aix:aix_ssh_howto
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
aix:aix_ssh_howto [2024/08/12 14:06] manu [SCP Connection closed] |
aix:aix_ssh_howto [2025/10/07 12:19] (current) manu |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== Howto use SSH ====== | ====== Howto use SSH ====== | ||
| + | |||
| + | Secure File Transfer Protocol (sftp) has been added, and the native “scp” has been deprecated – scp is stil supported, but under the covers will use sftp. Same usage as always, but can now be used in interactive mode, for example : | ||
| + | sftp -P22 adminuser@system | ||
| + | | ||
| + | Work arround for scp: **scp -O** user@host... | ||
| ===== Client SSH ===== | ===== Client SSH ===== | ||
| Line 294: | Line 299: | ||
| </cli> | </cli> | ||
| + | ==== Add timeout ==== | ||
| + | |||
| + | If an host doesn't answer, the timeout will stop the connexion | ||
| + | <cli prompt='#'> | ||
| + | # ssh -o ConnectTimeout=10 $i uname | ||
| + | </cli> | ||
| ==== Boost ssh connection ==== | ==== Boost ssh connection ==== | ||
| Line 309: | Line 320: | ||
| sys 0m0.00s | sys 0m0.00s | ||
| </cli> | </cli> | ||
| + | |||
| + | |||
| + | ==== Bad cipher or MAC ==== | ||
| + | |||
| + | I can specify the cipher and the MAC: | ||
| + | ssh <user@ip> -c aes256-cbc -m hmac-sha1 | ||
| + | |||
| ==== no matching host key type found ==== | ==== no matching host key type found ==== | ||
| Line 388: | Line 406: | ||
| **Note:** Since OpenSSH 8.8 the scp utility uses the SFTP protocol by default. The -O option must be used to use the legacy SCP protocol. | **Note:** Since OpenSSH 8.8 the scp utility uses the SFTP protocol by default. The -O option must be used to use the legacy SCP protocol. | ||
| + | |||
| + | ==== List ciphers and Macs on client ==== | ||
| + | |||
| + | |||
| + | * Ciphers: ssh -Q cipher | ||
| + | * MACs: ssh -Q mac | ||
| + | * KexAlgorithms: ssh -Q kex | ||
| + | * PubkeyAcceptedKeyTypes: ssh -Q key | ||
| + | |||
| + | You can also remotely probe a ssh server for its supported ciphers with recent nmap versions: | ||
| + | <cli prompt='#'> | ||
| + | # nmap --script ssh2-enum-algos -sV -p <port> <host> | ||
| + | </cli> | ||
| + | |||
| + | <cli prompt='#'> | ||
| + | [root@vios]/etc/ssh# ssh -Q cipher | ||
| + | 3des-cbc | ||
| + | aes128-cbc | ||
| + | aes192-cbc | ||
| + | aes256-cbc | ||
| + | aes128-ctr | ||
| + | aes192-ctr | ||
| + | aes256-ctr | ||
| + | aes128-gcm@openssh.com | ||
| + | aes256-gcm@openssh.com | ||
| + | chacha20-poly1305@openssh.com | ||
| + | |||
| + | [root@vios]/etc/ssh# ssh -Q mac | ||
| + | hmac-sha1 | ||
| + | hmac-sha1-96 | ||
| + | hmac-sha2-256 | ||
| + | hmac-sha2-512 | ||
| + | hmac-md5 | ||
| + | hmac-md5-96 | ||
| + | umac-64@openssh.com | ||
| + | umac-128@openssh.com | ||
| + | hmac-sha1-etm@openssh.com | ||
| + | hmac-sha1-96-etm@openssh.com | ||
| + | hmac-sha2-256-etm@openssh.com | ||
| + | hmac-sha2-512-etm@openssh.com | ||
| + | hmac-md5-etm@openssh.com | ||
| + | hmac-md5-96-etm@openssh.com | ||
| + | umac-64-etm@openssh.com | ||
| + | umac-128-etm@openssh.com | ||
| + | </cli> | ||
| + | |||
| + | ==== Connection slow ==== | ||
| + | |||
| + | Check using **ssh -vvv <hostname>**, if it hangs on | ||
| + | debug1: Next authentication method: gssapi-with-mic | ||
| + | |||
| + | Change the following parameter in the file **/etc/ssh/sshd_config** | ||
| + | GSSAPIAuthentication no | ||
| + | | ||
| + | FIXME On some new Linux versions, check also the files located in the folder **/etc/ssh/sshd_config.d/** | ||
| + | |||
aix/aix_ssh_howto.1723464409.txt.gz · Last modified: 2024/08/12 14:06 by manu
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: GNU Free Documentation License 1.3
