wiki

User Tools

Site Tools

Trace:
aix:aix_ssh_howto

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
aix:aix_ssh_howto [2024/06/03 14:17]
manu [CIS AIX 7.2] 		aix:aix_ssh_howto [2025/01/15 23:25] (current)
manu [List ciphers and Macs on client]
Line 251: Line 251:
  
 To prevent usage for specific Ciphers or KexAlgorithms,​ you can also exclude some: To prevent usage for specific Ciphers or KexAlgorithms,​ you can also exclude some:
-  ​kexalgorithms  ​-*sha1,​*sha1-* +  ​KexAlgorithms ​-*sha1,​*sha1-* 
-  ​macs -*sha1,​*sha1-*+  ​MACs -*sha1,​*sha1-*
   ​   ​
 Full specs (second example) Full specs (second example)
Line 294: Line 294:
 </​cli>​ </​cli>​
  
 +==== Add timeout ====
 +
 +If an host doesn'​t answer, the timeout will stop the connexion
 +<cli prompt='#'>​
 +#  ssh -o ConnectTimeout=10 $i uname
 +</​cli>​
 ==== Boost ssh connection ==== ==== Boost ssh connection ====
  
Line 309: Line 315:
 sys    0m0.00s sys    0m0.00s
 </​cli>​ </​cli>​
 +
 +
 +==== Bad cipher or MAC ====
 +
 +I can specify the cipher and the MAC:
 +  ssh <​user@ip>​ -c aes256-cbc -m hmac-sha1
 +
 +
 +==== no matching host key type found ====
 +
 +Error with sha1 keys
 +<cli prompt='>'>​
 +[root@aixa001]/​root/​scripts>​ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 USERID@10.0.1.11
 +Unable to negotiate with 10.0.1.11 port 22: no matching host key type found. Their offer: ssh-rsa
 +
 +[root@aixa001]/​root/​scripts>​ ssh -o HostKeyAlgorithms=+ssh-rsa USERID@10.0.1.11
 +The authenticity of host '​10.0.1.11 (10.0.1.11)'​ can't be established.
 +RSA key fingerprint is SHA256:​fEia4p8Ylxxxxxxxxxxxxxxx23gMy3Iq0bmtmk/​1Q.
 +This key is not known by any other names.
 +Are you sure you want to continue connecting (yes/​no/​[fingerprint])?​ yes
 +Warning: Permanently added '​10.0.1.11'​ (RSA) to the list of known hosts.
 +(USERID@10.0.1.11) Enter login password:
 +</​cli>​
 +
 +You can also add some paramters into **/​etc/​ssh/​ssh_config**,​ or for a specific user **~/​.ssh/​config**\\
 +**Ex** for the error Their offer: ssh-dss
 +
 +~/​.ssh/​config
 +<​code>​
 +Host my.host.com *.myinsecure.net 10.0.1.*
 +    HostkeyAlgorithms +ssh-dss
 +    PubkeyAcceptedKeyTypes +ssh-dss
 +    KexAlgorithms diffie-hellman-group1-sha1  ​
 +</​code>​
 +
 +Or in command line
 +  ssh -v -o HostKeyAlgorithms=ssh-dss -o KexAlgorithms=diffie-hellman-group14-sha1 my.host.com
 +==== Disable SSH prompt ====
 +
 +
 +Using commad line:
 +
 +<cli prompt='>'>​
 +[root@aix001]/​root>​ ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/​dev/​null -o LogLevel=ERROR aix002
 +</​cli>​
 +
 +Using a user config file: for a specific user create a file into home directory'​s **.ssh/​config**,​ or for all users into /​etc/​ssh/​ssh_config (LogLevel can also be QUIET : no error)
 +<​code>​
 +StrictHostKeyChecking no 
