/sshd_config
KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256
Ciphers [email protected],[email protected],[email protected]
MACs [email protected],[email protected],[email protected]
HostKeyAlgorithms ssh-ed25519,rsa-sha2-256,rsa-sha2-512,[email protected]
EOF
It worked fine until I ran it on a Debian 8 box where the given HostKeyAlgorithms
aren’t supported, so ssh wouldn’t start. Removing the HostKeyAlgorithms
line using emergency console fixed the issue and ssh started.
Is there a clever way for that script to check if these HostKeyAlgorithms (and maybe KexAlgorithms, Ciphers and MACs) are supported by SSH before restarting it and risking getting locked out?
My answer:
You can just use the query option, as shown in the man page:
-Q query_option
Queries ssh for the algorithms supported for the specified version 2. The available features are: cipher (supported symmetric ciphers), cipher-auth (supported symmetric ciphers that support authenticated encryption), help (supported query terms for use with the -Q flag), mac (supported message integrity codes), kex (key exchange algorithms), kex-gss (GSSAPI key exchange algorithms), key (key types), key-cert (certificate key types), key-plain (non-certificate key types), key-sig (all key types and signature algorithms), protocol-version (supported SSH protocol versions), and sig (supported signature algorithms). Alternatively, any keyword from ssh_config(5) or sshd_config(5) that takes an algorithm list may be used as an alias for the corresponding query_option.
For example:
[email protected]:~$ ssh -Q key
ssh-ed25519
[email protected]
...
Check your man page, as you have a much older version of OpenSSH on that old distro and will not have all of the above options available.
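As an added example (not part of the original answer), here is a small POSIX sh helper that turns the ssh -Q check into something the script from the question can call before it appends to sshd_config: it maps each sshd_config keyword to its -Q query term and reports every algorithm the local OpenSSH build does not list. The keyword-to-query mapping uses only the query terms quoted from the man page above; ssh -Q itself exists from OpenSSH 6.3 onward, so on anything older the helper refuses rather than guessing.

```shell
#!/bin/sh
# Added example: refuse to restart sshd when a configured algorithm is not
# reported by `ssh -Q` on this host. Pure POSIX sh; only needs ssh in PATH.

# missing_algos SUPPORTED CSV
#   SUPPORTED: newline-separated list, as printed by `ssh -Q <query>`
#   CSV:       comma-separated algorithm list taken from a config line
# Prints every entry of CSV that is absent from SUPPORTED, one per line.
missing_algos() {
    supported=$1
    csv=$2
    printf '%s\n' "$csv" | tr ',' '\n' | while IFS= read -r algo; do
        [ -n "$algo" ] || continue
        # -x -F: whole-line, literal match, so "aes128-ctr" is not matched
        # by a longer name that merely starts with it
        if ! printf '%s\n' "$supported" | grep -qxF -- "$algo"; then
            printf '%s\n' "$algo"
        fi
    done
}

# check_keyword KEYWORD CSV
#   KEYWORD is one of the sshd_config keywords used in the question.
#   Returns 0 when every algorithm is supported, 1 otherwise (including
#   when this OpenSSH is too old to answer `ssh -Q` at all).
check_keyword() {
    keyword=$1
    csv=$2
    case "$keyword" in
        KexAlgorithms)     query=kex ;;
        Ciphers)           query=cipher ;;
        MACs)              query=mac ;;
        HostKeyAlgorithms) query=key ;;
        *) echo "check_keyword: unknown keyword $keyword" >&2; return 1 ;;
    esac
    supported=$(ssh -Q "$query" 2>/dev/null) || {
        echo "ssh -Q $query failed (OpenSSH older than 6.3?), not restarting" >&2
        return 1
    }
    missing=$(missing_algos "$supported" "$csv")
    if [ -n "$missing" ]; then
        echo "$keyword: unsupported here: $(printf '%s' "$missing" | tr '\n' ' ')" >&2
        return 1
    fi
    return 0
}

# Intended use from the script in the question (values are those from the post):
#   check_keyword HostKeyAlgorithms "ssh-ed25519,rsa-sha2-256,rsa-sha2-512" || exit 1
#   ... append the heredoc ...
#   sshd -t || exit 1        # let sshd parse the final file before restarting
```

Running sshd -t after the append is a second, independent safety net: it catches typos and unsupported keywords that ssh -Q cannot see, and a non-zero exit means the restart should be skipped.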
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.