Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/crypto/ssh: handshake failed: ssh: no common algorithm for client to server cipher; client offered: [aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com arcfour256 arcfour128], server offered: [aes256-cbc 3des-cbc aes128-cbc] #20201

Closed
CameronGo opened this issue May 1, 2017 · 13 comments
Milestone

Comments

@CameronGo
Copy link

@CameronGo CameronGo commented May 1, 2017

Please answer these questions before submitting your issue. Thanks!

We onboarded a new client with a new SFTP endpoint and are seeing an error message we never encountered. What is the configuration I need to use to allow the CBC ciphers?

Error
ssh: handshake failed: ssh: no common algorithm for client to server cipher; client offered: [aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com arcfour256 arcfour128], server offered: [aes256-cbc 3des-cbc aes128-cbc]

What version of Go are you using (go version)?

1.8.1

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"

from the current golang docker image

What did you do?

Attempting connection to SFTP host

What did you expect to see?

Successful authentication and connection

What did you see instead?

ssh: handshake failed: ssh: no common algorithm for client to server cipher; client offered: [aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com arcfour256 arcfour128], server offered: [aes256-cbc 3des-cbc aes128-cbc]

@bradfitz bradfitz changed the title ssh: handshake failed: ssh: no common algorithm for client to server cipher; client offered: [aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com arcfour256 arcfour128], server offered: [aes256-cbc 3des-cbc aes128-cbc] x/crypto/ssh: handshake failed: ssh: no common algorithm for client to server cipher; client offered: [aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com arcfour256 arcfour128], server offered: [aes256-cbc 3des-cbc aes128-cbc] May 1, 2017
@gopherbot gopherbot added this to the Unreleased milestone May 1, 2017
@bradfitz
Copy link
Contributor

@bradfitz bradfitz commented May 1, 2017

/cc @hanwen

@hanwen
Copy link
Contributor

@hanwen hanwen commented May 2, 2017

works as intended. 3DES is deprecated, and the CBC ciphers have weaknesses, so they're disabled by default.

@hanwen hanwen closed this May 2, 2017
@CameronGo
Copy link
Author

@CameronGo CameronGo commented May 2, 2017

@hanwen - can I allow the CBC cipher using the ssh.ClientConfig options, or does this require forking the package as discussed here? #13776

@hanwen
Copy link
Contributor

@hanwen hanwen commented May 2, 2017

just try it. it should work.

@CameronGo
Copy link
Author

@CameronGo CameronGo commented May 9, 2017

Ended up finding an example of how to use this from one of the unit tests:
https://gondolaweb.com/doc/src/golang.org/x/crypto/ssh/test/session_test.go

Specifically with how to go about appending a cipher to the existing defaults as in here:

func TestCiphers(t *testing.T) {
	var config ssh.Config
	config.SetDefaults()
	cipherOrder := config.Ciphers
	// These ciphers will not be tested when commented out in cipher.go it will
	// fallback to the next available as per line 292.
	cipherOrder = append(cipherOrder, "aes128-cbc", "3des-cbc")

	for _, ciph := range cipherOrder {
		server := newServer(t)
		defer server.Shutdown()
		conf := clientConfig()
		conf.Ciphers = []string{ciph}
		// Don't fail if sshd doesn't have the cipher.
		conf.Ciphers = append(conf.Ciphers, cipherOrder...)
		conn, err := server.TryDial(conf)
		if err == nil {
			conn.Close()
		} else {
			t.Fatalf("failed for cipher %q", ciph)
		}
	}
}
@Mebus
Copy link

@Mebus Mebus commented May 11, 2017

hm. This doesn't work for me. Is this correct?

var sshconfig ssh.Config sshconfig.SetDefaults() cipherOrder := sshconfig.Ciphers cipherOrder = append(cipherOrder, "aes128-cbc", "3des-cbc")
// Authentication
config := &ssh.ClientConfig{
	Config: sshconfig,
	User:   "ciscouser",
	//Auth: []ssh.AuthMethod{SSHAgent()},
	//alternatively, you could use a password
	Auth:            []ssh.AuthMethod{ssh.Password("blablabla")},
	HostKeyCallback: ssh.InsecureIgnoreHostKey(),
}

I think I am going to have to use telnet instead of ssh...

Mebus

@hanwen
Copy link
Contributor

@hanwen hanwen commented May 11, 2017

you're not changing the slice inside sshconfig

@Mebus
Copy link

@Mebus Mebus commented May 11, 2017

What do I have to change?

Mebus

@hanwen
Copy link
Contributor

@hanwen hanwen commented May 11, 2017

config.ciphers = append(config.ciphers, ...)

@Mebus
Copy link

@Mebus Mebus commented May 11, 2017

It's in there, but the github is formatting it badly:

cipherOrder = append(cipherOrder, "aes128-cbc", "3des-cbc")

Like this?

Mebus

@hanwen
Copy link
Contributor

@hanwen hanwen commented May 11, 2017

you're not changing config.Ciphers, you're just changing cipherOrder

@Mebus
Copy link

@Mebus Mebus commented May 11, 2017

aaaahh!!! My fault. Working now :-)

sshconfig.Ciphers = append(cipherOrder, "3des-cbc")

Thanks. :-)

Mebus

@thinkt4nk
Copy link

@thinkt4nk thinkt4nk commented Mar 13, 2018

is there documentation somewhere that lists supported ciphers?

it-noob added a commit to it-noob/autossh that referenced this issue Aug 7, 2018
增加go的crypto的客户端加密方式的配置,官方默认未启用一些安全级别低的加密方式,但是由于某些服务器的操作系统版本低,仍然需要配置,否则会ssh握手失败,具体官方说明请参考golang/go#20201
@golang golang locked and limited conversation to collaborators Mar 13, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
6 participants
You can’t perform that action at this time.