Scanning SSH Servers

For administrative purposes, SSH is used quite often. Almost everyone in IT knows it. Keywords: OpenSSH, simply using “ssh <hostname>” on your machine, PuTTY for Windows, username + password or public key authentication, TCP port 22, simple firewall rules, ignoring the fingerprints 🤦‍♂️, SCP and SFTP. That’s it – basically.

However, it gets much more complicated if you look into the details. You have to deal with many different types and representations of fingerprints, as well as crypto algorithms. Troubleshooting specific connection problems is challenging.

To get an overview of your SSH server’s configuration is to scan them with appropriate tools. I’m showing two of them here: ssh_scan and the Nmap script “ssh2-enum-algos“.

I’m using an Ubuntu 20.04.5 LTS (GNU/Linux 5.4.0-139-generic x86_64) for the following.


An SSH configuration and policy scanner“. Unfortunately, the GitHub repository has been marked as deprecated. However, you can still install it:

Usage is simple: ssh_scan -t <hostname|ip>. The output gives you many insights about the keys (along with their fingerprints), the encryption-, mac-, and key-algorithms, SSHFP dns_keys, and so forth. IPv6 is preferred, as it should be.

This is a test run against an Ubuntu 18.04.6 LTS:

And this is against an old Cisco 2811 router with IOS version 12.3(8r)T7:

Note the recommendations and the grade.

Nmap Script ssh2-enum-algos

Another way is to use Nmap along with an NSE (Nmap Scripting Engine) script: ssh2-enum-algos. The call is simple as well: nmap --script ssh2-enum-algos <hostname|ip>. The output shows the algorithms only, as the name of the script suggests. As always with Nmap: If you want to scan via IPv6, you have to specify it with “-6” explicitly.

Again, this is a test run against the Ubuntu 18.04.6 LTS:

And this is against the old Cisco 2811 router with IOS version 12.3(8r)T7:


It’s just the very first step to merely look at your SSH servers. If you have to troubleshoot connection errors, you have to capture and analyse them in-depth. But if you want to know which protocols, keys, and so forth are possible, those SSH scanners do a great job.

If you want to improve your SSH server configuration, have a look at this guide.

Photo by Snowscat on Unsplash.

One thought on “Scanning SSH Servers

  1. I tried this on “Ubuntu 22.04.3 LTS” jammy and it didn’t work :-(

    $ sudo gem install ssh_scan
    Fetching sshkey-2.0.0.gem
    Fetching net-ssh-6.0.2.gem
    Fetching netaddr-2.0.4.gem
    Fetching bindata-2.4.3.gem
    Fetching bcrypt_pbkdf-1.0.1.gem
    Fetching ed25519-1.2.4.gem
    Fetching ssh_scan-0.0.44.gem

    $ ssh_scan -t tower
    # terminated with exception (report_on_exception is true):
    /var/lib/gems/3.0.0/gems/net-ssh-6.0.2/lib/net/ssh/transport/openssl.rb:152:in public_key=': pkeys are immutable on OpenSSL 3.0 (OpenSSL::PKey::PKeyError)
    from /var/lib/gems/3.0.0/gems/net-ssh-6.0.2/lib/net/ssh/transport/openssl.rb:152:in
    from /var/lib/gems/3.0.0/gems/net-ssh-6.0.2/lib/net/ssh/buffer.rb:325:in read_keyblob'
    from /var/lib/gems/3.0.0/gems/net-ssh-6.0.2/lib/net/ssh/buffer.rb:248:in
    from /var/lib/gems/3.0.0/gems/net-ssh-6.0.2/lib/net/ssh/known_hosts.rb:148:in block (2 levels) in keys_for'
    from /var/lib/gems/3.0.0/gems/net-ssh-6.0.2/lib/net/ssh/known_hosts.rb:132:in
    from /var/lib/gems/3.0.0/gems/net-ssh-6.0.2/lib/net/ssh/known_hosts.rb:132:in block in keys_for'
    from /var/lib/gems/3.0.0/gems/net-ssh-6.0.2/lib/net/ssh/known_hosts.rb:131:in
    from /var/lib/gems/3.0.0/gems/net-ssh-6.0.2/lib/net/ssh/known_hosts.rb:131:in keys_for'
    from /var/lib/gems/3.0.0/gems/net-ssh-6.0.2/lib/net/ssh/known_hosts.rb:61:in
    block in search_in’
    from /var/lib/gems/3.0.0/gems/net-ssh-6.0.2/lib/net/ssh/known_hosts.rb:61:in each'
    from /var/lib/gems/3.0.0/gems/net-ssh-6.0.2/lib/net/ssh/known_hosts.rb:61:in
    from /var/lib/gems/3.0.0/gems/net-ssh-6.0.2/lib/net/ssh/known_hosts.rb:61:in search_in'
    from /var/lib/gems/3.0.0/gems/net-ssh-6.0.2/lib/net/ssh/known_hosts.rb:55:in
    from /var/lib/gems/3.0.0/gems/net-ssh-6.0.2/lib/net/ssh/transport/session.rb:98:in host_keys'
    from /var/lib/gems/3.0.0/gems/net-ssh-6.0.2/lib/net/ssh/transport/algorithms.rb:278:in
    from /var/lib/gems/3.0.0/gems/net-ssh-6.0.2/lib/net/ssh/transport/algorithms.rb:154:in initialize'
    from /var/lib/gems/3.0.0/gems/net-ssh-6.0.2/lib/net/ssh/transport/session.rb:88:in
    from /var/lib/gems/3.0.0/gems/net-ssh-6.0.2/lib/net/ssh/transport/session.rb:88:in initialize'
    from /var/lib/gems/3.0.0/gems/ssh_scan-0.0.44/lib/ssh_scan/scan_engine.rb:97:in
    from /var/lib/gems/3.0.0/gems/ssh_scan-0.0.44/lib/ssh_scan/scan_engine.rb:97:in scan_target'
    from /var/lib/gems/3.0.0/gems/ssh_scan-0.0.44/lib/ssh_scan/scan_engine.rb:184:in
    block (2 levels) in scan’

    This is with openssl 3.0.2-0ubuntu1.10 amd64

Leave a Reply

Your email address will not be published. Required fields are marked *