Fix unsupported cipher 'aes128-gcm'

[ClementJeannesson]

A recent update of Scalingo (March 24th 2023) deprecated some ciphers (encryption algorithms). As a consequence, it is impossible to connect to Scalingo-hosted databases through SSH tunneling using Paramiko, as Scalingo-compatible ciphers are no longer supported by Paramiko.

To be more precise, I get next error when I try to open my SSH tunnel:

>>> ssh_tunnel.start()
2023-03-29 10:40:30,109| ERROR   | Exception (client): Incompatible ssh server (no acceptable ciphers)
2023-03-29 10:40:30,112| ERROR   | Traceback (most recent call last):
2023-03-29 10:40:30,112| ERROR   |   File "/Users/clement.jeannesson/.pyenv/versions/test_paramiko/lib/python3.9/site-packages/paramiko/transport.py", line 2137, in run
2023-03-29 10:40:30,113| ERROR   |     self._handler_table[ptype](self, m)
2023-03-29 10:40:30,113| ERROR   |   File "/Users/clement.jeannesson/.pyenv/versions/test_paramiko/lib/python3.9/site-packages/paramiko/transport.py", line 2257, in _negotiate_keys
2023-03-29 10:40:30,113| ERROR   |     self._parse_kex_init(m)
2023-03-29 10:40:30,113| ERROR   |   File "/Users/clement.jeannesson/.pyenv/versions/test_paramiko/lib/python3.9/site-packages/paramiko/transport.py", line 2510, in _parse_kex_init
2023-03-29 10:40:30,113| ERROR   |     raise IncompatiblePeer(
2023-03-29 10:40:30,113| ERROR   | paramiko.ssh_exception.IncompatiblePeer: Incompatible ssh server (no acceptable ciphers)
2023-03-29 10:40:30,113| ERROR   | 
2023-03-29 10:40:30,113| ERROR   | Could not connect to gateway ssh.osc-fr1.scalingo.com:22 : Incompatible ssh server (no acceptable ciphers)

It seems Paramiko supports next ciphers: ('aes128-ctr', 'aes192-ctr', 'aes256-ctr', 'aes128-cbc', 'aes192-cbc', 'aes256-cbc', '3des-cbc'), while Scalingo removed ('aes128-ctr', 'aes192-ctr', 'aes256-ctr') to keep only
('chacha20-poly1305', 'aes128-gcm'), making Scalingo not compatible with the use of paramiko.

My request: is it possible to add support for the cipher 'aes128-gcm' ?

I tried to patch myself transport.py to add the missing cipher, with no success. I added 'aes128-gcm' in Transport._preferred_ciphers and

        "aes128-gcm": {
            "class": algorithms.AES,
            "mode": modes.GCM,
            "block-size": 16,
            "key-size": 16,
        },

in Transport._cipher_info. Is there something missing ?

Tests have been done using paramiko version 3.1.0, and Python 3.9.2.

[vikanezrimaya]

The cipher is actually called aes128-gcm@openssh.com, that's why it wasn't used. The problem is -- AES-GCM is an authenticated cipher, and when using the name of the cipher, Paramiko happily tries to use it -- but it doesn't append the authentication tag of the cipher, and a remote OpenSSH server rejects the packet as invalid (because it essentially is).

Reading through the source code, it seems like the packetizer is actually responsible for encrypting packets -- so it needs to be modified to properly use the AES-GCM ciphers and append the necessary authentication tags.

[vikanezrimaya]

While we're at it, might as well consider adding aes256-gcm@openssh.com and chacha20-poly1305@openssh.com to this list. These have essentially the same properties, and implementing support for one will make adding the others trivial.

[vikanezrimaya]

transport.py:2664 sets the outbound cipher for the packetizer. It seems to have some special handling for -ctr ciphers already. The Packetizer class is then responsible for building packets, and it encrypts them in the send_message() function (packet.py:405-412).

[vikanezrimaya]

The aes128-gcm@openssh.com and aes256-gcm@openssh.com ciphers were introduced in OpenSSH 6.2. The changelog says (Markdown formatting mine):

• ssh(1)/sshd(8): Added support for AES-GCM authenticated encryption in SSH protocol 2. The new cipher is available as aes128-gcm@openssh.com and aes256-gcm@openssh.com. It uses an identical packet format to the AES-GCM mode specified in RFC 5647, but uses simpler and different selection rules during key exchange.

[jun66j5]

Pull request #2157 has been proposed.

[bskinn]

Flagging this for consideration as part of #387.