openssh 클라이언트가 지원하는 MAC, 암호 및 KexAlgorithms 목록을 어떻게 찾을 수 있습니까?

ssh지원하는 MAC, 암호 및 KexAlgorithms를 출력 하는 방법이 있습니까?

소스를 보지 않고 동적으로 찾고 싶습니다.

관련 OpenSSH 매뉴얼 페이지 : https://man.openbsd.org/ssh#Q

• Ciphers: ssh -Q cipher
• MACs: ssh -Q mac
• KexAlgorithms: ssh -Q kex
• PubkeyAcceptedKeyTypes: ssh -Q key

최신 nmap 버전을 사용하여 지원되는 암호에 대해 ssh 서버를 원격으로 프로브 할 수도 있습니다.

nmap --script ssh2-enum-algos -sV -p <port> <host>

그리고 온라인 서비스 sshcheck.com도 있습니다 (방금 찾은 꽤 많은 유사한 스캐너 프로젝트).

두 개의 서버를 비교하려면 @eckes 방법을 다음과 같이 사용할 수 있다는 간단한 팁입니다.

$ sdiff -bW <(nmap --script ssh2-enum-algos -sV -p 22 192.168.1.107) <(nmap --script ssh2-enum-algos -sV -p 22 192.168.1.10)

Starting Nmap 6.47 ( http://nmap.org ) at 2018-01-22 22:35 ES   Starting Nmap 6.47 ( http://nmap.org ) at 2018-01-22 22:35 ES
Nmap scan report for skinner.bubba.net (192.168.1.107)        | Nmap scan report for mulder.bubba.net (192.168.1.10)
Host is up (0.0037s latency).                                 | Host is up (0.0031s latency).
PORT   STATE SERVICE VERSION                                    PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.3 (protocol 2.0)               | 22/tcp open  ssh     OpenSSH 5.3 (protocol 2.0)
| ssh2-enum-algos:                                              | ssh2-enum-algos:
|   kex_algorithms: (3)                                       | |   kex_algorithms: (4)
                                                              > |       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group-exchange-sha1                      |       diffie-hellman-group-exchange-sha1
|       diffie-hellman-group14-sha1                             |       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1                              |       diffie-hellman-group1-sha1
|   server_host_key_algorithms: (2)                             |   server_host_key_algorithms: (2)
|       ssh-rsa                                                 |       ssh-rsa
|       ssh-dss                                                 |       ssh-dss
|   encryption_algorithms: (13)                                 |   encryption_algorithms: (13)
|       aes128-ctr                                              |       aes128-ctr
|       aes192-ctr                                              |       aes192-ctr
|       aes256-ctr                                              |       aes256-ctr
|       arcfour256                                              |       arcfour256
|       arcfour128                                              |       arcfour128
|       aes128-cbc                                              |       aes128-cbc
|       3des-cbc                                                |       3des-cbc
|       blowfish-cbc                                            |       blowfish-cbc
|       cast128-cbc                                             |       cast128-cbc
|       aes192-cbc                                              |       aes192-cbc
|       aes256-cbc                                              |       aes256-cbc
|       arcfour                                                 |       arcfour
|       rijndael-cbc@lysator.liu.se                             |       rijndael-cbc@lysator.liu.se
|   mac_algorithms: (6)                                       | |   mac_algorithms: (9)
|       hmac-md5                                                |       hmac-md5
|       hmac-sha1                                               |       hmac-sha1
                                                              > |       umac-64@openssh.com
                                                              > |       hmac-sha2-256
                                                              > |       hmac-sha2-512
|       hmac-ripemd160                                          |       hmac-ripemd160
|       hmac-ripemd160@openssh.com                              |       hmac-ripemd160@openssh.com
|       hmac-sha1-96                                            |       hmac-sha1-96
|       hmac-md5-96                                             |       hmac-md5-96
|   compression_algorithms: (2)                                 |   compression_algorithms: (2)
|       none                                                    |       none
|_      zlib@openssh.com                                        |_      zlib@openssh.com

Service detection performed. Please report any incorrect resu   Service detection performed. Please report any incorrect resu
Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds   | Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds

위의 CentOS 5.x 및 6.x 서버의 단계별 차이점을 보여줍니다.

$ ssh root@192.168.1.107 cat /etc/redhat-release
CentOS release 5.11 (Final)
$ ssh root@192.168.1.10 cat /etc/redhat-release
CentOS release 6.8 (Final)

결과는 CentOS 6.x 서버 대 5.x에 4 개의 추가 라인이 있음을 보여줍니다.

출력값 읽기

kex_algorithm이 1 개 더 있습니다 :

• diffie-hellman-group-exchange-sha256

3 가지 추가 mac_algorithms :

• umac-64@openssh.com
• hmac-sha2-256
• hmac-sha2-512

일부 이전 버전의 OpenSSH는 -Q 옵션을 지원하지 않으므로 이것은 모든 ssh에서 작동하며 nmap과 같은 타사 도구가 필요없이 클라이언트 및 서버 옵션 을 모두 표시하는 이점이 있습니다.

ssh -vvv username@servername

"로컬 클라이언트 KEXINIT 제안"에 대한 출력을 스캔하면 클라이언트가 어떤 암호 및 KEX 알고리즘 및 MAC을 지원하는지 확인할 수 있습니다.

"피어 서버 KEXINIT 제안"은 서버가 지원하는 것을 보여줍니다.

...
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
...
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
...