
I am trying to better understand how ssh does host authentication. I am ssh'ing from a macbook pro (OSX 10.14.6) to several CentOS 8.1 servers. There are several files on the remote CentOS servers in /etc/ssh/ that are used for the host-based authentication (e.g. ssh_host_ed25519_key.pub, ssh_host_dsa_key.pub, ssh_host_rsa_key.pub).

If I look at my macbook's local ~/.ssh/known_hosts, I see entries that use ssh-rsa which corresponds to /etc/ssh/ssh_host_rsa_key.pub. I also see entries for ecdsa-sha2-nistp256 which correspond to /etc/ssh/ssh_host_ecdsa_key.pub.

Question:

  1. When I ssh into my remote server, is there a way for me to force ssh to use a particular algorithm for the host authentication or is this something that I'll have to change by hand in known_hosts? E.g. force it to use ssh_host_ecdsa_key.pub instead of ssh_host_rsa_key.pub.

  2. How does ssh by default decide which algorithm to use for host authentication?

irritable_phd_syndrome

1 Answer


You can use the -o flag to specify options for SSH. One of these options is HostKeyAlgorithms which will control which algorithms your client offers, see: https://man.openbsd.org/ssh.

If you run ssh with the -vv flag you can see the offer that is made by your client. Then the server chooses the first algorithm offered by the client that it supports. I would guess that the different servers support different algorithms.

Dongo
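As an added illustration (not part of the answer above), the snippet below reads a known_hosts file, reports which host-key types it has recorded for a host (handling both plain and HashKnownHosts-style `|1|` entries), prints the same SHA256 fingerprint that `ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub` shows on the server so the two can be compared, and builds the `ssh -o HostKeyAlgorithms=...` invocation that pins one type. The hostnames and key material in SAMPLE_KNOWN_HOSTS are constructed filler, not real hosts or keys.

```python
import base64
import hashlib
import hmac

def make_blob(key_type: str, material: bytes) -> str:
    """Base64 key blob with the algorithm name first, as real host keys carry it (constructed filler)."""
    s = lambda b: len(b).to_bytes(4, "big") + b  # SSH wire-format string
    return base64.b64encode(s(key_type.encode()) + s(material)).decode()

def hashed_host(hostname: str, salt: bytes) -> str:
    """Host field as HashKnownHosts writes it: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

# Constructed known_hosts: one server recorded under two key types (plain and hashed host forms) plus another host.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "centos1.example.com,10.0.0.5 ssh-rsa " + make_blob("ssh-rsa", b"\x01" * 32),
    hashed_host("centos1.example.com", b"\x02" * 20)
    + " ecdsa-sha2-nistp256 " + make_blob("ecdsa-sha2-nistp256", b"\x03" * 65),
    "other.example.com ssh-ed25519 " + make_blob("ssh-ed25519", b"\x04" * 32),
])

def host_matches(field: str, hostname: str) -> bool:
    """True if a host field (comma-separated list or |1| hashed form) names hostname."""
    if field.startswith("|1|"):
        return hashed_host(hostname, base64.b64decode(field.split("|")[2])) == field
    return hostname in field.split(",")

def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint as `ssh-keygen -lf` prints it (unpadded base64 of the blob's sha256)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def key_types_for(known_hosts: str, hostname: str) -> list:
    """(key_type, fingerprint) for every known_hosts entry that matches hostname, in file order."""
    found = []
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(("#", "@")):  # blanks, comments, @cert-authority/@revoked
            continue
        if host_matches(parts[0], hostname):
            found.append((parts[1], fingerprint(parts[2])))
    return found

def pinned_ssh_command(hostname: str, key_type: str) -> list:
    """ssh argv that offers only key_type; -vv prints the offer and the server's pick."""
    return ["ssh", "-vv", "-o", "HostKeyAlgorithms=" + key_type, hostname]
```

If the fingerprint recorded for a host differs from the one the server's own /etc/ssh/ssh_host_*_key.pub yields, the known_hosts entry is stale or was recorded from a different machine and should be investigated before reconnecting.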