[Bug 1771359] Re: No matching cipher found even if client and server have matching cipher
Joshua Powers
josh.powers at canonical.com
Wed May 16 14:29:05 UTC 2018
Here are some change log entries confirming my suspicion:
openssh (1:7.4p1-1) unstable; urgency=medium
* New upstream release (http://www.openssh.com/txt/release-7.4):
- ssh(1): Remove 3des-cbc from the client's default proposal. 64-bit
block ciphers are not safe in 2016 and we don't want to wait until
attacks like SWEET32 are extended to SSH. As 3des-cbc was the only
mandatory cipher in the SSH RFCs, this may cause problems connecting
to older devices using the default configuration, but it's highly
likely that such devices already need explicit configuration for key
exchange and hostkey algorithms already anyway.
openssh (1:7.3p1-1) unstable; urgency=medium
* New upstream release (http://www.openssh.com/txt/release-7.3):
- SECURITY: ssh(1), sshd(8): Fix observable timing weakness in the CBC
padding oracle countermeasures. Note that CBC ciphers are disabled by
default and only included for legacy compatibility.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1771359
Title:
No matching cipher found even if client and server have matching
cipher
Status in openssh package in Ubuntu:
Incomplete
Bug description:
Since Bionic upgrade (from Artful) I encounter problem to call HP
switch with SSH.
After the upgrade, trying to ssh some switch give me this message :
$ ssh 192.168.0.1
Unable to negotiate with 192.168.0.1 port 22: no matching cipher found. Their offer: aes128-cbc,3des-cbc,des-cbc
So, I look for supported cipher :
$ ssh -Q cipher
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc at lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm at openssh.com
aes256-gcm at openssh.com
chacha20-poly1305 at openssh.com
I see that aes128-cbc seem both supported. So I try... :
$ ssh -c aes128-cbc 192.168.0.1
...and It's work !
Workaround :
I've added “ciphers aes128-cbc” to ~/.ssh/config file for each switch
I manage.
The ssh-client should detect automatically the good cipher ? No ?
Thank you for your attention.
ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: openssh-client 1:7.6p1-4
ProcVersionSignature: Ubuntu 4.15.0-20.21-generic 4.15.17
Uname: Linux 4.15.0-20-generic x86_64
ApportVersion: 2.20.9-0ubuntu7
Architecture: amd64
CurrentDesktop: GNOME
Date: Tue May 15 15:39:00 2018
EcryptfsInUse: Yes
ProcEnviron:
TERM=xterm-256color
PATH=(custom, no user)
XDG_RUNTIME_DIR=<set>
LANG=fr_FR.UTF-8
SHELL=/bin/bash
RelatedPackageVersions:
ssh-askpass N/A
libpam-ssh N/A
keychain N/A
ssh-askpass-gnome 1:7.6p1-4
SSHClientVersion: OpenSSH_7.6p1 Ubuntu-4, OpenSSL 1.0.2n 7 Dec 2017
SourcePackage: openssh
UpgradeStatus: Upgraded to bionic on 2018-04-24 (21 days ago)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1771359/+subscriptions
More information about the foundations-bugs
mailing list