When an ESXi host running the newer OpenSSH_8.8p1 and an ESXi host running an old OpenSSH build try to reach each other's sshd service, each using its own ssh client against the other's version of sshd, the two errors below appear. This post describes how to get around them.
Old ssh client connecting to the new sshd service
no matching mac found: client hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 server hmac-sha2-256,hmac-sha2-512
New ssh client connecting to the old sshd service
Unable to negotiate with 192.168.1.9 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss
ESXi hosts on which the errors occur
ESXi 5.5.0 host
# uname -a
VMkernel vmware-old 5.5.0 #1 SMP Release build-2403361 Jan 1 2015 00:02:53 x86_64 GNU/Linux
# ssh -V
OpenSSH_5.6p1, OpenSSL 1.0.1j 15 Oct 2014
ESXi 7.0.3 host
# uname -a
VMkernel vmware-new 7.0.3 #1 SMP Release build-20328353 Aug 22 2022 19:41:06 x86_64 x86_64 x86_64 ESXi
# ssh -V
OpenSSH_8.8p1, OpenSSL 1.0.2ze-fips 3 May 2022
Old version -> new version
Log in to the ESXi 5.5.0 host (vmware-old) with PuTTY and use its OpenSSH_5.6p1 ssh client to connect to the OpenSSH_8.8p1 sshd running on the ESXi 7.0.3 host (vmware-new); the attempt fails with the following error.
# ssh vmware-new
no matching mac found: client hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 server hmac-sha2-256,hmac-sha2-512
Adding -vvv to the ssh command prints debug output that shows the negotiation step by step. OpenSSH 5.6 does not label the two proposals: the first group of kex_parse_kexinit lines is the client's own proposal and the second group is the server's, each in KEXINIT order (key exchange, host key, cipher client-to-server and server-to-client, MAC client-to-server and server-to-client, compression, languages). The key-exchange lists share diffie-hellman-group-exchange-sha256 and the cipher lists share aes128-ctr, but the 5.6 client offers only hmac-md5, hmac-sha1, umac-64, hmac-ripemd160 and their truncated variants while the 8.8 sshd accepts only hmac-sha2-256 and hmac-sha2-512, so negotiation stops there. Note that the host key lists do not intersect either (the client knows only ssh-rsa and ssh-dss, the server offers only rsa-sha2-512, rsa-sha2-256 and ecdsa-sha2-nistp256), so relaxing the server's MACs alone would not make this client work.
# ssh -vvv vmware-new
OpenSSH_5.6p1, OpenSSL 1.0.1j 15 Oct 2014
debug2: ssh_connect: needpriv 0
debug1: Connecting to 192.168.1.10 [192.168.1.10] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /.ssh/id_rsa type -1
debug1: identity file /.ssh/id_rsa-cert type -1
debug1: identity file /.ssh/id_dsa type -1
debug1: identity file /.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.8
debug1: match: OpenSSH_8.8 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.6
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
debug2: kex_parse_kexinit: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256
debug2: kex_parse_kexinit: aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
debug2: kex_parse_kexinit: aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
debug2: kex_parse_kexinit: hmac-sha2-256,hmac-sha2-512
debug2: kex_parse_kexinit: hmac-sha2-256,hmac-sha2-512
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
no matching mac found: client hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 server hmac-sha2-256,hmac-sha2-512
New version -> old version
Log in to the ESXi 7.0.3 host (vmware-new) with PuTTY and use its OpenSSH_8.8p1 ssh client to connect to the OpenSSH_5.6p1 sshd running on the ESXi 5.5.0 host (vmware-old); the attempt fails with the following error.
# ssh vmware-old
Unable to negotiate with 192.168.1.9 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss
Adding -vvv again shows the negotiation. OpenSSH 8.8 labels the proposals explicitly (local client KEXINIT proposal, peer server KEXINIT proposal) and selects the key exchange and host key algorithm before the ciphers and MACs, which is why the first mismatch it reports is the host key type. Key exchange succeeds on diffie-hellman-group-exchange-sha256 and a MAC would be found (hmac-sha1 is in both lists), but the 5.6 sshd offers only ssh-rsa and ssh-dss, and an 8.8 client accepts neither by default: ssh-rsa (RSA signatures over SHA-1) was dropped from the default lists in OpenSSH 8.8, and ssh-dss has been disabled by default since OpenSSH 7.0. Unlike the previous case, the client still implements ssh-rsa, so this direction can be fixed on the client side (for example -o HostKeyAlgorithms=+ssh-rsa, scoped to that host only), at the cost of accepting a SHA-1 host key signature from that server.
# ssh -vvv 192.168.1.9
OpenSSH_8.8p1, OpenSSL 1.0.2ze-fips 3 May 2022
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolve_canonicalize: hostname 192.168.1.9 is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/.ssh/known_hosts2'
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug3: ssh_connect_direct: entering
debug1: Connecting to 192.168.1.9 [192.168.1.9] port 22.
debug3: set_sock_tos: set socket 3 IP_TOS 0x48
debug1: Connection established.
debug1: identity file /.ssh/id_rsa type -1
debug1: identity file /.ssh/id_rsa-cert type -1
debug1: identity file /.ssh/id_dsa type -1
debug1: identity file /.ssh/id_dsa-cert type -1
debug1: identity file /.ssh/id_ecdsa type -1
debug1: identity file /.ssh/id_ecdsa-cert type -1
debug1: identity file /.ssh/id_ecdsa_sk type -1
debug1: identity file /.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /.ssh/id_ed25519 type -1
debug1: identity file /.ssh/id_ed25519-cert type -1
debug1: identity file /.ssh/id_ed25519_sk type -1
debug1: identity file /.ssh/id_ed25519_sk-cert type -1
debug1: identity file /.ssh/id_xmss type -1
debug1: identity file /.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.6
debug1: compat_banner: match: OpenSSH_5.6 pat OpenSSH_5* compat 0x0c000002
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 192.168.1.9:22 as 'root'
debug1: load_hostkeys: fopen /.ssh/known_hosts: No such file or directory
debug1: load_hostkeys: fopen /.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug3: order_hostkeyalgs: no algorithms matched; accept original
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa,ssh-dss
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc
debug2: MACs ctos: hmac-sha1,hmac-sha1-96
debug2: MACs stoc: hmac-sha1,hmac-sha1-96
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: (no match)
Unable to negotiate with 192.168.1.9 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss
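To make the two failures above reproducible without the hosts, here is an added example (not part of the original post, and not VMware's or OpenSSH's code) that replays the algorithm selection of RFC 4253 section 7.1: for each KEXINIT field it picks the first entry in the client's list that the server also offers, using the proposals copied from the two -vvv traces. It resolves all four fields instead of stopping at the first mismatch, so in the 5.6 -> 8.8 case it also surfaces the host key mismatch that the 5.6 client never gets far enough to report, and for each failure it states whether the client can fix it alone (by re-enabling an algorithm it implements but no longer advertises, via OpenSSH's `+` option syntax) or whether only a server-side sshd_config change or a client upgrade will do. The `ssh -Q`-style "supported" lists are assumptions: the 5.6 client is taken to advertise everything it implements, and the 8.8 client's list is abbreviated and extended with ssh-rsa and ssh-dss, which OpenSSH 8.8 still implements but disables by default. The 8.8 client's host key proposal is also shortened (sk-* entries omitted).

```python
"""Replay SSH algorithm negotiation offline from the KEXINIT proposals in the traces."""

# KEXINIT field -> ssh_config / ssh -o option that controls the client's list
OPTION_FOR = {"kex": "KexAlgorithms", "hostkey": "HostKeyAlgorithms",
              "cipher": "Ciphers", "mac": "MACs"}


def split_list(name_list):
    """Parse an SSH name-list ('a,b,c') into a Python list, dropping empty names."""
    return [n for n in name_list.split(",") if n]


def negotiate(client, server):
    """RFC 4253 s7.1: the first entry of the client's list that the server also lists."""
    offered = set(split_list(server))
    return next((alg for alg in split_list(client) if alg in offered), None)


def diagnose(field, client, server, client_supported):
    """Resolve one KEXINIT field and, on mismatch, say which side can fix it.

    client_supported stands for what `ssh -Q <field>` prints on the client: every
    algorithm the binary implements, including ones disabled by default.  If the
    server offers one of those, the client can re-enable it with the '+' syntax;
    otherwise only a server-side sshd_config change or a client upgrade helps.
    """
    chosen = negotiate(client, server)
    if chosen:
        return {"field": field, "chosen": chosen, "fix": None}
    implemented = set(split_list(client_supported))
    usable = [alg for alg in split_list(server) if alg in implemented]
    if usable:  # server's own preference order; re-enable only the first one
        fix = "client: -o %s=+%s" % (OPTION_FOR[field], usable[0])
    else:
        fix = "server: widen %s in sshd_config, or upgrade the client" % OPTION_FOR[field]
    return {"field": field, "chosen": None, "fix": fix}


# --- Case A: OpenSSH_5.6 client -> OpenSSH_8.8 sshd (lists copied from the 5.6 trace) ---
OLD_CLIENT = {
    "kex": "diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,"
           "diffie-hellman-group14-sha1,diffie-hellman-group1-sha1",
    "hostkey": "ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,"
               "ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss",
    "cipher": "aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,"
              "blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se",
    "mac": "hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,"
           "hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96",
}
NEW_SERVER = {
    "kex": "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,"
           "diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,"
           "diffie-hellman-group18-sha512,diffie-hellman-group14-sha256",
    "hostkey": "rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256",
    "cipher": "aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr",
    "mac": "hmac-sha2-256,hmac-sha2-512",
}
# Assumption: a 5.6 client advertises everything it implements, so `ssh -Q` == proposal.
OLD_CLIENT_SUPPORTED = OLD_CLIENT

# --- Case B: OpenSSH_8.8 client -> OpenSSH_5.6 sshd (lists copied from the 8.8 trace) ---
NEW_CLIENT = {
    "kex": "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,"
           "diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,"
           "diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c",
    "hostkey": "ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,"
               "rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,"
               "ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,"
               "rsa-sha2-512,rsa-sha2-256",  # abbreviated: sk-* entries omitted
    "cipher": "aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com",
    "mac": "hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,"
           "hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1",
}
OLD_SERVER = {
    "kex": "diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,"
           "diffie-hellman-group14-sha1,diffie-hellman-group1-sha1",
    "hostkey": "ssh-rsa,ssh-dss",
    "cipher": "aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc",
    "mac": "hmac-sha1,hmac-sha1-96",
}
# Assumption: abbreviated `ssh -Q key` output of an 8.8 client.  ssh-rsa (RSA over
# SHA-1) and ssh-dss are still implemented there, just no longer in the default list.
NEW_CLIENT_SUPPORTED = dict(NEW_CLIENT, hostkey=NEW_CLIENT["hostkey"] + ",ssh-rsa,ssh-dss")


def run_case(client, server, client_supported):
    """Resolve all four fields in KEXINIT field order (kex, hostkey, cipher, mac)."""
    return {f: diagnose(f, client[f], server[f], client_supported[f]) for f in OPTION_FOR}


if __name__ == "__main__":
    cases = (("5.6 client -> 8.8 sshd", (OLD_CLIENT, NEW_SERVER, OLD_CLIENT_SUPPORTED)),
             ("8.8 client -> 5.6 sshd", (NEW_CLIENT, OLD_SERVER, NEW_CLIENT_SUPPORTED)))
    for title, args in cases:
        print(title)
        for field, r in run_case(*args).items():
            print("  %-8s %s" % (field, r["chosen"] or "NO MATCH -> " + r["fix"]))
```

Run it directly to get a per-field verdict for both directions. Note that the real clients check the fields in different orders (5.6 checks ciphers and MACs before key exchange and host key, 8.8 the other way round), which is why each prints a different first error; the example reports everything. Whatever it suggests, put a HostKeyAlgorithms=+ssh-rsa in a Host block of ~/.ssh/config for the old server only rather than setting it globally: it re-enables SHA-1-based host key signatures, and leaving it on for every host undoes the hardening that caused the error in the first place.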
Connection checks between other OpenSSH versions
The same check, ssh client to sshd service, was repeated across several different OSes that ship the following OpenSSH versions by default.
No | ssh -V |
---|---|
1 | OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013 |
2 | OpenSSH_5.6p1, OpenSSL 1.0.1j 15 Oct 2014 |
3 | OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017 |
4 | OpenSSH_8.0p1, OpenSSL 1.1.1g FIPS 21 Apr 2020 |
5 | OpenSSH_8.1p1, OpenSSL 1.0.2zf-fips 21 Jun 2022 |
6 | OpenSSH_8.8p1, OpenSSL 1.0.2ze-fips 3 May 2022 |
The OK/NG results obtained in this post for connections from each ssh client version above (rows) to each sshd version (columns) are as follows.
ssh client \ sshd server | No.1 | No.2 | No.3 | No.4 | No.5 | No.6 |
---|---|---|---|---|---|---|
No.1 | – | OK | OK | OK | OK | NG |
No.2 | OK | – | OK | OK | OK | NG |
No.3 | OK | OK | – | OK | OK | NG |
No.4 | OK | OK | OK | – | OK | NG |
No.5 | OK | OK | OK | OK | – | OK |
No.6 | NG | NG | NG | NG | OK | – |