How can I list MACs, Ciphers and KexAlgorithms supported by my ssh server?
How can I determine the supported MACs, Ciphers, Key length and KexAlgorithms supported by my ssh servers?
I need to create a list for an external security audit. I'm looking for something similar to openssl s_client -connect example.com:443 -showcerts. From my research the ssh uses the default ciphers as listed in man sshd_config. However I need a solution I can use in a script and man sshd_config does not list information about key length. I need to correct myself here: You can specify ServerKeyBits in sshd_config.
I guess that ssh -vv localhost &> ssh_connection_specs.out returns the information I need but I'm not sure if the listed ciphers are the ciphers supported by the client or by the server. Also I'm not sure how to run this non-interactively in a script.
Is there a convenient way to get SSH connection information?
You miss a few points in your question:
- What is your openssh version? It can differ a bit over the versions.
- ServerKeyBits is an option for protocol version 1, which you have hopefully disabled!
Supported Ciphers, MACs and KexAlgorithms are always available in the manual and this doesn't have anything in common with key lengths.
Enabled Ciphers, MACs and KexAlgorithms are the ones that are offered using a connection as you point out. But they can be obtained also in other ways, for example using sshd -T | grep "\(ciphers\|macs\|kexalgorithms\)"
To get the key length of your server key(s), you can use ssh-keygen: ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
but you will probably also want the moduli sizes that are offered and used during the key exchange; that really depends on the key exchange method, but it should also be readable from the debug output of ssh -vvv host.
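The sshd -T and ssh-keygen -lf steps from the answer above, put together as a script that produces the audit list. This is an added example, not code from the answer or from OpenSSH. The sshd -T and ssh-keygen output embedded in it is constructed (the fingerprints are placeholders), the policy of flagging SHA-1 based algorithms and RSA host keys shorter than 3072 bits is an example assumption to adjust to your own baseline, and all function names are the example's own. When run as a script it queries the local sshd (sshd -T needs root and sshd on PATH) and falls back to the constructed sample if that fails.

```python
import re
import subprocess

# Constructed sample of `sshd -T` output, trimmed to the keywords this script reads.
# Real output has one lowercase keyword per line followed by its effective value.
SAMPLE_SSHD_T = """\
port 22
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
hostkey /etc/ssh/ssh_host_rsa_key
hostkey /etc/ssh/ssh_host_ecdsa_key
hostkey /etc/ssh/ssh_host_ed25519_key
"""

# Constructed sample of `ssh-keygen -lf <key>.pub` output, one line per host key:
# "<bits> <fingerprint> <comment> (<TYPE>)". The fingerprints are placeholders.
SAMPLE_KEYGEN = {
    "/etc/ssh/ssh_host_rsa_key": "2048 SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA root@host (RSA)",
    "/etc/ssh/ssh_host_ecdsa_key": "256 SHA256:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB root@host (ECDSA)",
    "/etc/ssh/ssh_host_ed25519_key": "256 SHA256:CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC root@host (ED25519)",
}

LIST_KEYWORDS = ("ciphers", "macs", "kexalgorithms", "hostkeyalgorithms")

# Example audit policy (an assumption of this script, not a requirement from the page):
# flag SHA-1 based algorithms and RSA host keys shorter than 3072 bits.
SHA1_ALGORITHMS = {"hmac-sha1", "hmac-sha1-etm@openssh.com", "diffie-hellman-group14-sha1",
                   "diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1", "ssh-rsa"}
MIN_RSA_BITS = 3072


def parse_sshd_t(text):
    """Return {keyword: [values]} for the algorithm keywords plus the HostKey paths."""
    config = {"hostkey": []}
    for line in text.splitlines():
        keyword, _, value = line.strip().partition(" ")
        keyword = keyword.lower()
        if keyword in LIST_KEYWORDS:
            config[keyword] = [v for v in value.split(",") if v]
        elif keyword == "hostkey":
            config["hostkey"].append(value)
    return config


KEYGEN_LINE = re.compile(r"^(\d+)\s+(\S+)\s+(.*?)\s*\((\w+)\)\s*$")


def parse_keygen_line(line):
    """Parse one `ssh-keygen -lf` line into bits, fingerprint, comment and key type."""
    match = KEYGEN_LINE.match(line)
    if not match:
        raise ValueError("unrecognised ssh-keygen output: %r" % line)
    bits, fingerprint, comment, key_type = match.groups()
    return {"bits": int(bits), "fingerprint": fingerprint, "comment": comment, "type": key_type}


def audit(config, keygen_lines):
    """Build the audit list and the findings that violate the example policy."""
    host_keys = [parse_keygen_line(keygen_lines[path]) for path in config["hostkey"]]
    findings = []
    for keyword in LIST_KEYWORDS:
        for algo in config.get(keyword, []):
            if algo in SHA1_ALGORITHMS:
                findings.append("%s: %s is SHA-1 based" % (keyword, algo))
    for key in host_keys:
        if key["type"] == "RSA" and key["bits"] < MIN_RSA_BITS:
            findings.append("hostkey: RSA key is only %d bits" % key["bits"])
    return {"algorithms": {k: config.get(k, []) for k in LIST_KEYWORDS},
            "host_keys": host_keys, "findings": findings}


def collect_live():
    """Query the local sshd; `sshd -T` needs root, and sshd (often /usr/sbin) must be on PATH."""
    output = subprocess.run(["sshd", "-T"], capture_output=True, text=True, check=True).stdout
    config = parse_sshd_t(output)
    keygen_lines = {}
    for path in config["hostkey"]:
        result = subprocess.run(["ssh-keygen", "-lf", path + ".pub"],
                                capture_output=True, text=True, check=True)
        keygen_lines[path] = result.stdout.strip()
    return audit(config, keygen_lines)


if __name__ == "__main__":
    import json
    try:
        report = collect_live()
    except (OSError, subprocess.CalledProcessError) as exc:
        print("could not query the local sshd (%s); using the constructed sample" % exc)
        report = audit(parse_sshd_t(SAMPLE_SSHD_T), SAMPLE_KEYGEN)
    print(json.dumps(report, indent=2))
```

Reading sshd -T rather than sshd_config is deliberate: it prints the effective values after defaults and Match blocks are applied, which is what the server actually offers.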
It looks like the answer on https://superuser.com/a/1219759/173408 is also an answer to your question. It fits in one line:
nmap --script ssh2-enum-algos -sV -p 22 1.2.3.4
Here is the output on a plain Debian 9.4 machine with current SSH version:
Starting Nmap 7.01 ( https://nmap.org ) at 2018-05-22 13:40 CEST
Nmap scan report for 1.2.3.4
Host is up (0.00024s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u3 (protocol 2.0)
| ssh2-enum-algos:
|   kex_algorithms: (10)
|       curve25519-sha256
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group16-sha512
|       diffie-hellman-group18-sha512
|       diffie-hellman-group14-sha256
|       diffie-hellman-group14-sha1
|   server_host_key_algorithms: (5)
|       ssh-rsa
|       rsa-sha2-512
|       rsa-sha2-256
|       ecdsa-sha2-nistp256
|       ssh-ed25519
|   encryption_algorithms: (6)
|       chacha20-poly1305@openssh.com
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       aes128-gcm@openssh.com
|       aes256-gcm@openssh.com
|   mac_algorithms: (10)
|       umac-64-etm@openssh.com
|       umac-128-etm@openssh.com
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha2-512-etm@openssh.com
|       hmac-sha1-etm@openssh.com
|       umac-64@openssh.com
|       umac-128@openssh.com
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-sha1
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.52 seconds
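What the nmap script is doing at protocol level, as an added example that is neither nmap's code nor part of the answer: send a client identification string, read the server's, then read the server's unencrypted SSH_MSG_KEXINIT and decode its ten name-lists. This shows the lists the server offers, independent of any client configuration, which is the question's concern about ssh -vv. The constructed sample packet is built from the algorithm lists in the nmap output above (with a shortened MAC list) so the parser can be exercised offline; the function names, the client identification string and the cookie value are the example's own choices.

```python
import socket
import struct
import sys

SSH_MSG_KEXINIT = 20
# The ten name-lists of SSH_MSG_KEXINIT in wire order (RFC 4253, section 7.1).
KEXINIT_FIELDS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
)


def build_kexinit_packet(fields, cookie):
    """Encode name-lists as a KEXINIT inside an unencrypted SSH binary packet (RFC 4253, s.6)."""
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for name in KEXINIT_FIELDS:
        data = ",".join(fields.get(name, [])).encode("ascii")
        payload += struct.pack(">I", len(data)) + data
    payload += b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows=FALSE, reserved=0
    # Before a cipher is negotiated the block size is 8 and padding is at least 4 bytes.
    padding_len = 8 - ((5 + len(payload)) % 8)
    if padding_len < 4:
        padding_len += 8
    header = struct.pack(">IB", 1 + len(payload) + padding_len, padding_len)
    return header + payload + bytes(padding_len)


def packet_payload(packet):
    """Strip packet_length, padding_length and padding from an unencrypted SSH packet."""
    if len(packet) < 5:
        raise ValueError("short packet")
    packet_len, padding_len = struct.unpack_from(">IB", packet, 0)
    if len(packet) < 4 + packet_len or packet_len < padding_len + 1:
        raise ValueError("inconsistent packet lengths")
    return packet[5:4 + packet_len - padding_len]


def parse_kexinit(payload):
    """Decode a KEXINIT payload into {field: [algorithm names]}."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT")
    offset, fields = 1 + 16, {}  # skip the message number and the 16-byte random cookie
    for name in KEXINIT_FIELDS:
        (length,) = struct.unpack_from(">I", payload, offset)
        offset += 4
        raw = payload[offset:offset + length]
        if len(raw) != length:
            raise ValueError("truncated name-list " + name)
        offset += length
        fields[name] = raw.decode("ascii").split(",") if raw else []
    return fields


def enumerate_server(host, port=22, timeout=5.0):
    """Exchange identification strings with a live server and return its KEXINIT lists."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rb")
        sock.sendall(b"SSH-2.0-kexinit_enum\r\n")
        while True:  # servers may send banner lines before "SSH-2.0-..." (RFC 4253, s.4.2)
            line = stream.readline()
            if not line:
                raise ConnectionError("server closed the connection before identifying itself")
            if line.startswith(b"SSH-"):
                break
        header = stream.read(5)
        (packet_len,) = struct.unpack_from(">I", header, 0)
        packet = header + stream.read(packet_len - 1)
    return parse_kexinit(packet_payload(packet))


# Constructed sample: kex, host-key, cipher and compression lists from the nmap output
# above and a shortened MAC list, wrapped the way a server's KEXINIT is on the wire.
SAMPLE_FIELDS = {
    "kex_algorithms": ["curve25519-sha256", "curve25519-sha256@libssh.org", "ecdh-sha2-nistp256",
                       "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256",
                       "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512",
                       "diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1"],
    "server_host_key_algorithms": ["ssh-rsa", "rsa-sha2-512", "rsa-sha2-256", "ecdsa-sha2-nistp256", "ssh-ed25519"],
}
for _direction in ("client_to_server", "server_to_client"):
    SAMPLE_FIELDS["encryption_algorithms_" + _direction] = [
        "chacha20-poly1305@openssh.com", "aes128-ctr", "aes192-ctr", "aes256-ctr",
        "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"]
    SAMPLE_FIELDS["mac_algorithms_" + _direction] = ["umac-64-etm@openssh.com", "hmac-sha2-256", "hmac-sha1"]
    SAMPLE_FIELDS["compression_algorithms_" + _direction] = ["none", "zlib@openssh.com"]
SAMPLE_PACKET = build_kexinit_packet(SAMPLE_FIELDS, cookie=bytes(range(16)))  # arbitrary cookie


def enumerate_sample():
    """Parse the constructed packet the same way enumerate_server parses a live one."""
    return parse_kexinit(packet_payload(SAMPLE_PACKET))


if __name__ == "__main__":  # usage: python3 kexinit_enum.py [host [port]]; no host = sample
    result = enumerate_server(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 22) \
        if len(sys.argv) > 1 else enumerate_sample()
    for field in KEXINIT_FIELDS:
        print("%s: (%d)" % (field, len(result[field])))
        for algo in result[field]:
            print("    " + algo)
```

Nothing in this exchange is authenticated or encrypted, which is why it works without a key exchange: the KEXINIT is sent in the clear before any algorithm is negotiated, so a scan like this (or nmap's) sees exactly what the server advertises, but it cannot tell you the key sizes used in the exchange; for those, the ssh -vvv debug output mentioned in the other answer is still needed.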