Hey SSH-knowers, is there a way for me to set ssh_config options based on the version of the remote sshd? My use-case is, I have a bunch of ancient Solaris 10 hosts with a known version string containing Sun_SSH, which need correspondingly ancient KexAlgorithms, MACs, HostKeyAlgorithms, and PubkeyAcceptedKeyTypes set. Client is OpenSSH 9.5.
Discussion
Loading...
@jpm I dunno if there's a smarter way but you can use match exec, so presumably you could have netcat/socat make a connection, pick up the banner, and return immediately, piped into a grep for those versions (alternatively write a small binary to do the covering and return a 0 if it's old or 1 if not).
Note that it's a bit of a disaster for security doing any of this though, depending on your threat model - anyone who could MitM the connection could trick your current into downgrading.
@fwaggle yes I do understand the security implications of doing this (it’s why I didn’t post the actual version string)
@jpm This would also be fairly noisy, resulting in one or more "connection dropped before auth" your messages in the ssh log of every server you connected to. Not sure if that would be more annoying than manually adding blocks for each host. 😅
bonfire.cafe
A space for Bonfire maintainers and contributors to communicate
Automatic federation enabled