Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/crypto/ssh: 'no common algorithms' against ubnt device #12982

Closed
bradfitz opened this issue Oct 19, 2015 · 7 comments
Closed

x/crypto/ssh: 'no common algorithms' against ubnt device #12982

bradfitz opened this issue Oct 19, 2015 · 7 comments
Milestone

Comments

@bradfitz
Copy link
Contributor

@bradfitz bradfitz commented Oct 19, 2015

I have some of these little mFi mPower things (https://www.ubnt.com/mfi/mpower/) and they run a little Linux on 32-bit MIPS with 16 MB of RAM and dropbear ssh as the way to control it.

I wanted to use crypto/ssh against it, but I get "handshake failed: ssh: no common algorithms".

I modified the crypto/ssh code to show better errors, and I get:

$ cat officeamp.go
package main

import (
        "log"

        "golang.org/x/crypto/ssh"
) 

func main() {
        c, err := ssh.Dial("tcp", "10.0.0.136:22", &ssh.ClientConfig{
                User: "ubnt",
                Auth: []ssh.AuthMethod{ssh.Password("ubnt")},
        })
        if err != nil {
                log.Fatal(err)
        }
        log.Printf("got a %#v", c)
}
ante:officeamp $ go run officeamp.go
2015/10/18 18:18:41 ssh: handshake failed: ssh: no common algorithms: w.Cipher:
  client=["aes128-ctr" "aes192-ctr" "aes256-ctr" "aes128-gcm@openssh.com" "arcfour256" "arcfour128"]
  server=["aes128-cbc" "3des-cbc" "aes256-cbc" "twofish256-cbc" "twofish-cbc" "twofish128-cbc" "blowfish-cbc"]

Looks like it only does CBC.

I see there's an old bug about adding CBC ciphers (#4274) but it was closed as WorkingAsIntended.

Any possibility this can be opt-in in my ssh.ClientConfig?

/cc @hanwen @agl

@bradfitz
Copy link
Contributor Author

@bradfitz bradfitz commented Oct 19, 2015

@cespare, that line no longer exists.

@hanwen
Copy link
Contributor

@hanwen hanwen commented Oct 19, 2015

x/crypto has had improved error messages for a while as well. Git pull?

when did you buy this thing? Improved arcfour was defined in 2006 (https://www.ietf.org/rfc/rfc4345.txt). If this is the state of their security, then I hope this device doesn't control anything important.

@rsc rsc added this to the Unreleased milestone Oct 23, 2015
@bradfitz
Copy link
Contributor Author

@bradfitz bradfitz commented Oct 30, 2015

Indeed, my x/crypto repo was stuck in the past.

Applying this "fixes" it:

diff --git a/ssh/cipher.go b/ssh/cipher.go
index 3e06da0..2fe79fc 100644
--- a/ssh/cipher.go
+++ b/ssh/cipher.go
@@ -117,7 +117,7 @@ var cipherModes = map[string]*streamCipherMode{

        // insecure cipher, see http://www.isg.rhul.ac.uk/~kp/SandPfinal.pdf
        // uncomment below to enable it.
-       // aes128cbcID: {16, aes.BlockSize, 0, nil},
+       aes128cbcID: {16, aes.BlockSize, 0, nil},
 }

 // prefixLen is the length of the packet prefix that contains the packet length
diff --git a/ssh/common.go b/ssh/common.go
index 9fc739e..9dd77e6 100644
--- a/ssh/common.go
+++ b/ssh/common.go
@@ -28,6 +28,7 @@ var supportedCiphers = []string{
        "aes128-ctr", "aes192-ctr", "aes256-ctr",
        "aes128-gcm@openssh.com",
        "arcfour256", "arcfour128",
+       "aes128-cbc",
 }

 // supportedKexAlgos specifies the supported key-exchange algorithms in

Thanks!

@dzlab
Copy link

@dzlab dzlab commented May 6, 2016

I've the same problem but was able to fix it by adding "aes128-cbc" to supportedCiphers in $GOPATH/src/golang.org/x/crypto/ssh/common.go!!!
Is there a more appropriate way to do it??

@bradfitz
Copy link
Contributor Author

@bradfitz bradfitz commented May 6, 2016

@dzlab, see "permit use of CBC ciphers" commit above. You can now add it to your https://godoc.org/golang.org/x/crypto/ssh#Config

@golang golang locked and limited conversation to collaborators May 6, 2017
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
6 participants
You can’t perform that action at this time.