在线等：RHEL下面运行ssh命令时，-c的参数读取的ssh_config里面那个参数？

lelo

我用rhel登录pix防火墙，pix那边是sshv1的，必须要加-c des参数才能成功登录。
请问ssh -c cipher_spec这个参数是否是读取的本地ssh_config文件里面的Cipher这个参数？如何保证本地客户端能够同时登录sshv1、sshv2的服务器？
谢谢！

chenyx

用户输入的参数应该会覆盖配置文件的那个参数

lelo

能否通过配置文件来设置用户通过ssh登录的Encryption type为des？正常的登录过程是这样的：
ssh -v -1 -c des pix@10.63.128.80
OpenSSH_4.7p1 Debian-8ubuntu1.2, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 10.63.128.80 [10.63.128.80] port 22.
debug1: Connection established.
debug1: identity file /home/sunrc/.ssh/identity type -1
debug1: Remote protocol version 1.5, remote software version Cisco-1.25
debug1: no match: Cisco-1.25
debug1: Local version string SSH-1.5-OpenSSH_4.7p1 Debian-8ubuntu1.2
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (2048 bits).
debug1: Host '10.63.128.80' is known and matches the RSA1 host key.
debug1: Found key in /home/sunrc/.ssh/known_hosts:1
debug1: Encryption type: des
debug1: Sent encrypted session key.
Warning: use of DES is strongly discouraged due to cryptographic weaknesses
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Doing password authentication.
pix@10.63.128.80's password:
debug1: Requesting pty.
debug1: Requesting shell.
debug1: Entering interactive session.
debug1: fd 0 clearing O_NONBLOCK
Type help or '?' for a list of available commands.
CallCentre>
如果不加des参数，就会采用默认的3des算法，出现Selected cipher type <unknown> not supported by server.的错误：
ssh -v -l -c 10.63.128.80

OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 10.63.128.80[10.63.128.80] port 22.
debug1: Connection established.
debug1: identity file /home/fimas/.ssh/identity type -1
debug1: identity file /home/fimas/.ssh/id_rsa type -1
debug1: identity file /home/fimas/.ssh/id_dsa type -1
debug1: loaded 3 keysdebug1: Remote protocol version 1.5, remote software version Cisco-1.25
debug1: no match: Cisco-1.25
debug1: Local version string SSH-1.5-OpenSSH_4.3
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host '10.238.248.134' is known and matches the RSA1 host key.
debug1: Found key in /home/fimas/.ssh/known_hosts:2
Selected cipher type <unknown> not supported by server.
[localhost ~]$

chenyx

用配置文件,楼主还不如做个alias呢,比如alias ssh3="ssh -v -1 -c des",以后用防火墙的时候,用ssh3吧

lelo

上述过程是写在程序里的，能通过配置文件解决最好，要不然就得惊动研发改程序了，研发只见过sshv2，没见过sshv1。呵呵！

chenyx

ssh obtains configuration data from the following sources in the following order:
           1.   command-line options
           2.   user’s configuration file (~/.ssh/config)
           3.   system-wide configuration file (/etc/ssh/ssh_config)

楼主man ssh_config,就可以看到完整的帮助了.
配置里面可以针对host进行配置的.

lelo

那个文件我做了配置，如下：
# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
#   Protocol 2,1
#   Cipher 3des
#   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
Host boss-rz-pix535-01
        Cipher des
Host *
        GSSAPIAuthentication yes
# If this option is set to yes then remote X11 clients will have full access
# to the original X11 display. As virtually no X11 client supports the untrusted
# mode correctly we set this to yes.
        ForwardX11Trusted yes
# Send locale-related environment variables
        SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
        SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
        SendEnv LC_IDENTIFICATION LC_ALL


然后在hosts里面增加了10.63.128.80    boss-rz-pix535-01，
结果还是不行。
运行ssh -v -1 -c des 10.63.128.80都不能登录了，报告：
ssh:des:Temporary failure in name resolution

chenyx

你把机器名换成ip,Cipher des前面加Protocol 1
测试下

lelo

谢谢版主！明天试一下！

lelo

已经解决，按照版主的建议：
Host {IP_Address}
        Protocol 1
        Cipher des
多谢！