SSHException: Incompatible ssh server (no acceptable ciphers)

Discussion:

Robey Pointer

2009-02-16 08:35:39 UTC

Anyone have any suggestions for this error message ?
File "scm.py", line 331, in __init__
self.connection = ssh.Connection(host,username=user,password=pwd)
File "Q:\simplan\utils\nlp\ssh.py", line 37, in __init__
self._transport.connect(username = username, password = password)
File "build\bdist.win32\egg\paramiko\transport.py", line 971, in
connect
self.start_client()
File "build\bdist.win32\egg\paramiko\transport.py", line 440, in
start_client
raise e
SSHException: Incompatible ssh server (no acceptable ciphers)

If you turn on debug logging, you should be able to see the list of
ciphers the server supports.

(It must be a very odd list if they couldn't even find one cipher in
common.)

robey

2009-02-16 14:40:06 UTC

Permalink

putty can handle my server but this is what paramiko says:

DEB [20090216-15:36:38.515] thr=5 paramiko.transport: starting thread (client mode): 0x1d9e0f0L
INF [20090216-15:36:38.515] thr=5 paramiko.transport: Connected (version 2.0, client OpenSSH_4.2)
DEB [20090216-15:36:38.530] thr=5 paramiko.transport: kex algos:['diffie-hellman-group-exchange-sha1', 'diffie-hellman-group14-sha1', 'diffie-hellman-group1-sha1'] server key:['ssh-rsa', 'ssh-dss'] client encrypt:['arcfour128', 'arcfour256', 'arcfour', 'aes128-ctr', 'aes192-ctr', 'aes256-ctr'] server encrypt:['arcfour128', 'arcfour256', 'arcfour', 'aes128-ctr', 'aes192-ctr', 'aes256-ctr'] client mac:['hmac-md5', 'hmac-sha1', 'hmac-ripemd160', 'hmac-***@openssh.com', 'hmac-sha1-96', 'hmac-md5-96'] server mac:['hmac-md5', 'hmac-sha1', 'hmac-ripemd160', 'hmac-***@openssh.com', 'hmac-sha1-96', 'hmac-md5-96'] client compress:['none', '***@openssh.com'] server compress:['none', '***@openssh.com'] client lang:[''] server lang:[''] kex follows?False
ERR [20090216-15:36:38.530] thr=5 paramiko.transport: Exception: Incompatible ssh server (no acceptable ciphers)
ERR [20090216-15:36:38.530] thr=5 paramiko.transport: Traceback (most recent call last):
ERR [20090216-15:36:38.530] thr=5 paramiko.transport: File "build\bdist.win32\egg\paramiko\transport.py", line 1513, in run
ERR [20090216-15:36:38.530] thr=5 paramiko.transport: self._handler_table[ptype](self, m)
ERR [20090216-15:36:38.530] thr=5 paramiko.transport: File "build\bdist.win32\egg\paramiko\transport.py", line 1585, in _negotiate_keys
ERR [20090216-15:36:38.530] thr=5 paramiko.transport: self._parse_kex_init(m)
ERR [20090216-15:36:38.530] thr=5 paramiko.transport: File "build\bdist.win32\egg\paramiko\transport.py", line 1725, in _parse_kex_init
ERR [20090216-15:36:38.530] thr=5 paramiko.transport: raise SSHException('Incompatible ssh server (no acceptable ciphers)')
ERR [20090216-15:36:38.530] thr=5 paramiko.transport: SSHException: Incompatible ssh server (no acceptable ciphers)
ERR [20090216-15:36:38.530] thr=5 paramiko.transport:

----- Original Message ----
From: Robey Pointer <***@gmail.com>
To: jo <***@yahoo.com>; paramiko list <***@lag.net>
Sent: Monday, February 16, 2009 9:35:39 AM
Subject: Re: [paramiko] SSHException: Incompatible ssh server (no acceptable ciphers)

Anyone have any suggestions for this error message ?
File "scm.py", line 331, in __init__
self.connection = ssh.Connection(host,username=user,password=pwd)
File "Q:\simplan\utils\nlp\ssh.py", line 37, in __init__
self._transport.connect(username = username, password = password)
File "build\bdist.win32\egg\paramiko\transport.py", line 971, in connect
self.start_client()
File "build\bdist.win32\egg\paramiko\transport.py", line 440, in start_client
raise e
SSHException: Incompatible ssh server (no acceptable ciphers)

If you turn on debug logging, you should be able to see the list of ciphers the server supports.

(It must be a very odd list if they couldn't even find one cipher in common.)

robey

Robey Pointer

2009-02-16 19:03:37 UTC

Permalink

Post by jo
['arcfour128', 'arcfour256', 'arcfour', 'aes128-ctr', 'aes192-ctr',
'aes256-ctr']

That encryption list is, in fact, truly bizarre.

