Differences

This shows you the differences between two versions of the page.

--- aix:aix_ssh_howto [2024/05/28 15:32]
manu
+++ aix:aix_ssh_howto [2025/10/07 12:19] (current)
manu
@@ Line 1: / Line 1: @@
 ====== Howto use SSH ======
+Secure File Transfer Protocol (sftp) has been added, and the native “scp” has been deprecated – scp is stil supported, but under the covers will use sftp. Same usage as always, but can now be used in interactive mode, for example :
+  sftp -P22 adminuser@system
+Work arround for scp: **scp -O** user@host...
 ===== Client SSH =====
@@ Line 248: / Line 253: @@
 </code>
+FIXME
+To prevent usage for specific Ciphers or KexAlgorithms, you can also exclude some:
+  KexAlgorithms -*sha1,*sha1-*
+  MACs -*sha1,*sha1-*
+Full specs (second example)
+<code>
+Port 22
+ListenAddress 0.0.0.0
+Protocol 2
+RekeyLimit 1G 3600
+Ciphers aes128-ctr,aes192-ctr,aes256-ctr
+LogLevel INFO
+PermitRootLogin without-password
+MaxAuthTries 4
+HostbasedAuthentication no
+IgnoreRhosts yes
+PermitEmptyPasswords no
+UsePAM yes
+AllowTcpForwarding no
+PermitUserEnvironment no
+ClientAliveInterval 3600
+ClientAliveCountMax 3
+PidFile /var/run/sshd.pid
+Banner /etc/ssh/ssh_banner
+Subsystem       sftp    /usr/sbin/sftp-server
+AllowUsers *
+AllowGroups *
+DenyUsers nobody
+DenyGroups ftpusers monitor
+kexalgorithms  -*sha1,*sha1-*
+macs -*sha1,*sha1-*
+</code>
 ===== SSH problems =====
@@ Line 259: / Line 299: @@
 </cli>
+==== Add timeout ====
+If an host doesn't answer, the timeout will stop the connexion
+<cli prompt='#'>
+#  ssh -o ConnectTimeout=10 $i uname
+</cli>
 ==== Boost ssh connection ====
@@ Line 274: / Line 320: @@
 sys    0m0.00s
 </cli>
+==== Bad cipher or MAC ====
+I can specify the cipher and the MAC:
+  ssh <user@ip> -c aes256-cbc -m hmac-sha1
+==== no matching host key type found ====
+Error with sha1 keys
+<cli prompt='>'>
+[root@aixa001]/root/scripts> ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 USERID@10.0.1.11
+Unable to negotiate with 10.0.1.11 port 22: no matching host key type found. Their offer: ssh-rsa
+[root@aixa001]/root/scripts> ssh -o HostKeyAlgorithms=+ssh-rsa USERID@10.0.1.11
+The authenticity of host '10.0.1.11 (10.0.1.11)' can't be established.
+RSA key fingerprint is SHA256:fEia4p8Ylxxxxxxxxxxxxxxx23gMy3Iq0bmtmk/1Q.
+This key is not known by any other names.
+Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+Warning: Permanently added '10.0.1.11' (RSA) to the list of known hosts.
+(USERID@10.0.1.11) Enter login password:
+</cli>
+You can also add some paramters into **/etc/ssh/ssh_config**, or for a specific user **~/.ssh/config**\\
+**Ex** for the error Their offer: ssh-dss
+~/.ssh/config
+<code>
+Host my.host.com *.myinsecure.net 10.0.1.*
+    HostkeyAlgorithms +ssh-dss
+    PubkeyAcceptedKeyTypes +ssh-dss
+    KexAlgorithms diffie-hellman-group1-sha1
+</code>
+Or in command line
+  ssh -v -o HostKeyAlgorithms=ssh-dss -o KexAlgorithms=diffie-hellman-group14-sha1 my.host.com
+==== Disable SSH prompt ====
+Using commad line:
+<cli prompt='>'>
+[root@aix001]/root> ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR aix002
+</cli>
+Using a user config file: for a specific user create a file into home directory's **.ssh/config**, or for all users into /etc/ssh/ssh_config (LogLevel can also be QUIET : no error)
+<code>
+StrictHostKeyChecking no
+UserKnownHostsFile /dev/null
+LogLevel ERROR
+</code>
+==== Error: hostfile_replace_entries ====
+Error:
+<cli prompt='>'>
+[root@aix001]/root> ssh server001
+update_known_hosts: hostfile_replace_entries failed for /root/.ssh/known_hosts: Operation not permitted
+</cli>
+Resolution
+<cli prompt='>'>
+[root@aix001]/root> ssh-keyscan -H server001 >> ~/.ssh/known_hosts
+# server001 SSH-2.0-OpenSSH_8.1
+# server001 SSH-2.0-OpenSSH_8.1
+# server001 SSH-2.0-OpenSSH_8.1
+# server001 SSH-2.0-OpenSSH_8.1
+</cli>
+==== Edit a file on a remote host ====
+Use ssh command with **-t** option
+==== SCP Connection closed ====
+Use the option **-O** tells SCP to use legacy SCP protocol for file transfers
+<cli prompt='#'>
+[root@aix001]/root/scripts# scp  count_path.sh padmin@vios01:/tmp
+scp: Connection closed
+[root@aix001]/root/scripts# scp -O  count_path.sh padmin@vios01:/tmp
+count_path.sh                                        100% 1972     1.9MB/s   00:00
+</cli>
+**Note:** Since OpenSSH 8.8 the scp utility uses the SFTP protocol by default. The -O option must be used to use the legacy SCP protocol.
+==== List ciphers and Macs on client ====
+  * Ciphers: ssh -Q cipher
+  * MACs: ssh -Q mac
+  * KexAlgorithms: ssh -Q kex
+  * PubkeyAcceptedKeyTypes: ssh -Q key
+You can also remotely probe a ssh server for its supported ciphers with recent nmap versions:
+<cli prompt='#'>
+# nmap --script ssh2-enum-algos -sV -p <port> <host>
+</cli>
+<cli prompt='#'>
+[root@vios]/etc/ssh# ssh -Q cipher
+des-cbc
+aes128-cbc
+aes192-cbc
+aes256-cbc
+aes128-ctr
+aes192-ctr
+aes256-ctr
+aes128-gcm@openssh.com
+aes256-gcm@openssh.com
+chacha20-poly1305@openssh.com
+[root@vios]/etc/ssh# ssh -Q mac
+hmac-sha1
+hmac-sha1-96
+hmac-sha2-256
+hmac-sha2-512
+hmac-md5
+hmac-md5-96
+umac-64@openssh.com
+umac-128@openssh.com
+hmac-sha1-etm@openssh.com
+hmac-sha1-96-etm@openssh.com
+hmac-sha2-256-etm@openssh.com
+hmac-sha2-512-etm@openssh.com
+hmac-md5-etm@openssh.com
+hmac-md5-96-etm@openssh.com
+umac-64-etm@openssh.com
+umac-128-etm@openssh.com
+</cli>
+==== Connection slow ====
+Check using **ssh -vvv <hostname>**, if it hangs on
+  debug1: Next authentication method: gssapi-with-mic
+Change the following parameter in the file **/etc/ssh/sshd_config**
+    GSSAPIAuthentication no
+FIXME On some new Linux versions, check also the files located in the folder **/etc/ssh/sshd_config.d/**

wiki

User Tools

Site Tools

Differences

Page Tools