41

So ssh has the option HostKeyAlgorithms. Sample usage:

ssh -o "HostKeyAlgorithms ssh-rsa" user@hostname

I'm trying to get the client to connect using the server's ecdsa key, but I can't find what the correct string is for that.

What command can I use to get a list of the available HostKeyAlgorithms?

4 Answers

41
ssh -Q key

Unless you have an ancient version of OpenSSH, in which case uhhhh source dive, or run ssh -v -v -v ... and see if what you want appears there.

7
  • 1
    Heh, looks like I'm on the ancient version.
    – mpr
    Commented Aug 14, 2015 at 17:39
  • 2
    I get this: ssh: illegal option -- Q
    – VaTo
    Commented Aug 14, 2015 at 17:52
  • 1
    Hmm, -Q has been there for a few years ftp.ca.openbsd.org/pub/OpenBSD/OpenSSH/portable/ChangeLog though I suppose some folks are slow to update. To the -v -v -v spam!
    – thrig
    Commented Aug 14, 2015 at 18:00
  • 1
    Given that I'm on a relatively aged version of Linux now, and it has -Q, and since the man page now states 'The list of available key types may also be obtained using "ssh -Q key".', I'm gonna move this to the answer, assuming it doesn't violate any stack policy.
    – mpr
    Commented Jan 15, 2019 at 17:50
  • 1
    ssh -Q (query) was introduced in OpenSSH 6.3, released on 2013-09-13. Release notes: openssh.com/txt/release-6.3
    – pts
    Commented May 17, 2020 at 21:57
20

From the ssh_config manual page:

HostKeyAlgorithms
             Specifies the protocol version 2 host key algorithms that the client wants to use in order of preference.  The default for this option is:

                ecdsa-sha2-nistp256-cert-v01@openssh.com,
                ecdsa-sha2-nistp384-cert-v01@openssh.com,
                ecdsa-sha2-nistp521-cert-v01@openssh.com,
                ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,
                ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,
                ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
                ssh-rsa,ssh-dss

             If hostkeys are known for the destination host then this default is modified to prefer their algorithms.
0
11

Seems no-one read the documentation regarding the -Q flag for ssh properly.

man ssh says:

-Q query_option
             Queries ssh for the algorithms supported for the specified version 2.  The available features are:
             cipher (supported symmetric ciphers), cipher-auth (supported symmetric ciphers that support authenticated encryption), help (supported query terms for use with the -Q flag), mac (supported message integrity codes), kex (key exchange algorithms), kex-gss (GSSAPI key exchange algorithms), key (key types), key-cert (certificate key types), key-plain (non-certificate key types), key-sig (all key types and signature algorithms), protocol-version (supported SSH protocol versions), and sig (supported signature algorithms).  Alternatively, any keyword from ssh_config(5) or sshd_config(5) that takes an algorithm list may be used as an alias for the corresponding query_option.

Here is how to use ssh -Q to dump all available information about the installed version of ssh:

# "ssh -Q help" lists every query term; run each one in turn.
for F in $(ssh -Q help); do
  # Keep the query term out of the printf format string.
  printf '=== %s ===\n' "$F"
  ssh -Q "$F"
  echo ""
done

Output for me was:

=== cipher ===
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com

=== cipher-auth ===
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com

=== mac ===
hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
hmac-md5
hmac-md5-96
umac-64@openssh.com
umac-128@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha1-96-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
hmac-md5-etm@openssh.com
hmac-md5-96-etm@openssh.com
umac-64-etm@openssh.com
umac-128-etm@openssh.com

=== kex ===
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
curve25519-sha256@libssh.org
sntrup4591761x25519-sha512@tinyssh.org

=== kex-gss ===
gss-gex-sha1-
gss-group1-sha1-
gss-group14-sha1-
gss-group14-sha256-
gss-group16-sha512-
gss-nistp256-sha256-
gss-curve25519-sha256-

=== key ===
ssh-ed25519
ssh-ed25519-cert-v01@openssh.com
sk-ssh-ed25519@openssh.com
sk-ssh-ed25519-cert-v01@openssh.com
ssh-rsa
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
sk-ecdsa-sha2-nistp256@openssh.com
ssh-rsa-cert-v01@openssh.com
ssh-dss-cert-v01@openssh.com
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com

=== key-cert ===
ssh-ed25519-cert-v01@openssh.com
sk-ssh-ed25519-cert-v01@openssh.com
ssh-rsa-cert-v01@openssh.com
ssh-dss-cert-v01@openssh.com
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com

=== key-plain ===
ssh-ed25519
sk-ssh-ed25519@openssh.com
ssh-rsa
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
sk-ecdsa-sha2-nistp256@openssh.com

=== key-sig ===
ssh-ed25519
ssh-ed25519-cert-v01@openssh.com
sk-ssh-ed25519@openssh.com
sk-ssh-ed25519-cert-v01@openssh.com
ssh-rsa
rsa-sha2-256
rsa-sha2-512
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
sk-ecdsa-sha2-nistp256@openssh.com
ssh-rsa-cert-v01@openssh.com
rsa-sha2-256-cert-v01@openssh.com
rsa-sha2-512-cert-v01@openssh.com
ssh-dss-cert-v01@openssh.com
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com

=== protocol-version ===
2

=== sig ===
ssh-ed25519
sk-ssh-ed25519@openssh.com
ssh-rsa
rsa-sha2-256
rsa-sha2-512
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
sk-ecdsa-sha2-nistp256@openssh.com

It might be helpful when debugging to query the configuration that ssh is actually using when attempting to connect to a host by using the -G option. This will list all the configuration options, including the chosen values for the Ciphers, MACs, HostKeyAlgorithms and KexAlgorithms parameters.

ssh -G ubuntu@35.171.333.444

Here is typical output:

user ubuntu
hostname 35.171.333.444
port 22
addkeystoagent false
addressfamily any
batchmode no
canonicalizefallbacklocal yes
canonicalizehostname false
challengeresponseauthentication yes
checkhostip yes
compression yes
controlmaster false
enablesshkeysign no
clearallforwardings no
exitonforwardfailure no
fingerprinthash SHA256
forwardx11 yes
forwardx11trusted yes
gatewayports no
gssapiauthentication yes
gssapikeyexchange no
gssapidelegatecredentials no
gssapitrustdns no
gssapirenewalforcesrekey no
gssapikexalgorithms gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1-
hashknownhosts yes
hostbasedauthentication no
identitiesonly no
kbdinteractiveauthentication yes
nohostauthenticationforlocalhost no
passwordauthentication yes
permitlocalcommand no
proxyusefdpass no
pubkeyauthentication yes
requesttty auto
streamlocalbindunlink no
stricthostkeychecking ask
tcpkeepalive yes
tunnel false
verifyhostkeydns false
visualhostkey no
updatehostkeys false
canonicalizemaxdots 1
connectionattempts 1
forwardx11timeout 1200
numberofpasswordprompts 3
serveralivecountmax 3
serveraliveinterval 0
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
hostkeyalgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
hostbasedkeytypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
ignoreunknown Password
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
casignaturealgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256
loglevel INFO
macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
securitykeyprovider internal
pubkeyacceptedkeytypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
xauthlocation /usr/bin/xauth
identityfile ~/.ssh/rsa-2020-11-03
canonicaldomains
globalknownhostsfile /etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2
userknownhostsfile ~/.ssh/known_hosts ~/.ssh/known_hosts2
sendenv LANG
sendenv LC_*
forwardagent yes
connecttimeout none
tunneldevice any:any
controlpersist no
escapechar ~
ipqos lowdelay throughput
rekeylimit 0 0
streamlocalbindmask 0177
syslogfacility USER
1
  • 1
    jeez, why can't this just be the default output of the -Q without further digging
    – reukiodo
    Commented Apr 1, 2022 at 23:18
6

Since this question is the #1 answer when searching for 'list ssh "key exchange algorithms"', I'll offer that answer as well:

To list client ssh key exchange algorithms: ssh -Q kex

To list server ssh key exchange algorithms: sudo sshd -T | grep kex
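The `ssh -G` and `sshd -T` answers above both print `option value` lines, which makes them easy to audit. As an added example (not from any of the answers), the script below flags legacy entries in those algorithm lists and checks that a name is actually in the local `ssh -Q key` output before it goes into `-o HostKeyAlgorithms`, as the question asks for ecdsa. It runs offline on constructed sample text; the `WEAK_RE` classification is mine, not OpenSSH's.

```sh
#!/bin/sh
# Added example. In real use:  weak_algs "$(ssh -G host)"  or  weak_algs "$(sudo sshd -T)"

# Constructed sample in "ssh -G" format (sshd -T has the same "option value" shape),
# with one legacy entry planted in each list.
SAMPLE='ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr,aes128-cbc
macs umac-64-etm@openssh.com,hmac-sha2-256,hmac-sha1
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha256,diffie-hellman-group1-sha1
hostkeyalgorithms ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,ssh-rsa'

# Constructed subset of "ssh -Q key" output.
KEY_TYPES='ssh-ed25519
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
ssh-rsa'

# My classification of legacy names: anything built on SHA-1 or MD5, CBC-mode
# ciphers, 3DES, DH group1, DSA, and ssh-rsa (RSA with SHA-1 signatures).
WEAK_RE='(^|-)sha1($|-)|md5|-cbc$|3des|group1-|^ssh-dss$|^ssh-rsa$'

# weak_algs CONFIG_TEXT  ->  prints "option algorithm" for every flagged entry
weak_algs() {
    printf '%s\n' "$1" | while read -r opt list; do
        # Only the options that carry comma-separated algorithm lists
        case "$opt" in
            ciphers|macs|kexalgorithms|hostkeyalgorithms|hostbasedkeytypes|pubkeyacceptedkeytypes) ;;
            *) continue ;;
        esac
        # One algorithm per line, keep the flagged ones, prefix the option name
        printf '%s\n' "$list" | tr ',' '\n' | grep -E -- "$WEAK_RE" | sed "s/^/$opt /"
    done
}

# is_supported QUERY_OUTPUT NAME  ->  exit 0 iff NAME is a whole line of QUERY_OUTPUT
is_supported() {
    printf '%s\n' "$1" | grep -qxF -- "$2"
}

weak_algs "$SAMPLE"
if is_supported "$KEY_TYPES" ecdsa-sha2-nistp256; then
    echo "ecdsa-sha2-nistp256 is usable with -o HostKeyAlgorithms"
fi
```

Against the constructed sample the audit reports four lines, one per planted legacy entry, and the support check passes for ecdsa-sha2-nistp256.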
