45

So ssh has the option HostKeyAlgorithms. Sample usage:

ssh -o "HostKeyAlgorithms ssh-rsa" user@hostname 

I'm trying to get the client to connect using the servers ecdsa key, but I can't find what the correct string is for that.

What command can I use to get a list of the available HostKeyAlgorithms?

4 Answers

43
ssh -Q key 

Unless you have an ancient version of OpenSSH, in which case uhhhh source dive, or run ssh -v -v -v ... and see if what you want appears there.

7
  • 2
    Heh, looks like I'm on the ancient version. Commented Aug 14, 2015 at 17:39
  • 3
    I get this: ssh: illegal option -- Q Commented Aug 14, 2015 at 17:52
  • 1
    Hmm, -Q has been there for a few years ftp.ca.openbsd.org/pub/OpenBSD/OpenSSH/portable/ChangeLog though I suppose some folks are slow to update. To the -v -v -v spam! Commented Aug 14, 2015 at 18:00
  • 1
    Given that I'm on a relatively aged version of Linux now, and it has -Q, and since the man page now states 'The list of available key types may also be obtained using "ssh -Q key".', I'm gonna move this to the answer, assuming it doesn't violate any stack policy. Commented Jan 15, 2019 at 17:50
  • 1
    ssh -Q (query) was introduced in OpenSSH 6.3, released on 2013-09-13. Release notes: openssh.com/txt/release-6.3 Commented May 17, 2020 at 21:57
20

from the ssh_config manual page:

HostKeyAlgorithms
    Specifies the protocol version 2 host key algorithms that the client wants to use in order of preference. The default for this option is:

        ecdsa-sha2-nistp256-cert-v01@openssh.com,
        ecdsa-sha2-nistp384-cert-v01@openssh.com,
        ecdsa-sha2-nistp521-cert-v01@openssh.com,
        ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,
        ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,
        ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
        ssh-rsa,ssh-dss

    If hostkeys are known for the destination host then this default is modified to prefer their algorithms.
0
13

Seems no-one read the documentation regarding the -Q flag for ssh properly.

man ssh says:

-Q query_option
    Queries ssh for the algorithms supported for the specified version 2. The available features are: cipher (supported symmetric ciphers), cipher-auth (supported symmetric ciphers that support authenticated encryption), help (supported query terms for use with the -Q flag), mac (supported message integrity codes), kex (key exchange algorithms), kex-gss (GSSAPI key exchange algorithms), key (key types), key-cert (certificate key types), key-plain (non-certificate key types), key-sig (all key types and signature algorithms), protocol-version (supported SSH protocol versions), and sig (supported signature algorithms). Alternatively, any keyword from ssh_config(5) or sshd_config(5) that takes an algorithm list may be used as an alias for the corresponding query_option.

Here is how to use ssh -Q to dump all available information about the installed version of ssh:

for F in $(ssh -Q help); do
    printf '=== %s ===\n' "$F"   # section header for each query term
    ssh -Q "$F"                  # dump the algorithms for that term
    echo ""
done

Output for me was:

=== cipher ===
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com

=== cipher-auth ===
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com

=== mac ===
hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
hmac-md5
hmac-md5-96
umac-64@openssh.com
umac-128@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha1-96-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
hmac-md5-etm@openssh.com
hmac-md5-96-etm@openssh.com
umac-64-etm@openssh.com
umac-128-etm@openssh.com

=== kex ===
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
curve25519-sha256@libssh.org
sntrup4591761x25519-sha512@tinyssh.org

=== kex-gss ===
gss-gex-sha1-
gss-group1-sha1-
gss-group14-sha1-
gss-group14-sha256-
gss-group16-sha512-
gss-nistp256-sha256-
gss-curve25519-sha256-

=== key ===
ssh-ed25519
ssh-ed25519-cert-v01@openssh.com
sk-ssh-ed25519@openssh.com
sk-ssh-ed25519-cert-v01@openssh.com
ssh-rsa
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
sk-ecdsa-sha2-nistp256@openssh.com
ssh-rsa-cert-v01@openssh.com
ssh-dss-cert-v01@openssh.com
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com

=== key-cert ===
ssh-ed25519-cert-v01@openssh.com
sk-ssh-ed25519-cert-v01@openssh.com
ssh-rsa-cert-v01@openssh.com
ssh-dss-cert-v01@openssh.com
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com

=== key-plain ===
ssh-ed25519
sk-ssh-ed25519@openssh.com
ssh-rsa
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
sk-ecdsa-sha2-nistp256@openssh.com

=== key-sig ===
ssh-ed25519
ssh-ed25519-cert-v01@openssh.com
sk-ssh-ed25519@openssh.com
sk-ssh-ed25519-cert-v01@openssh.com
ssh-rsa
rsa-sha2-256
rsa-sha2-512
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
sk-ecdsa-sha2-nistp256@openssh.com
ssh-rsa-cert-v01@openssh.com
rsa-sha2-256-cert-v01@openssh.com
rsa-sha2-512-cert-v01@openssh.com
ssh-dss-cert-v01@openssh.com
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com

=== protocol-version ===
2

=== sig ===
ssh-ed25519
sk-ssh-ed25519@openssh.com
ssh-rsa
rsa-sha2-256
rsa-sha2-512
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
sk-ecdsa-sha2-nistp256@openssh.com

It might be helpful when debugging to query the configuration that ssh is actually using when attempting to connect to a host by using the -G option. This will list all the configuration options, including the chosen values for the cipher, mac, hostKeyAlgorithm and KexAlgorithm parameters.

ssh -G ubuntu@35.171.333.444

Here is typical output:

user ubuntu
hostname 35.171.333.444
port 22
addkeystoagent false
addressfamily any
batchmode no
canonicalizefallbacklocal yes
canonicalizehostname false
challengeresponseauthentication yes
checkhostip yes
compression yes
controlmaster false
enablesshkeysign no
clearallforwardings no
exitonforwardfailure no
fingerprinthash SHA256
forwardx11 yes
forwardx11trusted yes
gatewayports no
gssapiauthentication yes
gssapikeyexchange no
gssapidelegatecredentials no
gssapitrustdns no
gssapirenewalforcesrekey no
gssapikexalgorithms gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1-
hashknownhosts yes
hostbasedauthentication no
identitiesonly no
kbdinteractiveauthentication yes
nohostauthenticationforlocalhost no
passwordauthentication yes
permitlocalcommand no
proxyusefdpass no
pubkeyauthentication yes
requesttty auto
streamlocalbindunlink no
stricthostkeychecking ask
tcpkeepalive yes
tunnel false
verifyhostkeydns false
visualhostkey no
updatehostkeys false
canonicalizemaxdots 1
connectionattempts 1
forwardx11timeout 1200
numberofpasswordprompts 3
serveralivecountmax 3
serveraliveinterval 0
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
hostkeyalgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
hostbasedkeytypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
ignoreunknown Password
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
casignaturealgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256
loglevel INFO
macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
securitykeyprovider internal
pubkeyacceptedkeytypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
xauthlocation /usr/bin/xauth
identityfile ~/.ssh/rsa-2020-11-03
canonicaldomains
globalknownhostsfile /etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2
userknownhostsfile ~/.ssh/known_hosts ~/.ssh/known_hosts2
sendenv LANG
sendenv LC_*
forwardagent yes
connecttimeout none
tunneldevice any:any
controlpersist no
escapechar ~
ipqos lowdelay throughput
rekeylimit 0 0
streamlocalbindmask 0177
syslogfacility USER
2
  • 1
    jeez, why can't this just be the default output of the -Q without further digging Commented Apr 1, 2022 at 23:18
  • Indeed, this was great, but should be part of the default implementation. Commented Nov 11 at 15:34
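A small helper, added here and not code from any of the answers, that scripts the -G check the answer above describes: it reads `ssh -G` output on stdin, tests whether a given algorithm (for instance the ecdsa-sha2-nistp256 the question asks about) is in the client's list for an option, and prints entries that match a legacy deny-list. The sample output and the deny-list are constructed for this example; the deny-list is not an OpenSSH default.

```shell
#!/bin/sh
# Added example, not code from the original answers. Works on the flattened
# "option value" lines that `ssh -G user@host` prints (option names lowercase).

# Print the comma-separated value of option $1 (e.g. hostkeyalgorithms)
# from `ssh -G` output read on stdin.
ssh_g_option() {
    awk -v opt="$1" '$1 == opt { print $2; exit }'
}

# Exit 0 if algorithm $2 appears in the list for option $1, else exit 1.
ssh_g_has_algo() {
    ssh_g_option "$1" | tr ',' '\n' | grep -qx -- "$2"
}

# Print every entry of option $1 that matches the (assumed) legacy deny-list:
# DSA, RSA/SHA-1 signatures, CBC ciphers, MD5/SHA-1 MACs, SHA-1 DH groups.
ssh_g_flag_legacy() {
    ssh_g_option "$1" | tr ',' '\n' \
        | grep -E -x 'ssh-dss|ssh-rsa|.*-cbc|hmac-md5.*|hmac-sha1.*|diffie-hellman-group1-sha1|diffie-hellman-group-exchange-sha1' \
        || true
}

# Constructed sample of `ssh -G` output, trimmed to the lines the helpers use.
SAMPLE_G='user ubuntu
hostname example.invalid
port 22
hostkeyalgorithms ecdsa-sha2-nistp256,ssh-ed25519,rsa-sha2-512,ssh-rsa
kexalgorithms curve25519-sha256,diffie-hellman-group1-sha1
macs hmac-sha2-256,hmac-sha1'

# Stand-alone run against the sample; in practice pipe `ssh -G user@host` in.
if printf '%s\n' "$SAMPLE_G" | ssh_g_has_algo hostkeyalgorithms ecdsa-sha2-nistp256; then
    echo "ecdsa-sha2-nistp256 is offered for host key verification"
fi
for opt in hostkeyalgorithms kexalgorithms macs; do
    printf '%s\n' "$SAMPLE_G" | ssh_g_flag_legacy "$opt" | sed "s/^/legacy in $opt: /"
done
```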
9

Since this question is the #1 answer when searching for 'list ssh "key exchange algorithms"', I'll offer that answer as well:

To list client ssh key exchange algorithms: ssh -Q kex

To list server ssh key exchange algorithms: sudo sshd -T | grep kex