 +UserKnownHostsFile /​dev/​null ​
 +LogLevel ERROR
 +</​code>​
 +
 +==== Error: hostfile_replace_entries ====
 +
 +
 +Error:
 +<cli prompt='>'>​
 +[root@aix001]/​root>​ ssh server001
 +update_known_hosts:​ hostfile_replace_entries failed for /​root/​.ssh/​known_hosts:​ Operation not permitted
 +</​cli>​
 +
 +Resolution
 +<cli prompt='>'>​
 +[root@aix001]/​root>​ ssh-keyscan -H server001 >> ~/​.ssh/​known_hosts
 +# server001 SSH-2.0-OpenSSH_8.1
 +# server001 SSH-2.0-OpenSSH_8.1
 +# server001 SSH-2.0-OpenSSH_8.1
 +# server001 SSH-2.0-OpenSSH_8.1
 +</​cli>​
 +
 +==== Edit a file on a remote host ==== 
 +
 +Use ssh command with **-t** option
 +
 +==== SCP Connection closed ==== 
 +
 +Use the option **-O** tells SCP to use legacy SCP protocol for file transfers
 +<cli prompt='#'>​
 +[root@aix001]/​root/​scripts#​ scp  count_path.sh padmin@vios01:/​tmp
 +scp: Connection closed
 +[root@aix001]/​root/​scripts#​ scp -O  count_path.sh padmin@vios01:/​tmp
 +count_path.sh ​                                       100% 1972     ​1.9MB/​s ​  00:00
 +</​cli>​
 +
 +**Note:** Since OpenSSH 8.8 the scp utility uses the SFTP protocol by default. The -O option must be used to use the legacy SCP protocol.
 +
 +==== List ciphers and Macs on client ==== 
 +
 +
 +  * Ciphers: ssh -Q cipher
 +  * MACs: ssh -Q mac
 +  * KexAlgorithms:​ ssh -Q kex
 +  * PubkeyAcceptedKeyTypes:​ ssh -Q key
 +
 +You can also remotely probe a ssh server for its supported ciphers with recent nmap versions:
 +<cli prompt='#'>​
 +# nmap --script ssh2-enum-algos -sV -p <​port>​ <​host>​
 +</​cli>​
 +
 +<cli prompt='#'>​
 +[root@vios]/​etc/​ssh#​ ssh -Q cipher
 +3des-cbc
 +aes128-cbc
 +aes192-cbc
 +aes256-cbc
 +aes128-ctr
 +aes192-ctr
 +aes256-ctr
 +aes128-gcm@openssh.com
 +aes256-gcm@openssh.com
 +chacha20-poly1305@openssh.com
 +
 +[root@vios]/​etc/​ssh#​ ssh -Q mac
 +hmac-sha1
 +hmac-sha1-96
 +hmac-sha2-256
 +hmac-sha2-512
 +hmac-md5
 +hmac-md5-96
 +umac-64@openssh.com
 +umac-128@openssh.com
 +hmac-sha1-etm@openssh.com
 +hmac-sha1-96-etm@openssh.com
 +hmac-sha2-256-etm@openssh.com
 +hmac-sha2-512-etm@openssh.com
 +hmac-md5-etm@openssh.com
 +hmac-md5-96-etm@openssh.com
 +umac-64-etm@openssh.com
 +umac-128-etm@openssh.com
 +</​cli>​
 +
 +==== Connection slow ====
 +
 +Check using **ssh -vvv <​hostname>​**,​ if it hangs on 
 +  debug1: Next authentication method: gssapi-with-mic
 +
 +Change the following parameter in the file **/​etc/​ssh/​sshd_config**
 +    GSSAPIAuthentication no
 +  ​
 +FIXME On some new Linux versions, check also the files located in the folder **/​etc/​ssh/​sshd_config.d/​**
  
aix/aix_ssh_howto.1717417077.txt.gz · Last modified: 2024/06/03 14:17 by manu

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: GNU Free Documentation License 1.3
GNU Free Documentation License 1.3 Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki