I'm connected with Tectia Client (sshg3) to a remote host and I'm interested in finding out what encryption algorithm is being used for my connection. What's the easiest way to figure it out?
How can I determine the supported MACs, Ciphers, Key length and KexAlgorithms supported by my ssh servers?
I need to create a list for an external security audit. I'm looking for something similar to `openssl s_client -connect example.com:443 -showcerts`. From my research the ssh uses the default ciphers as listed in `man sshd_config`. However I need a solution I can use in a script, and `man sshd_config` does not list information about key length.

I need to correct myself here: you can specify `ServerKeyBits` in `sshd_config`.

I guess that `ssh -vv localhost &> ssh_connection_specs.out` returns the information I need, but I'm not sure if the listed ciphers are the ciphers supported by the client or by the server. Also I'm not sure how to run this non-interactively in a script. Is there a convenient way to get SSH connection information?

Henrik Pingel
2 Answers
You miss a few points in your question:

- What is your openssh version? It can differ a bit over the versions.
- `ServerKeyBits` is an option for protocol version 1, which you have hopefully disabled!
- Supported Ciphers, MACs and KexAlgorithms are always available in the manual, and this doesn't have anything in common with key lengths.
- Enabled Ciphers, MACs and KexAlgorithms are the ones that are offered during the connection, as you point out. But they can be gained also in other ways, for example using
sshd -T | grep -E '(ciphers|macs|kexalgorithms)'
To get the key length of your server key(s), you can use ssh-keygen:
ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
but you will probably want also the moduli sizes that are offered and used during the key exchange, but it really depends on the key exchange method, but it should be also readable from the debug output of `ssh -vvv host`.

Jakuje
> How can I determine the supported MACs, Ciphers, Key length and KexAlgorithms supported by my ssh servers?

It looks like the answer on https://superuser.com/a/1219759/173408 is also an answer to your question. It fits in one line:

Here is the output on a plain Debian 9.4 machine with current SSH version:

Stéphane Gourichon
Looking at the man page for sshd_config I see the default list of algorithms for Ciphers, Key Exchange (KEX) and MACs.

In my set up, I have selected a subset of these algorithms for use (i.e. I don't want to allow old or weak algorithms).

What I want to know: in which order are the algorithms negotiated?
I know the client and the server have to agree on which algorithm to use. But does the list need to be ordered from most preferred -> least preferred? Or The other way around? The lists in the man page appear to be ordered first by algorithm group, with preferred groups first, but within each group, the algorithms seem to be ordered from least preferred to most.
Basically, my question boils down to, will the client and server negotiate the 'strongest' algorithm they both support (where 'strongest' is defined internally to OpenSSH), or will it pick the first/latest algorithm in both (server and client) supported algorithms lists?
How can I tell which algorithms are negotiated for a given connection? I have run ssh with -v -v -v and I see a lot of spew from kex_parse_kexinit. But I can't tell which algorithm is settled upon from that spew.
Thanks
Anro
1 Answer
You can see more precise details of how the various algorithms are negotiated in RFC 4253, Section 7.1, but basically:

- The algorithms in `ssh_config` (or the user's `~/.ssh/config`) and in `sshd_config` are ranked by preference, highest to lowest.
- The server chooses the first algorithm on the client's list that it also supports. Hence, the choice is biased towards the client's preferences.
The Cipher and MAC algorithms do show up in verbose output, e.g.
Last I checked, OpenSSH does not say what exact Kex algorithm it chooses though. Maybe this will change in the future.
jjlin
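The two threads above ask, in effect, the same thing from both ends: which side's algorithm list `ssh -vvv` is printing, and which entry the negotiation settles on. The added example below (mine, not code from either answer or from OpenSSH) parses the two KEXINIT proposals that `ssh -vvv` prints, labelled "local client" and "peer server" in OpenSSH 7.3 and later, and replays the RFC 4253 section 7.1 rule that jjlin describes, so you can read off the negotiated cipher and MAC per direction even where the debug output does not state them. The sample transcript and every algorithm list in it are constructed; kex selection is simplified to plain first-match (the RFC also requires the chosen kex to work with the negotiated host key type).

```python
"""Added example: replay the RFC 4253 section 7.1 negotiation from the KEXINIT proposals
that `ssh -vvv` prints. SAMPLE is constructed in the shape of OpenSSH 7.3+ output
(older releases print the same lists as unlabelled `kex_parse_kexinit:` lines)."""
import re
# Labels as OpenSSH prints them, mapped to the key used in the result.
LABELS = {"KEX algorithms": "kex", "ciphers ctos": "cipher_ctos", "ciphers stoc": "cipher_stoc",
          "MACs ctos": "mac_ctos", "MACs stoc": "mac_stoc"}
PROPOSAL_RE = re.compile(r"^debug2: (local client|peer server) KEXINIT proposal$")
LIST_RE = re.compile(r"^debug2: ([A-Za-z ]+): (.*)$")

def parse_proposals(debug_output):
    """Return {'client': {...}, 'server': {...}}; each value maps a LABELS key to a list."""
    proposals, side = {"client": {}, "server": {}}, None
    for line in debug_output.splitlines():
        m = PROPOSAL_RE.match(line)
        if m:  # header line says whose proposal the following lists belong to
            side = "client" if m.group(1) == "local client" else "server"
            continue
        m = LIST_RE.match(line)
        if side and m and m.group(1) in LABELS:
            proposals[side][LABELS[m.group(1)]] = [a for a in m.group(2).split(",") if a]
    return proposals

def negotiate(client_list, server_list):
    """RFC 4253 7.1: the first algorithm in the client's list that the server also offers,
    so the client's ordering wins. Returns None when the lists share nothing."""
    offered = set(server_list)
    return next((a for a in client_list if a in offered), None)

def negotiated_algorithms(debug_output):
    """Resolve kex, cipher and MAC per direction. Simplification: kex is plain first-match;
    the RFC also requires the chosen kex to be usable with the negotiated host key type."""
    p = parse_proposals(debug_output)
    return {k: negotiate(p["client"].get(k, []), p["server"].get(k, []))
            for k in ("kex", "cipher_ctos", "cipher_stoc", "mac_ctos", "mac_stoc")}

SAMPLE = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha1
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr
debug2: MACs ctos: hmac-sha2-256,hmac-sha1
debug2: MACs stoc: hmac-sha2-256,hmac-sha1
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: ecdh-sha2-nistp256,diffie-hellman-group14-sha1
debug2: ciphers ctos: aes256-ctr,aes128-ctr
debug2: ciphers stoc: aes256-ctr,aes128-ctr
debug2: MACs ctos: hmac-sha1,hmac-sha2-256
debug2: MACs stoc: hmac-sha1,hmac-sha2-256
"""
```

In the constructed sample the server lists aes256-ctr and hmac-sha1 first, yet aes128-ctr and hmac-sha2-256 are selected, because the client's order decides; feed `negotiated_algorithms` the saved output of `ssh -vvv host` to see the same for a real connection.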