How can I find a list of MACs, Ciphers, and KexAlgorithms that my openssh client supports?
Solution 1:
Relevant OpenSSH man page: https://man.openbsd.org/ssh#Q
-
Ciphers
:ssh -Q cipher
-
MACs
:ssh -Q mac
-
KexAlgorithms
:ssh -Q kex
-
PubkeyAcceptedKeyTypes
:ssh -Q key
Solution 2:
You can also remotely probe a ssh server for its supported ciphers with recent nmap versions:
nmap --script ssh2-enum-algos -sV -p <port> <host>
And there is an online service called sshcheck.com
as well (and a pretty large number of similar scanner projects as I just found out).
Solution 3:
Some old versions of OpenSSH do not support the -Q
option, but this works for any ssh
and it has the benefit of showing both client and server options, without the need for any third party tools like nmap
:
ssh -vv username@servername
Scan the output to see what ciphers, KEX algos, and MACs are supported...
- by your client: "local client KEXINIT proposal"
- by the server: "peer server KEXINIT proposal"
...
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected],zlib
debug2: compression stoc: none,[email protected],zlib
...
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected]
debug2: compression stoc: none,[email protected]
...
Solution 4:
Just a quick tip that if you want to compare 2 servers you can use @eckes method like this:
$ sdiff -bW <(nmap --script ssh2-enum-algos -sV -p 22 192.168.1.107) <(nmap --script ssh2-enum-algos -sV -p 22 192.168.1.10)
Starting Nmap 6.47 ( http://nmap.org ) at 2018-01-22 22:35 ES Starting Nmap 6.47 ( http://nmap.org ) at 2018-01-22 22:35 ES
Nmap scan report for skinner.bubba.net (192.168.1.107) | Nmap scan report for mulder.bubba.net (192.168.1.10)
Host is up (0.0037s latency). | Host is up (0.0031s latency).
PORT STATE SERVICE VERSION PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0) | 22/tcp open ssh OpenSSH 5.3 (protocol 2.0)
| ssh2-enum-algos: | ssh2-enum-algos:
| kex_algorithms: (3) | | kex_algorithms: (4)
> | diffie-hellman-group-exchange-sha256
| diffie-hellman-group-exchange-sha1 | diffie-hellman-group-exchange-sha1
| diffie-hellman-group14-sha1 | diffie-hellman-group14-sha1
| diffie-hellman-group1-sha1 | diffie-hellman-group1-sha1
| server_host_key_algorithms: (2) | server_host_key_algorithms: (2)
| ssh-rsa | ssh-rsa
| ssh-dss | ssh-dss
| encryption_algorithms: (13) | encryption_algorithms: (13)
| aes128-ctr | aes128-ctr
| aes192-ctr | aes192-ctr
| aes256-ctr | aes256-ctr
| arcfour256 | arcfour256
| arcfour128 | arcfour128
| aes128-cbc | aes128-cbc
| 3des-cbc | 3des-cbc
| blowfish-cbc | blowfish-cbc
| cast128-cbc | cast128-cbc
| aes192-cbc | aes192-cbc
| aes256-cbc | aes256-cbc
| arcfour | arcfour
| [email protected] | [email protected]
| mac_algorithms: (6) | | mac_algorithms: (9)
| hmac-md5 | hmac-md5
| hmac-sha1 | hmac-sha1
> | [email protected]
> | hmac-sha2-256
> | hmac-sha2-512
| hmac-ripemd160 | hmac-ripemd160
| [email protected] | [email protected]
| hmac-sha1-96 | hmac-sha1-96
| hmac-md5-96 | hmac-md5-96
| compression_algorithms: (2) | compression_algorithms: (2)
| none | none
|_ [email protected] |_ [email protected]
Service detection performed. Please report any incorrect resu Service detection performed. Please report any incorrect resu
Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds | Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds
In the above I'm showing a side-by-side diff of a CentOS 5.x and 6.x server.
$ ssh [email protected] cat /etc/redhat-release
CentOS release 5.11 (Final)
$ ssh [email protected] cat /etc/redhat-release
CentOS release 6.8 (Final)
The output shows you that you have 4 additional lines in the CentOS 6.x server vs. 5.x.
Reading the output
There's 1 additional kex_algorithm:
- diffie-hellman-group-exchange-sha256
3 additional mac_algorithms:
- [email protected]
- hmac-sha2-256
- hmac-sha2-512