SFTP 기존 키 교환 방법

tag-icon tag-icon ssh sftp
SFTP 기존 키 교환 방법

업그레이드 후 Debian 10 (Buster)SFTP 서버에 더 이상 연결할 수 없습니다.

일치하는 키 교환 방법을 찾을 수 없습니다. 해당 인용문: diffie-hellman-group-exchange-sha1, diffie-hellman-group1-sha1 연결이 닫혔습니다.

sftp -b - -o StrictHostKeyChecking=no -i private.key -P 10022 user@host

sftp -vv ...반품

OpenSSH_7.9p1 Debian-10, OpenSSL 1.1.1c  28 May 2019
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolving "host" port 10022
debug2: ssh_connect_direct
debug1: Connecting to host [92.60.159.16] port 10022.
debug1: Connection established.
debug1: identity file /var/www/bs_id_rsa type -1
debug1: identity file /var/www/bs_id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.9p1 Debian-10
debug1: Remote protocol version 2.0, remote software version IBM Sterling Connect:Enterprise for UNIX2.5.00
debug1: no match: IBM Sterling Connect:Enterprise for UNIX2.5.00
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to host:10022 as 'user'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected],zlib
debug2: compression stoc: none,[email protected],zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-dss
debug2: ciphers ctos: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc
debug2: ciphers stoc: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc
debug2: MACs ctos: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
debug2: MACs stoc: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
debug2: compression ctos: none,zlib
debug2: compression stoc: none,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: (no match)
Unable to negotiate with xx.xx.xx.xx port 10022: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
Connection closed.
Connection closed

단추ssh -Q kex

diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
[email protected]

Kex알고리즘 사용:

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -i private.key -p 10022 user@host
Unable to negotiate with 92.60.159.16 port 10022: no matching host key type found. Their offer: ssh-dss

호스트 키 알고리즘을 사용하십시오.

ssh -oHostKeyAlgorithms=ssh-dss -oKexAlgorithms=+diffie-hellman-group1-sha1 -i private.key -p 10022 user@host
Unable to negotiate with 92.60.159.16 port 10022: no matching cipher found. Their offer: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc

SSH 작업

ssh -oHostKeyAlgorithms=ssh-dss -oKexAlgorithms=+diffie-hellman-group1-sha1 -oCiphers=aes256-cbc -i private.key -p 10022 user@host

답변1

다음과 같이 호스트별 매개변수를 ~/.ssh/config파일에 추가합니다(아직 없으면 빈 파일로 시작).

Host host.somewhere.dk
  Hostname host.somewhere.dk
  KexAlgorithms diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
  IdentityFile ~/.ssh/private.key
  Ciphers aes256-cbc
  HostKeyAlgorithms ssh-dss
  Port 10022
  User user

또는 구성 파일을 사용하지 않으려면 명령줄에 호스트별 옵션을 작성하세요.

ssh -oHostKeyAlgorithms=ssh-dss -oKexAlgorithms=diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 -oCiphers=aes256-cbc -i ~/ssh/private.key -p 10022 user@host

또한 두 경우 모두 1024보다 높은 포트 번호는 권한이 없는 사용자라면 누구나 이 높은 포트를 열 수 있으므로 시스템 서비스에 안전하지 않은 것으로 간주됩니다. 권한이 낮은 포트를 사용하는 것이 좋습니다.

관련 정보