linux redhat 7 sshd 指定sha256密钥算法hmac-sha2-256

Redhat 7 OpenSSH安全加固方案
最新推荐文章于 2025-10-04 16:27:45 发布
原创 最新推荐文章于 2025-10-04 16:27:45 发布 · 5.4k 阅读 · 2 ·
CC 4.0 BY-SA版权
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。

redhat 7 的openssh 默认sshd是可以用sha1算法的,处于安全考虑,升级到sha256算法。本文介绍安全加固的方案。

redhat 6对应的openssh版本太低,不支持sha256。

 

GBase 8a新版本已经支持这个安全加固项:https://www.gbase8.cn/2591

 

修改配置文件

/etc/ssh/sshd_config

增加如下参数

MACs hmac-sha2-256,hmac-sha2-256-etm@openssh.com

效果如下

已知的参数列表如下

hmac-sha1
hmac-sha1-96
hmac-md5
hmac-md5-96
hmac-sha2-256
hmac-ripemd160
hmac-ripemd160@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha1-96-etm@openssh.com
hmac-md5-etm@openshh.com
hmac-md5-96-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512
hmac-sha-512-etm@openssh.com

重启服务

[root@gbase_rh7_001 gbase]# systemctl restart sshd.service
SSH客户端不支持SHA256等加密算法:原因与解决方案,2024年最新成体系化的神级Linux运维进阶笔记,
m0_62673499的博客
04-15 798
最近很多小伙伴找我要Linux学习资料,于是我翻箱倒柜,整理了一些优质资源,涵盖视频、电子书、PPT等共享给大家!
Linux应用-加密和安全
qq_41596208的博客
02-22 2318
Linux应用-加密和安全加密和安全一、grep1. grep概念 加密和安全 一、grep 1. grep概念
centos---ssh安全脚本配置
rojanzhang的专栏
01-02 1176
1 检测规则 规则:需限制/etc/ssh/sshd_config的访问权限   威胁等级 High   规则描述 /etc/ssh/sshd_config文件包含sshd的配置内容。   审计描述 运行以下命令并验证Uid和Gid都是0/root,Access不向组或其他组授予权限: #stat /etc/s...
HAMAC算法2
west_cloth的博客
12-19 931
散列消息认证码)是一种使用密码散列函数,同时结合一个加密密钥,通过特别计算方式之后产生的消息认证码(MAC)。它可以用来保证数据的完整性,同时可以用来作某个消息的身份验证。HMAC算法 是一种基于密钥的报文完整性的验证方法。HMAC算法利用哈希运算,以一个密钥和一个消息为输入,生成一个消息摘要作为输出。其安全性是建立在Hash加密算法基础上的。它要求通信双方共享密钥、约定算法、对报文进行Hash运算,形成固定长度的认证码。通信双方通过认证码的校验来确定报文的合法性。
SecureCRT远程连接工具全面使用指南与实战配置
最新发布
weixin_42579969的博客
10-04 1079
SecureCRT是一款由VanDyke Software开发的专业级终端仿真工具,广泛应用于IT运维、系统管理及网络设备调试等场景。其核心功能涵盖SSH、Telnet、Serial等多种协议支持,可在Windows、macOS和Linux平台安全连接UNIX、Linux、VMS服务器及路由器、交换机等网络设备。在完成安全通道建立后,SSH进入用户认证阶段。SecureCRT支持三种主流认证方式:认证方式安全等级是否支持免密登录适用场景密码认证中等否。
SSH 基础用法
m0_64483960的博客
04-11 2万+
SSH 基础用法
HMAC-SHA256
热门推荐
叫好与叫座虽然不是对立面,但想在同一个作品中达到双重效果很难。
09-28 3万+
散列函数它被认为是一种单向函数——根据函数输出的结果,极难回推输入的数据。散列函数把消息数据打乱混合,压缩成散列值(摘要),使得数据量变小。SHA-256由美国国家安全局研发,是SHA-2下细分出的一种算法,属于SHA算法之一,是SHA-1的后继者。SHA-256(Secure Hash Algorithm 256,安全散列算法256)是散列函数(或哈希函数)的一种,对于任意长度的消息,SHA256都会产生一个256-bit(32-byte数组)的哈希值,称作消息摘要。
SHA-256HMAC-SHA256加密算法工具类
一颗小松丸的博客
05-31 3430
SHA-256HMAC-SHA256加密算法工具类
github ssh key的SHA256是什么
西京刀客
06-13 729
怎么知道github上自己的公钥指纹和本地的公钥是否一致?
scp -vvv -o PreferredAuthentications=publickey -oHostKeyAlgorithms=+ssh-rsa -oHostKeyAlgorithms=ssh-rsa -i /home/rataneodsftp/.ssh/id_rsa test.csv cciladmin@172.26.26.237:C:\\MXCCILFRSGIFTCITY\\unsent Executing: program /usr/bin/ssh host 172.26.26.237, user cciladmin, command scp -v -t C:\MXCCILFRSGIFTCITY\unsent OpenSSH_8.0p1, OpenSSL 1.1.1k FIPS 25 Mar 2021 debug1: Reading configuration data /etc/ssh/ssh_config debug3: /etc/ssh/ssh_config line 52: Including file /etc/ssh/ssh_config.d/05-redhat.conf depth 0 debug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf debug2: checking match for 'final all' host 172.26.26.237 originally 172.26.26.237 debug3: /etc/ssh/ssh_config.d/05-redhat.conf line 3: not matched 'final' debug2: match not found debug3: /etc/ssh/ssh_config.d/05-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1 (parse only) debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-] debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512] debug1: configuration requests final Match pass debug2: resolve_canonicalize: hostname 172.26.26.237 