如何列出 SSH 客户端可用的主机密钥算法？

ssh -Q key

除非你有一个古老版本的 OpenSSH，在这种情况下，呃源潜水，或者运行ssh -v -v -v ...并看看你想要的东西是否出现在那里。

来自ssh_config manual页：

HostKeyAlgorithms
             Specifies the protocol version 2 host key algorithms that the client wants to use in order of preference.  The default for this option is:

                [email protected],
                [email protected],
                [email protected],
                [email protected],[email protected],
                [email protected],[email protected],
                ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
                ssh-rsa,ssh-dss

             If hostkeys are known for the destination host then this default is modified to prefer their algorithms.

-Q似乎没有人正确阅读有关该标志的文档ssh。

man ssh说：

-Q query_option
             Queries ssh for the algorithms supported for the specified version 2.  The available features are:
             cipher (supported symmetric ciphers), cipher-auth (supported symmetric ciphers that support authenti‐
             cated encryption), help (supported query terms for use with the -Q flag), mac (supported message integ‐
             rity codes), kex (key exchange algorithms), kex-gss (GSSAPI key exchange algorithms), key (key types),
             key-cert (certificate key types), key-plain (non-certificate key types), key-sig (all key types and sig‐
             nature algorithms), protocol-version (supported SSH protocol versions), and sig (supported signature al‐
             gorithms).  Alternatively, any keyword from ssh_config(5) or sshd_config(5) that takes an algorithm list
             may be used as an alias for the corresponding query_option.

以下是如何使用ssh -Q转储有关已安装的 ssh 版本的所有可用信息：

for F in $(ssh -Q help); do 
  printf "=== $F ===\n"
  ssh -Q $F
  echo ""
done

我的输出是：

=== cipher ===
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
[email protected]
aes128-ctr
aes192-ctr
aes256-ctr
[email protected]
[email protected]
[email protected]

=== cipher-auth ===
[email protected]
[email protected]
[email protected]

=== mac ===
hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
hmac-md5
hmac-md5-96
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

=== kex ===
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
[email protected]
[email protected]

=== kex-gss ===
gss-gex-sha1-
gss-group1-sha1-
gss-group14-sha1-
gss-group14-sha256-
gss-group16-sha512-
gss-nistp256-sha256-
gss-curve25519-sha256-

=== key ===
ssh-ed25519
[email protected]
[email protected]
[email protected]
ssh-rsa
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

=== key-cert ===
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

=== key-plain ===
ssh-ed25519
[email protected]
ssh-rsa
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
[email protected]

=== key-sig ===
ssh-ed25519
[email protected]
[email protected]
[email protected]
ssh-rsa
rsa-sha2-256
rsa-sha2-512
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

=== protocol-version ===
2

=== sig ===
ssh-ed25519
[email protected]
ssh-rsa
rsa-sha2-256
rsa-sha2-512
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
[email protected]

ssh在调试时查询尝试使用该选项连接到主机时实际使用的配置可能会有所帮助-G。这将列出所有配置选项，包括为cipher、mac和hostKeyAlgorithm参数选择的值KexAlgorithm。

ssh -G [email protected]

这是典型的输出：

user ubuntu
hostname 35.171.333.444
port 22
addkeystoagent false
addressfamily any
batchmode no
canonicalizefallbacklocal yes
canonicalizehostname false
challengeresponseauthentication yes
checkhostip yes
compression yes
controlmaster false
enablesshkeysign no
clearallforwardings no
exitonforwardfailure no
fingerprinthash SHA256
forwardx11 yes
forwardx11trusted yes
gatewayports no
gssapiauthentication yes
gssapikeyexchange no
gssapidelegatecredentials no
gssapitrustdns no
gssapirenewalforcesrekey no
gssapikexalgorithms gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1-
hashknownhosts yes
hostbasedauthentication no
identitiesonly no
kbdinteractiveauthentication yes
nohostauthenticationforlocalhost no
passwordauthentication yes
permitlocalcommand no
proxyusefdpass no
pubkeyauthentication yes
requesttty auto
streamlocalbindunlink no
stricthostkeychecking ask
tcpkeepalive yes
tunnel false
verifyhostkeydns false
visualhostkey no
updatehostkeys false
canonicalizemaxdots 1
connectionattempts 1
forwardx11timeout 1200
numberofpasswordprompts 3
serveralivecountmax 3
serveraliveinterval 0
ciphers [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
hostkeyalgorithms [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-512,rsa-sha2-256,ssh-rsa
hostbasedkeytypes [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-512,rsa-sha2-256,ssh-rsa
ignoreunknown Password
kexalgorithms curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
casignaturealgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-512,rsa-sha2-256
loglevel INFO
macs [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
securitykeyprovider internal
pubkeyacceptedkeytypes [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-512,rsa-sha2-256,ssh-rsa
xauthlocation /usr/bin/xauth
identityfile ~/.ssh/rsa-2020-11-03
canonicaldomains
globalknownhostsfile /etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2
userknownhostsfile ~/.ssh/known_hosts ~/.ssh/known_hosts2
sendenv LANG
sendenv LC_*
forwardagent yes
connecttimeout none
tunneldevice any:any
controlpersist no
escapechar ~
ipqos lowdelay throughput
rekeylimit 0 0
streamlocalbindmask 0177
syslogfacility USER

由于这个问题是搜索“list ssh“密钥交换算法””时的第一个答案，因此我也将提供该答案：

列出客户端 ssh 密钥交换算法： ssh -Q kex

列出服务器 ssh 密钥交换算法： sudo sshd -T | grep kex