View the KexAlgorithms: this step confirms the key exchange algorithms supported by the ssh client
[root@localhost ~]# ssh -Q kex
View the KexAlgorithms: this step confirms the key exchange algorithms currently enabled on the sshd server
[root@localhost ~]# sshd -T | grep -w kexalgorithms
Repair method
Modify the sshd_config configuration file so that the unsafe KexAlgorithms are excluded; the exact sshd_config parameters can be looked up in the man page.
View the list of algorithms supported by the current OpenSSH version, and how the parameter is used, in the man page.
[root@localhost ~]# man sshd_config | grep -A 40 -w KexAlgorithms
Before the diffie-hellman algorithm is disabled, a normal ssh login that uses it succeeds
[root@localhost ~]# ssh -v -oKexAlgorithms=diffie-hellman-group1-sha1 <user>@<server>
A vulnerability scan reports the weak algorithm as a finding
Disable the diffie-hellman algorithm
[root@localhost ~]# echo "KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521" >> /etc/ssh/sshd_config
[root@localhost ~]# systemctl restart sshd
[root@localhost ~]# sshd -T | grep -w kexalgorithms
After the diffie-hellman algorithm has been disabled, logging in with that disabled key exchange algorithm fails; ssh can no longer log in normally with it
[root@localhost ~]# ssh -v -oKexAlgorithms=diffie-hellman-group1-sha1 <user>@<server>
Scanning again with the QiAnXin vulnerability scanner no longer reports the finding; the vulnerability is fixed
Without specifying any algorithm, a normal ssh login still works
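An added audit helper, not part of the original post, that parses the `kexalgorithms` line printed by `sshd -T`, lists the weak entries still allowed, and builds the hardened `KexAlgorithms` directive with them removed; the weak-algorithm list and the sample `sshd -T` line are this editor's assumptions, not output from the page.

```shell
#!/bin/sh
# Added audit helper (not from the original post): parse a "kexalgorithms ..." line as
# printed by `sshd -T`, list the weak key exchange algorithms it still allows, and build
# the hardened KexAlgorithms directive with those entries removed.

# Assumption: this editor's list of algorithms to treat as weak (SHA-1 based / 1024-bit group).
WEAK_KEX="diffie-hellman-group1-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group14-sha1"

# Constructed sample of `sshd -T | grep -w kexalgorithms` output on an unhardened host.
SAMPLE_KEX_LINE="kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1"

# Strip the keyword and turn the comma-separated list into whitespace-separated words.
kex_list() {
    printf '%s\n' "$1" | sed 's/^[Kk]ex[Aa]lgorithms[[:space:]]*//' | tr ',' ' '
}

# Succeeds (exit 0) when $1 is one of the WEAK_KEX entries.
is_weak_kex() {
    for weak in $WEAK_KEX; do
        if [ "$1" = "$weak" ]; then return 0; fi
    done
    return 1
}

# Print one weak algorithm per line; prints nothing when the line is clean.
weak_kex_in() {
    for algo in $(kex_list "$1"); do
        if is_weak_kex "$algo"; then printf '%s\n' "$algo"; fi
    done
}

# Print the hardened directive for sshd_config (same order, weak entries dropped).
hardened_kex_line() {
    out=""
    for algo in $(kex_list "$1"); do
        if ! is_weak_kex "$algo"; then out="${out:+$out,}$algo"; fi
    done
    printf 'KexAlgorithms %s\n' "$out"
}

# Stand-alone run against the constructed sample; on a real host feed it
# "$(sshd -T | grep -w kexalgorithms)" instead.
weak_kex_in "$SAMPLE_KEX_LINE"
hardened_kex_line "$SAMPLE_KEX_LINE"
```

Because sshd uses the first value it finds for each keyword, check with `grep -n KexAlgorithms /etc/ssh/sshd_config` that no earlier directive exists before appending the hardened line, and run `sshd -t` to validate the file before restarting the service.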