is address debug1: re-parsing configuration debug1: Reading configuration data /etc/ssh/ssh_config debug3: /etc/ssh/ssh_config line 52: Including file /etc/ssh/ssh_config.d/05-redhat.conf depth 0 debug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf debug2: checking match for 'final all' host 172.26.26.237 originally 172.26.26.237 debug3: /etc/ssh/ssh_config.d/05-redhat.conf line 3: matched 'final' debug2: match found debug3: /etc/ssh/ssh_config.d/05-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1 debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-] debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512] debug2: ssh_connect_direct debug1: Connecting to 172.26.26.237 [172.26.26.237] port 22. debug1: Connection established. debug1: identity file /home/rataneodsftp/.ssh/id_rsa type 0 debug1: identity file /home/rataneodsftp/.ssh/id_rsa-cert type -1 debug1: Local version string SSH-2.0-OpenSSH_8.0 debug1: Remote protocol version 2.0, remote software version OpenSSH_for_Windows_9.5 debug1: match: OpenSSH_for_Windows_9.5 pat OpenSSH* compat 0x04000000 debug2: fd 3 setting O_NONBLOCK debug1: Authenticating to 172.26.26.237:22 as 'cciladmin' debug3: send packet: type 20 debug1: SSH2_MSG_KEXINIT sent debug3: receive packet: type 20 debug1: SSH2_MSG_KEXINIT received debug2: local client KEXINIT proposal debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ext-info-c,kex-strict-c-v00@openssh.com debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa debug2: ciphers ctos: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc debug2: ciphers stoc: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 debug2: compression ctos: none,zlib@openssh.com,zlib debug2: compression stoc: none,zlib@openssh.com,zlib debug2: languages ctos: debug2: languages stoc: debug2: first_kex_follows 0 debug2: reserved 0 debug2: peer server KEXINIT proposal debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,kex-strict-s-v00@openssh.com debug2: host key algorithms: ssh-ed25519 debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com debug2: compression ctos: none,zlib@openssh.com debug2: compression stoc: none,zlib@openssh.com debug2: languages ctos: debug2: languages stoc: debug2: first_kex_follows 0 debug2: reserved 0 debug3: will use strict KEX ordering debug1: kex: algorithm: curve25519-sha256 debug1: kex: host key algorithm: ssh-ed25519 debug1: kex: server->client cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none debug1: kex: client->server cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none debug1: kex: curve25519-sha256 need=32 dh_need=32 debug1: kex: curve25519-sha256 need=32 dh_need=32 debug3: send packet: type 30 debug1: expecting SSH2_MSG_KEX_ECDH_REPLY debug3: receive packet: type 31 debug1: Server host key: ssh-ed25519 SHA256:9lZLI0U3Z1VQ1c27zyZuhyjIIsvYtYf0R8UvBPCqNQ0 debug3: hostkeys_foreach: reading file "/home/rataneodsftp/.ssh/known_hosts" debug3: record_hostkey: found key type ED25519 in file /home/rataneodsftp/.ssh/known_hosts:36 debug3: load_hostkeys: loaded 1 keys from 172.26.26.237 debug1: Host '172.26.26.237' is known and matches the ED25519 host key. debug1: Found key in /home/rataneodsftp/.ssh/known_hosts:36 debug3: send packet: type 21 debug1: resetting send seqnr 3 debug2: set_newkeys: mode 1 debug1: rekey out after 4294967296 blocks debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug3: