paramiko in AKS seems can not support unchanged #1329

Open
xudifsd opened this issue Oct 31, 2018 · 3 comments

xudifsd commented Oct 31, 2018

Hi, I ran the same program as this in the AKS service, and the program output was:

```
DEBUG:paramiko.transport:starting thread (client mode): 0x6b27d410L
DEBUG:paramiko.transport:Local version/idstring: SSH-2.0-paramiko_1.16.0
DEBUG:paramiko.transport:Remote version/idstring: SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4
INFO:paramiko.transport:Connected (version 2.0, client OpenSSH_7.2p2)
DEBUG:paramiko.transport:kex algos:[u'curve25519-sha256@libssh.org'] server key:[u'ssh-rsa', u'rsa-sha2-512', u'rsa-sha2-256', u'ecdsa-sha2-nistp256', u'ssh-ed25519'] client encrypt:[u'chacha20-poly1305@openssh.com', u'aes256-gcm@openssh.com', u'aes128-gcm@openssh.com', u'aes256-ctr', u'aes192-ctr', u'aes128-ctr'] server encrypt:[u'chacha20-poly1305@openssh.com', u'aes256-gcm@openssh.com', u'aes128-gcm@openssh.com', u'aes256-ctr', u'aes192-ctr', u'aes128-ctr'] client mac:[u'hmac-sha2-512-etm@openssh.com', u'hmac-sha2-256-etm@openssh.com', u'umac-128-etm@openssh.com'] server mac:[u'hmac-sha2-512-etm@openssh.com', u'hmac-sha2-256-etm@openssh.com', u'umac-128-etm@openssh.com'] client compress:[u'none', u'zlib@openssh.com'] server compress:[u'none', u'zlib@openssh.com'] client lang:[u''] server lang:[u''] kex follows?False
ERROR:paramiko.transport:Exception: Incompatible ssh peer (no acceptable kex algorithm)
ERROR:paramiko.transport:Traceback (most recent call last):
ERROR:paramiko.transport:  File "/usr/lib/python2.7/dist-packages/paramiko/transport.py", line 1790, in run
ERROR:paramiko.transport:    self._handler_table[ptype](self, m)
ERROR:paramiko.transport:  File "/usr/lib/python2.7/dist-packages/paramiko/transport.py", line 1883, in _negotiate_keys
ERROR:paramiko.transport:    self._parse_kex_init(m)
ERROR:paramiko.transport:  File "/usr/lib/python2.7/dist-packages/paramiko/transport.py", line 2009, in _parse_kex_init
ERROR:paramiko.transport:    raise SSHException('Incompatible ssh peer (no acceptable kex algorithm)')
ERROR:paramiko.transport:SSHException: Incompatible ssh peer (no acceptable kex algorithm)
ERROR:paramiko.transport:
Connection Failed!
Incompatible ssh peer (no acceptable kex algorithm)
```

It seems this was due to curve25519-sha256@libssh.org not being supported in paramiko?

radssh (Contributor) commented Oct 31, 2018

Paramiko currently supports the following key exchange algorithms:

```python
_preferred_kex = (
    "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp384",
    "ecdh-sha2-nistp521",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group-exchange-sha1",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group1-sha1",
)
```

Per https://ssh-comparison.quendi.de/comparison/kex.html it appears that algorithm is currently in draft status, and supported by a moderate number of SSH implementations. Is there a rigid requirement that the server configuration supports only that kex option, rather than a list that permits falling back to one of the more commonly supported algorithms?

ploxiln (Contributor) commented Oct 31, 2018

Looks like this is implemented in #1258, which you could try to test.

xudifsd (Author) commented Nov 1, 2018

@radssh Yes, as I stated before, we are building a service that will be deployed in AKS, but it seems the only default KEX algorithm is curve25519-sha256@libssh.org, and I do not know why. The current workaround is SSHing in from the command line and changing its /etc/ssh/sshd_config manually. Below is the default setting from the AKS sshd; I hope it is helpful:

```
$ sudo grep -e Ciphers -e MACs -e KexAlgorithms /etc/ssh/sshd_config
KexAlgorithms curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
```
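
The mismatch discussed in this thread, as an added example that is not part of the original comments or of paramiko's code: it parses the sshd_config lines posted above and checks them against the `_preferred_kex` list quoted earlier, using the simplified rule that the first client-preferred algorithm also offered by the server is chosen. The names `parse_sshd_lists` and `negotiate` are hypothetical, and the fallback line under `__main__` is constructed for illustration.

```python
# Added example; helper names are illustrative, not paramiko API.

# Client preference order, as quoted in the thread.
CLIENT_KEX = (
    "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp384",
    "ecdh-sha2-nistp521",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group-exchange-sha1",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group1-sha1",
)

# The sshd_config lines posted in the thread.
SSHD_CONFIG = """\
KexAlgorithms curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
"""

def parse_sshd_lists(text):
    """Return {keyword: [algorithms]} for KexAlgorithms, Ciphers and MACs."""
    wanted = {"kexalgorithms", "ciphers", "macs"}
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()          # sshd keywords are case-insensitive
        if len(parts) == 2 and key in wanted and key not in found:
            # sshd uses the first value it obtains for a keyword
            found[key] = [a.strip() for a in parts[1].split(",") if a.strip()]
    return found

def negotiate(client_prefs, server_algos):
    """Simplified negotiation: first client choice the server also lists."""
    offered = set(server_algos)
    for algo in client_prefs:
        if algo in offered:
            return algo
    return None  # the case paramiko reports as "no acceptable kex algorithm"

if __name__ == "__main__":
    kex = parse_sshd_lists(SSHD_CONFIG)["kexalgorithms"]
    print("server kex:", kex, "-> negotiated:", negotiate(CLIENT_KEX, kex))
    # Constructed alternative: the same server with one fallback added.
    alt = parse_sshd_lists("KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256")
    print("with fallback ->", negotiate(CLIENT_KEX, alt["kexalgorithms"]))
```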
