I am using ssh-keyscan to obtain public keys for a couple of SSH servers. One of my appliances only supports DSA / ssh-dss. ssh-keyscan with the "-t dsa" option is not able to get the public key while the Nmap script ssh-hostkey in fact is able to obtain it.

ssh-keyscan:

weberjoh@nb15-lx:~$ ssh-keyscan -t dsa ssg-mgmt
# ssg-mgmt:22 SSH-2.0-NetScreen

Nmap:

weberjoh@nb15-lx:~$ nmap --script ssh-hostkey ssg-mgmt

Starting Nmap 7.01 ( https://nmap.org ) at 2017-10-11 16:00 CEST
Nmap scan report for ssg-mgmt (192.168.120.3)
Host is up (0.0026s latency).
rDNS record for 192.168.120.3: ssg-mgmt.webernetz.net
Not shown: 998 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
| ssh-hostkey:
|_  1024 e7:5b:c9:a9:60:60:66:37:d6:90:bd:70:8f:76:e5:41 (DSA)
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 7.28 seconds

How can I use ssh-keyscan to show the DSA public key?

  • "OpenSSH 7.0 and greater similarly disable the ssh-dss (DSA) public key algorithm. It too is weak and we recommend against its use." Source: https://www.openssh.com/legacy.html – bgtvfr Nov 13 '17 at 15:43
  • This regression of `ssh-keyscan` was mentioned on the openssh-unix-dev mailing list: [ssh-keyscan of an sshd with legacy kex alg only](https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-May/035108.html) – pabouk - Ukraine stay strong Oct 10 '21 at 19:29

2 Answers


This might be due to new versions of OpenSSH not supporting DSA by default. On your client machine, try adding the following in your ~/.ssh/config:

PubkeyAcceptedKeyTypes=+ssh-dss

Also keep in mind that DSA keys might be less secure, so you should consider replacing them on your servers if possible.

Andrei Savin

  • Did not change anything. Indeed without adding +ssh-dss to HostKeyAlgorithms I cannot ssh to the device anyway. But even with your option "ssh-keyscan -t dsa ssg-mgmt" is not working. I am using KexAlgorithms +diffie-hellman-group1-sha1 HostKeyAlgorithms +ssh-dss PubkeyAcceptedKeyTypes +ssh-dss – Johannes Weber Oct 12 '17 at 08:02

Here's a workaround for ssh-keyscan not obeying ~/.ssh/config nor taking any options.

$ ssh -o UserKnownHostsFile=junk -o KexAlgorithms=+diffie-hellman-group1-sha1 192.168.1.2
The authenticity of host '192.168.1.2 (192.168.1.2)' can't be established.
RSA key fingerprint is SHA256:iCnx+DQCcb4rAfNEE71mDiFc+ej9X+XBzBd/5/ueDtE.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.2' (RSA) to the list of known hosts.
root@router:~# ^D
Connection to 192.168.1.2 closed.
$ cut -d' ' -f2- < junk > junk2
$ ssh-keygen -r 192.168.1.2 -f junk2
192.168.1.2 IN SSHFP 1 1 28.....17
192.168.1.2 IN SSHFP 1 2 882....ed1
$ rm -f junk junk2

and

ssh -o UserKnownHostsFile=junk -o KexAlgorithms=+diffie-hellman-group1-sha1 -o HostKeyAlgorithms=ssh-dss 192.168.1.2

if you want to force DSA instead of RSA.

And for the lazy among us:

h=192.168.1.2
for t in ssh-rsa ssh-dss ssh-ed25519 ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521; do
  ssh -o CheckHostIp=no -o StrictHostKeyChecking=no -o UserKnownHostsFile=junk \
      -o KexAlgorithms=+diffie-hellman-group1-sha1 -o HostKeyAlgorithms="${t}" "${h}" true \
    && cut -d' ' -f2- < junk > junk2 \
    && ssh-keygen -r "${h}" -f junk2
  rm -f junk junk2
done

which produces:

Warning: Permanently added '192.168.1.2' (RSA) to the list of known hosts.
192.168.1.2 IN SSHFP 1 1 28...17
192.168.1.2 IN SSHFP 1 2 882...ed1
Warning: Permanently added '192.168.1.2' (DSA) to the list of known hosts.
192.168.1.2 IN SSHFP 2 1 40..3c
192.168.1.2 IN SSHFP 2 2 26f...e6f
Unable to negotiate with 192.168.1.2 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss
...
MaZe
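The three fingerprint forms that appear on this page (Nmap's MD5 colon form, ssh's `SHA256:` base64 form, and the `SSHFP` records that `ssh-keygen -r` emits) are all hashes over the same raw public-key blob, so once the key has been captured into a known_hosts file it can be checked against whichever form was obtained out of band. The following is an added example, not code from either answer: it reproduces what the `cut -d' ' -f2- | ssh-keygen -r` step computes and adds a comparison helper. The DSA key blob it parses is constructed from toy parameters purely so the block runs offline; it is not a real key, and the hostname 192.168.1.2 is the one used in the answer above.

```python
# Added example (not from the original answers): compute the MD5 colon, SHA256 base64
# and SSHFP fingerprint forms of a captured SSH host key and compare them with an
# out-of-band value, which is the check the ssh-keygen -r workaround is used for.
import base64
import hashlib
import struct

# SSHFP algorithm numbers from RFC 4255 / RFC 6594 / RFC 7479.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length + payload)."""
    return struct.pack(">I", len(data)) + data


def _mpint(n: int) -> bytes:
    """Encode a positive integer as an SSH mpint (leading 0x00 byte when the top bit is set)."""
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def key_type_from_blob(blob: bytes) -> str:
    """The first wire string of a public-key blob names its algorithm (e.g. 'ssh-dss')."""
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode("ascii")


def parse_key_line(line: str, host=None):
    """Accept a known_hosts line ('host type base64') or a bare public-key line ('type base64'),
    the latter being what `cut -d' ' -f2-` leaves behind."""
    fields = line.split()
    if len(fields) >= 3 and not fields[0].startswith(("ssh-", "ecdsa-")):
        host, key_type, b64 = fields[0], fields[1], fields[2]
    else:
        key_type, b64 = fields[0], fields[1]
    if host is None:
        raise ValueError("a host name is needed for a bare public-key line")
    blob = base64.b64decode(b64)
    if key_type_from_blob(blob) != key_type:
        raise ValueError("key type field does not match the key blob")
    return host, key_type, blob


def fingerprint_set(line: str, host=None) -> dict:
    """All three fingerprint forms, each computed over the same raw key blob."""
    host, key_type, blob = parse_key_line(line, host)
    md5_hex = hashlib.md5(blob).hexdigest()
    sha1_hex = hashlib.sha1(blob).hexdigest()
    sha256 = hashlib.sha256(blob).digest()
    alg = SSHFP_ALGORITHM[key_type]
    return {
        "host": host,
        "key_type": key_type,
        "sshfp_alg": alg,
        # Nmap / older ssh-keygen style: 16 hex pairs separated by colons
        "md5": ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2)),
        # modern ssh style: SHA256: plus unpadded base64
        "sha256": "SHA256:" + base64.b64encode(sha256).decode().rstrip("="),
        "sha256_hex": sha256.hex(),
        # ssh-keygen -r style: fingerprint type 1 = SHA-1, type 2 = SHA-256
        "sshfp": [
            f"{host} IN SSHFP {alg} 1 {sha1_hex}",
            f"{host} IN SSHFP {alg} 2 {sha256.hex()}",
        ],
    }


def fingerprint_matches(fps: dict, expected: str) -> bool:
    """True if an out-of-band fingerprint (any of the three forms) matches the captured key.
    Hex forms are compared case-insensitively; the base64 form must match exactly."""
    e = expected.strip()
    if e == fps["sha256"]:
        return True
    e = e.lower()
    hex_forms = {fps["md5"], fps["sha256_hex"]} | {r.split()[-1] for r in fps["sshfp"]}
    return e in hex_forms


# Constructed sample: a syntactically valid ssh-dss blob built from toy numbers.
# It is NOT a real key; it only gives the functions above something to parse and hash.
_TOY_DSA_BLOB = _ssh_string(b"ssh-dss") + _mpint(23) + _mpint(11) + _mpint(4) + _mpint(8)
SAMPLE_KNOWN_HOSTS_LINE = "192.168.1.2 ssh-dss " + base64.b64encode(_TOY_DSA_BLOB).decode()

if __name__ == "__main__":
    fps = fingerprint_set(SAMPLE_KNOWN_HOSTS_LINE)
    print(fps["md5"])
    print(fps["sha256"])
    print("\n".join(fps["sshfp"]))
```

Feed it the `junk` file written by the `ssh -o UserKnownHostsFile=junk ...` step (or the `junk2` file left after `cut`, passing the host name explicitly) and compare the result with the fingerprint shown by Nmap or published in DNS before trusting the key; the SSHFP records it prints are the same records `ssh-keygen -r` produces, with the algorithm number taken from the key type rather than from any ssh-keygen option.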