This shows you the differences between two versions of the page.
aix:aix_ssh_howto [2024/08/09 20:58] manu [Disable SSH prompt] |
aix:aix_ssh_howto [2025/01/15 23:25] (current) manu [List ciphers and Macs on client] |
||
---|---|---|---|
Line 294: | Line 294: | ||
</cli> | </cli> | ||
+ | ==== Add timeout ==== | ||
+ | |||
+ | If an host doesn't answer, the timeout will stop the connexion | ||
+ | <cli prompt='#'> | ||
+ | # ssh -o ConnectTimeout=10 $i uname | ||
+ | </cli> | ||
==== Boost ssh connection ==== | ==== Boost ssh connection ==== | ||
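Review bot: the added command line `# ssh -o ConnectTimeout=10 $i uname` uses `$i` without the loop that sets it, so the example cannot be run as shown; either show the enclosing `for i in ...` loop or use a `<hostname>` placeholder as the later sections do, and quote the variable. The sentence above it should also say that ConnectTimeout limits only the connection attempt, so a remote command that hangs after login is not interrupted. "an host" and "connexion" should read "a host" and "connection".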
Line 309: | Line 315: | ||
sys 0m0.00s | sys 0m0.00s | ||
</cli> | </cli> | ||
+ | |||
+ | |||
+ | ==== Bad cipher or MAC ==== | ||
+ | |||
+ | I can specify the cipher and the MAC: | ||
+ | ssh <user@ip> -c aes256-cbc -m hmac-sha1 | ||
+ | |||
==== no matching host key type found ==== | ==== no matching host key type found ==== | ||
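Review bot: in the new "Bad cipher or MAC" section, the line `ssh <user@ip> -c aes256-cbc -m hmac-sha1` forces a CBC cipher and a SHA-1 MAC without saying when that is appropriate; state that this is a workaround for a legacy peer, and advise picking the strongest algorithm both ends share rather than copying these two values. The section should also quote the error message it answers, as the neighbouring "no matching host key type found" heading does, and the command should sit in a `<cli>` block like the other commands on the page.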
Line 355: | Line 368: | ||
</code> | </code> | ||
- | ==== Disable SSH prompt ==== | + | ==== Error: hostfile_replace_entries ==== |
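Review bot: the heading change from `Disable SSH prompt` to `Error: hostfile_replace_entries` replaces the section's anchor, so any link to the old section name stops resolving; check for inbound links, and confirm that the section body (not visible in this hunk) still matches the new title. The `Error:` prefix is also inconsistent with the other troubleshooting headings in this revision, which use the bare message text.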
Line 376: | Line 389: | ||
Use ssh command with **-t** option | Use ssh command with **-t** option | ||
+ | |||
+ | ==== SCP Connection closed ==== | ||
+ | |||
+ | Use the option **-O** tells SCP to use legacy SCP protocol for file transfers | ||
+ | <cli prompt='#'> | ||
+ | [root@aix001]/root/scripts# scp count_path.sh padmin@vios01:/tmp | ||
+ | scp: Connection closed | ||
+ | [root@aix001]/root/scripts# scp -O count_path.sh padmin@vios01:/tmp | ||
+ | count_path.sh 100% 1972 1.9MB/s 00:00 | ||
+ | </cli> | ||
+ | |||
+ | **Note:** Since OpenSSH 8.8 the scp utility uses the SFTP protocol by default. The -O option must be used to use the legacy SCP protocol. | ||
+ | |||
+ | ==== List ciphers and Macs on client ==== | ||
+ | |||
+ | |||
+ | * Ciphers: ssh -Q cipher | ||
+ | * MACs: ssh -Q mac | ||
+ | * KexAlgorithms: ssh -Q kex | ||
+ | * PubkeyAcceptedKeyTypes: ssh -Q key | ||
+ | |||
+ | You can also remotely probe a ssh server for its supported ciphers with recent nmap versions: | ||
+ | <cli prompt='#'> | ||
+ | # nmap --script ssh2-enum-algos -sV -p <port> <host> | ||
+ | </cli> | ||
+ | |||
+ | <cli prompt='#'> | ||
+ | [root@vios]/etc/ssh# ssh -Q cipher | ||
+ | 3des-cbc | ||
+ | aes128-cbc | ||
+ | aes192-cbc | ||
+ | aes256-cbc | ||
+ | aes128-ctr | ||
+ | aes192-ctr | ||
+ | aes256-ctr | ||
+ | aes128-gcm@openssh.com | ||
+ | aes256-gcm@openssh.com | ||
+ | chacha20-poly1305@openssh.com | ||
+ | |||
+ | [root@vios]/etc/ssh# ssh -Q mac | ||
+ | hmac-sha1 | ||
+ | hmac-sha1-96 | ||
+ | hmac-sha2-256 | ||
+ | hmac-sha2-512 | ||
+ | hmac-md5 | ||
+ | hmac-md5-96 | ||
+ | umac-64@openssh.com | ||
+ | umac-128@openssh.com | ||
+ | hmac-sha1-etm@openssh.com | ||
+ | hmac-sha1-96-etm@openssh.com | ||
+ | hmac-sha2-256-etm@openssh.com | ||
+ | hmac-sha2-512-etm@openssh.com | ||
+ | hmac-md5-etm@openssh.com | ||
+ | hmac-md5-96-etm@openssh.com | ||
+ | umac-64-etm@openssh.com | ||
+ | umac-128-etm@openssh.com | ||
+ | </cli> | ||
+ | |||
+ | ==== Connection slow ==== | ||
+ | |||
+ | Check using **ssh -vvv <hostname>**, if it hangs on | ||
+ | debug1: Next authentication method: gssapi-with-mic | ||
+ | |||
+ | Change the following parameter in the file **/etc/ssh/sshd_config** | ||
+ | GSSAPIAuthentication no | ||
+ | | ||
+ | FIXME On some new Linux versions, check also the files located in the folder **/etc/ssh/sshd_config.d/** | ||
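Review bot: in "Connection slow", the fix edits `/etc/ssh/sshd_config` on the server although the symptom is taken from client-side `ssh -vvv` output, and it omits that sshd has to reload its configuration before the change applies; suggest first confirming the cause from the client with `ssh -o GSSAPIAuthentication=no <hostname>`, then documenting the server change together with the reload step. The trailing `FIXME` should be resolved or reworded as a note before this stays in the current revision. In "SCP Connection closed", "Use the option -O tells SCP" is ungrammatical, and the section should say that `-O` is a fallback for targets that do not accept the SFTP-based transfer. In "List ciphers and Macs on client", say that `ssh -Q` prints what the client build supports, which is not the same as what is enabled by default, since the dump includes `3des-cbc` and `hmac-md5`.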