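SSH connection error Server responded “Algorithm negotiation failed”: ssh service fails to restart after editing sshd_config

Overview

When connecting to an Ubuntu or CentOS server with an SSH client, the connection fails with Server responded “Algorithm negotiation failed”, and after editing sshd_config as suggested online, the ssh service fails to restart. The restart fails because the algorithms added to the file do not match the ones the server supports. Change the added algorithms to ones the server supports and the connection works again.

Problem description

Connecting with an SSH client fails with Server responded “Algorithm negotiation failed” (see the figure below).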

ssh connect failed

Almost every fix found online says to add the following to the sshd_config file (this is the faulty configuration from the web):

Ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour128,arcfour256,arcfour,blowfish-cbc,cast128-cbc

MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha1-96,hmac-md5-96

KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org

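Restarting the ssh service then fails with “Job for sshd.service failed because the control process exited with error code.” Running systemctl status sshd.service shows the failed start, and sshd -T reports an error in the sshd_config file, “Bad SSH2 cipher spec” or “Bad SSH2 mac spec”, as shown in the figure below.

ssh service fails to start: status from systemctl status sshd.service, cause reported by sshd -T

Solution

1. Edit the /etc/ssh/sshd_config file

Since the SSH client cannot connect, first log in another way (for example Alibaba Cloud's Workbench remote connection, or another client such as WinSCP), then append the following to /etc/ssh/sshd_config (this is the corrected configuration; if problems remain, use step 3 to check that the added algorithms match the ones the server supports):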

Ciphers 3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com

MACs hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-sha2-512,hmac-md5,hmac-md5-96,umac-64@openssh.com,umac-128@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com

KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,curve25519-sha256,curve25519-sha256@libssh.org,sntrup4591761x25519-sha512@tinyssh.org

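2. Restart the ssh service

CentOS 7 command: systemctl restart sshd.service
CentOS 6 command: service sshd restart
Ubuntu command: sudo /etc/init.d/ssh restart

After restarting the ssh service, log in again with the SSH client. If that succeeds, the problem is solved; if the restart fails, continue with the next step.

3. Check that the algorithms in the added lines match the ones the server supports

Use the ssh -Q cipher and ssh -Q mac commands to list the algorithms the server supports (ssh -Q cipher lists the supported ciphers, ssh -Q mac lists the supported MACs). If they differ from what was added, change the added lines to algorithms the server supports and restart again; the ssh service then starts and the connection works.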

root@iZrj94lwm4mnih5ssn7x6lZ:~# ssh -Q cipher
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
root@iZrj94lwm4mnih5ssn7x6lZ:~# ssh -Q mac
hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
hmac-md5
hmac-md5-96
umac-64@openssh.com
umac-128@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha1-96-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
hmac-md5-etm@openssh.com
hmac-md5-96-etm@openssh.com
umac-64-etm@openssh.com
umac-128-etm@openssh.com
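
An added example, not part of the original post: a small shell check that lists exactly which names in a Ciphers, MACs or KexAlgorithms line the local OpenSSH build does not support, which is what step 3 does by eye. The function names unsupported_algs and check_config are made up for this example, ssh -Q kex (not shown in the post) is the matching query for KexAlgorithms, and the demo data is the post's own ssh -Q cipher output and the Ciphers line copied from the web.

```shell
#!/bin/sh
# Added example (not from the original post): list the names that make sshd
# reject a Ciphers/MACs/KexAlgorithms line, before the service is restarted.

# unsupported_algs SUPPORTED LIST   (hypothetical helper)
#   SUPPORTED: newline-separated names, as printed by `ssh -Q cipher|mac|kex`
#   LIST:      comma-separated value of the directive
# Prints every name in LIST that is missing from SUPPORTED, one per line.
unsupported_algs() {
    case $2 in
        -*) return 0 ;;    # a leading "-" marks removal patterns, not names
    esac
    printf '%s\n' "${2#[+^]}" | tr ',' '\n' | while IFS= read -r alg; do
        [ -n "$alg" ] || continue
        printf '%s\n' "$1" | grep -Fxq -- "$alg" || printf '%s\n' "$alg"
    done
}

# check_config FILE CIPHERS MACS KEX   (hypothetical helper)
#   Checks the first Ciphers, MACs and KexAlgorithms line of FILE against the
#   three supported lists. Prints "keyword: name" for each unsupported name
#   and returns 1 if there is any.
check_config() {
    cc_status=0
    for cc_pair in "ciphers:$2" "macs:$3" "kexalgorithms:$4"; do
        cc_key=${cc_pair%%:*}
        cc_value=$(awk -v k="$cc_key" 'tolower($1) == k { print $2; exit }' "$1")
        cc_bad=$(unsupported_algs "${cc_pair#*:}" "$cc_value")
        [ -z "$cc_bad" ] || {
            printf '%s\n' "$cc_bad" | sed "s/^/$cc_key: /"
            cc_status=1
        }
    done
    return "$cc_status"
}

# On the server, before restarting sshd:
#   check_config /etc/ssh/sshd_config "$(ssh -Q cipher)" "$(ssh -Q mac)" "$(ssh -Q kex)"

# Demo on the post's own data: its `ssh -Q cipher` output and the Ciphers
# line copied from the web.
SUPPORTED_CIPHERS=$(printf '%s\n' 3des-cbc aes128-cbc aes192-cbc aes256-cbc \
    rijndael-cbc@lysator.liu.se aes128-ctr aes192-ctr aes256-ctr \
    aes128-gcm@openssh.com aes256-gcm@openssh.com chacha20-poly1305@openssh.com)
WEB_CIPHERS='aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour128,arcfour256,arcfour,blowfish-cbc,cast128-cbc'
unsupported_algs "$SUPPORTED_CIPHERS" "$WEB_CIPHERS"
```

sshd -t remains the final gate after editing: it exits non-zero on the same errors and is what the Ubuntu unit runs as ExecStartPre. An explicit list replaces OpenSSH's defaults, while a value starting with + appends to them, which is why the helper accepts that form.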

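Cause

The cause is that after an SSH upgrade, some of the older algorithms are no longer enabled by default for security reasons, so the algorithms the server supports have to be added manually. The ssh service fails to restart because the algorithms we added do not match the ones the server provides.

Finally, here is the full process of resolving the failed ssh restart after editing sshd_config, on Ubuntu and on CentOS.

Resolving the failed ssh service restart on Ubuntu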

root@iZrj94lwm4mnih5ssn7x6lZ:~# sudo /etc/init.d/ssh restart
Restarting ssh (via systemctl): ssh.serviceJob for ssh.service failed because the control process exited with error code.
See "systemctl status ssh.service" and "journalctl -xe" for details.
failed!
root@iZrj94lwm4mnih5ssn7x6lZ:~# systemctl status ssh.service
● ssh.service - OpenBSD Secure Shell server
Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Wed 2022-03-16 16:46:02 CST; 37s ago
Docs: man:sshd(8)
man:sshd_config(5)
Process: 35125 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=255/EXCEPTION)
Tasks: 2 (limit: 2340)
Memory: 4.4M
CPU: 7ms
CGroup: /system.slice/ssh.service
├─35076 sshd: root [priv]
└─35077 sshd: root [net]

Mar 16 16:46:02 iZrj94lwm4mnih5ssn7x6lZ systemd[1]: ssh.service: Unit process 35076 (sshd) remains running after unit stopped.
Mar 16 16:46:02 iZrj94lwm4mnih5ssn7x6lZ systemd[1]: ssh.service: Unit process 35077 (sshd) remains running after unit stopped.
Mar 16 16:46:02 iZrj94lwm4mnih5ssn7x6lZ systemd[1]: Failed to start OpenBSD Secure Shell server.
Mar 16 16:46:02 iZrj94lwm4mnih5ssn7x6lZ systemd[1]: ssh.service: Scheduled restart job, restart counter is at 5.
Mar 16 16:46:02 iZrj94lwm4mnih5ssn7x6lZ systemd[1]: Stopped OpenBSD Secure Shell server.
Mar 16 16:46:02 iZrj94lwm4mnih5ssn7x6lZ systemd[1]: ssh.service: Start request repeated too quickly.
Mar 16 16:46:02 iZrj94lwm4mnih5ssn7x6lZ systemd[1]: ssh.service: Failed with result 'exit-code'.
Mar 16 16:46:02 iZrj94lwm4mnih5ssn7x6lZ systemd[1]: ssh.service: Unit process 35076 (sshd) remains running after unit stopped.
Mar 16 16:46:02 iZrj94lwm4mnih5ssn7x6lZ systemd[1]: ssh.service: Unit process 35077 (sshd) remains running after unit stopped.
Mar 16 16:46:02 iZrj94lwm4mnih5ssn7x6lZ systemd[1]: Failed to start OpenBSD Secure Shell server.
root@iZrj94lwm4mnih5ssn7x6lZ:~# sshd -T
/etc/ssh/sshd_config line 131: Bad SSH2 cipher spec 'aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour128,arcfour256,arcfour,blowfish-cbc,cast128-cbc'.
root@iZrj94lwm4mnih5ssn7x6lZ:~# ssh -Q cipher
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
root@iZrj94lwm4mnih5ssn7x6lZ:~# ssh -Q mac
hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
hmac-md5
hmac-md5-96
umac-64@openssh.com
umac-128@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha1-96-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
hmac-md5-etm@openssh.com
hmac-md5-96-etm@openssh.com
umac-64-etm@openssh.com
umac-128-etm@openssh.com
root@iZrj94lwm4mnih5ssn7x6lZ:~# vim /etc/ssh/sshd_config
root@iZrj94lwm4mnih5ssn7x6lZ:~# sudo /etc/init.d/ssh restart
Restarting ssh (via systemctl): ssh.service.

Resolving the failed ssh service restart on CentOS

[root@iZrj974bqirdpo7lyi8a9eZ ~]# service sshd restart
Redirecting to /bin/systemctl restart sshd.service
Job for sshd.service failed because the control process exited with error code.
See "systemctl status sshd.service" and "journalctl -xe" for details.
[root@iZrj974bqirdpo7lyi8a9eZ ~]# systemctl status sshd.service
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: activating (auto-restart) (Result: exit-code) since Thu 2022-03-17 10:02:44 CST; 21s ago
     Docs: man:sshd(8)
           man:sshd_config(5)
  Process: 708494 ExecStart=/usr/sbin/sshd -D $OPTIONS $CRYPTO_POLICY (code=exited, status=255)
 Main PID: 708494 (code=exited, status=255)
    Tasks: 1 (limit: 23712)
   Memory: 9.6M
   CGroup: /system.slice/sshd.service
           └─708381 sshd: [accepted]
[root@iZrj974bqirdpo7lyi8a9eZ ~]# sshd -T
/etc/ssh/sshd_config line 153: Bad SSH2 cipher spec 'aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour128,arcfour256,arcfour,blowfish-cbc,cast128-cbc'.
[root@iZrj974bqirdpo7lyi8a9eZ ~]# ssh -Q cipher
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
[root@iZrj974bqirdpo7lyi8a9eZ ~]# ssh -Q mac
hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
hmac-md5
hmac-md5-96
umac-64@openssh.com
umac-128@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha1-96-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
hmac-md5-etm@openssh.com
hmac-md5-96-etm@openssh.com
umac-64-etm@openssh.com
umac-128-etm@openssh.com
[root@iZrj974bqirdpo7lyi8a9eZ ~]# vim /etc/ssh/sshd_config
[root@iZrj974bqirdpo7lyi8a9eZ ~]# service sshd restart
Redirecting to /bin/systemctl restart sshd.service
[root@iZrj974bqirdpo7lyi8a9eZ ~]# systemctl restart sshd.service

Please credit the source when reposting: 半亩方塘 » SSH connection error Server responded “Algorithm negotiation failed”: ssh service fails to restart after editing sshd_config