receive packet: type 21 debug1: resetting read seqnr 3 debug1: SSH2_MSG_NEWKEYS received debug2: set_newkeys: mode 0 debug1: rekey in after 4294967296 blocks debug1: Will attempt key: /home/rataneodsftp/.ssh/id_rsa RSA SHA256:CHalTQ+japBghp74FxdPQGg1dqm1M8WQXBTbqGXl6i8 explicit debug2: pubkey_prepare: done debug3: send packet: type 5 debug3: receive packet: type 7 debug1: SSH2_MSG_EXT_INFO received debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com,ssh-dss,ssh-rsa,rsa-sha2-256,rsa-sha2-512> debug1: kex_input_ext_info: publickey-hostbound@openssh.com (unrecognised) debug1: kex_input_ext_info: ping@openssh.com (unrecognised) debug3: receive packet: type 6 debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug3: send packet: type 50 debug3: receive packet: type 53 debug3: input_userauth_banner ######################################################################### # This computer system, its network and data contained therein # # is the property of the Standard Chartered Group. Access to # # this computer and network is restricted to persons and programs # # authorised by the Group only. # # # # Access by others is prohibited and unauthorised, and is wrongful # # under law. Do not proceed if you are not authorised. Any # # unauthorised access will be prosecuted to the fullest extent of # # the law. # ######################################################################### debug3: receive packet: type 51 debug1: Authentications that can continue: password debug3: start over, passed a different list password debug3: preferred publickey debug1: No more authentication methods to try. cciladmin@172.26.26.237: Permission denied (password). lost connection
06-11
我们面临的核心问题是SCP连接尝试失败,从调试日志看已经出现了两个关键点:服务器主机密钥算法不匹配(客户端启用ssh-rsa但服务器仅支持ssh-ed25519),以及公钥认证未被服务器接受(服务器只提供密码认证)。...
以上问题在redhat enterprise linux8.6版本中的openssh的配置中是否存在
03-18
MACs hmac-sha2-256 ``` - 限制登录权限: ```plaintext PermitRootLogin no PasswordAuthentication no ``` 3. **服务管理与验证** - 升级后重启服务: ```bash systemctl restart sshd systemctl ...
嵌入式linux开发,HmacSHA256下载与使用
寞水
09-30 924
寞水
Linux系统下更改或更新SSH密钥密码的方法
qq_40907977的博客
11-11 1万+
本文介绍如何在Linux系统下更新或更改SSH密钥密码,也适用在Unix系统中。SSH密钥通常用于向某些信息系统的用户进行身份验证,SSH密钥本身是私钥,使用从密码短语导出的对称加密密钥进一步加密私钥,设置方法请参考怎么设置SSH密钥一文。 什么是SSH密钥密码 密码短语类似于密码,用于保护你的SSH私钥免受未经授权的访问和使用,始终建议为SSH密钥设置一个强密码,至少15个,最好是20个字符,使...
密码学学习笔记(二十一):SHA-256HMAC、NMAC、KMAC
weixin_54634208的博客
08-22 2258
SHA-256与NMAC/HMAC/KMAC
SSH客户端不支持SHA256等加密算法:原因与解决方案
十年运维开发经验的王义杰在此分享自己的知识和经验
09-12 2801
SSH加密算法的选择是多种多样的,但当我们遇到客户端不支持某种算法的问题时,通常通过更新SSH客户端、安装必要的依赖或者手动配置算法选项来解决。希望这篇文章能帮你解决SSH客户端不支持SHA256或其他算法的问题。如果有其他疑问或者需要进一步的解释,请随时提问。我也建议大家始终保持SSH客户端和服务器的版本是最新的,以获得最佳的安全性和性能。
SHA-256HMAC-SHA-256 的区别
qq_30531921的博客
04-08 1245
SHA-256HMAC-SHA-256 是两种基于哈希算法的加密技术,但它们的设计目的和应用场景不同。
SSH客户端不支持SHA256等加密算法:原因与解决方案(1),2024年最新相关资料参考
2401_83947105的博客
04-13 922
最近很多小伙伴找我要Linux学习资料,于是我翻箱倒柜,整理了一些优质资源,涵盖视频、电子书、PPT等共享给大家!
RedHat8 SSH应用
杨仕虎的博客
07-01 1332
远程协议 telnet,默认端口23,传输无加密 通常被当成检测TCP端口存活使用,生产环境不建议使用 ssh,默认端口22,传输基于加密 默认使用远程方式 SSH SSH(Secure Shell)安全shell缩写,可以基于RSA非对称加密和HA密钥交换算法实现加密传输。 有两个不兼容的版本分别是:1.x和2.x SSH1采用对称加密算法保护数据安全传输(最终2边秘钥相同),而对称加密算法密钥是通过非对称加密算法(RSA,2边不同,需要通过秘钥进行解密,防止秘钥被窃听)来完成交换的。
SSH客户端不支持SHA256等加密算法:原因与解决方案,字节跳动Linux运维开发面试题
2401_83947105的博客
04-13 553
外链图片转存中…(img-rF09TuRF-1713023849115)]
评论
成就一亿技术人!
拼手气红包6.0元
还能输入1000个字符
 
红包 添加红包
表情包 插入表情
表情包 代码片
 条评论被折叠 查看
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值