By not supporting blowfish, the server is technically out of spec.

robey

2009-02-17 12:16:11 UTC

Permalink

That is funny :) Unfortunately I'm stuck with this box. How does putty do it then ?

Some more info:

hn :~ # uname -a
Linux hn 2.6.16.54-0.2.3-smp #1 SMP Thu Nov 22 18:32:07 UTC 2007 x86_64 x86_64 x86_64 GNU/Linux
hn :~ # rpm -qa | grep ssh
openssh-4.2p1-18.30
hn :~ #

I know it is a suse os.

Can I convince this server to support more ciphers ?

Tx
Jo

----- Original Message ----
From: Robey Pointer <***@gmail.com>
To: jo <***@yahoo.com>; paramiko list <***@lag.net>
Sent: Monday, February 16, 2009 8:03:37 PM
Subject: Re: [paramiko] SSHException: Incompatible ssh server (no acceptable ciphers)

Post by jo
['arcfour128', 'arcfour256', 'arcfour', 'aes128-ctr', 'aes192-ctr', 'aes256-ctr']

That encryption list is, in fact, truly bizarre.

By not supporting blowfish, the server is technically out of spec.

robey

Robey Pointer

2009-02-17 21:25:58 UTC

Permalink

Post by jo
That is funny :) Unfortunately I'm stuck with this box. How does putty do it then ?

In case that wasn't a rhetorical question: I assume putty implements
arcfour or aes-ctr. :)

Aes-ctr would be the easiest to add support for. It looks like recent
versions of PyCrypto even have CTR already. You might try this patch
and see if it helps (untested):

diff --git a/paramiko/transport.py b/paramiko/transport.py
index fa6112a..5e9e24d 100644
--- a/paramiko/transport.py
+++ b/paramiko/transport.py
@@ -208,6 +208,10 @@ class Transport (threading.Thread):
'aes256-cbc': { 'class': AES, 'mode': AES.MODE_CBC, 'block-
size': 16, 'key-size': 32 },
'3des-cbc': { 'class': DES3, 'mode': DES3.MODE_CBC, 'block-
size': 8, 'key-size': 24 },
}
+ if 'MODE_CTR' in dir(AES):
+ _cipher_info['aes128-ctr'] = { 'class': AES, 'mode':
AES.MODE_CTR, 'block-size': 16, 'key-size': 16 }
+ _cipher_info['aes256-ctr'] = { 'class': AES, 'mode':
AES.MODE_CTR, 'block-size': 32, 'key-size': 32 }
+

_mac_info = {
'hmac-sha1': { 'class': SHA, 'size': 20 },

robey

2009-02-23 14:52:19 UTC

Permalink

How can I update this transport.py file ? It is hidden in an egg?

Thanks
J

D:\Python25\Lib\site-packages>dir /s paramiko*
Volume in drive D is Data
Volume Serial Number is E457-3209

Directory of D:\Python25\Lib\site-packages

30/05/2008 14:45 290.074 paramiko-1.7.3-py2.5.egg
23/02/2009 15:29 296.461 paramiko-1.7.4-py2.5.egg
2 File(s) 586.535 bytes

Total Files Listed:
2 File(s) 586.535 bytes
0 Dir(s) 98.709.901.312 bytes free

D:\Python25\Lib\site-packages>

----- Original Message ----
From: Robey Pointer <***@gmail.com>
To: jo <***@yahoo.com>; paramiko list <***@lag.net>
Sent: Tuesday, February 17, 2009 10:25:58 PM
Subject: Re: [paramiko] SSHException: Incompatible ssh server (no acceptable ciphers)

Post by jo
That is funny :) Unfortunately I'm stuck with this box. How does putty do it then ?

In case that wasn't a rhetorical question: I assume putty implements arcfour or aes-ctr. :)

Aes-ctr would be the easiest to add support for. It looks like recent versions of PyCrypto even have CTR already. You might try this patch and see if it helps (untested):

diff --git a/paramiko/transport.py b/paramiko/transport.py
index fa6112a..5e9e24d 100644
--- a/paramiko/transport.py
+++ b/paramiko/transport.py
@@ -208,6 +208,10 @@ class Transport (threading.Thread):
'aes256-cbc': { 'class': AES, 'mode': AES.MODE_CBC, 'block-size': 16, 'key-size': 32 },
'3des-cbc': { 'class': DES3, 'mode': DES3.MODE_CBC, 'block-size': 8, 'key-size': 24 },
}
+ if 'MODE_CTR' in dir(AES):
+ _cipher_info['aes128-ctr'] = { 'class': AES, 'mode': AES.MODE_CTR, 'block-size': 16, 'key-size': 16 }
+ _cipher_info['aes256-ctr'] = { 'class': AES, 'mode': AES.MODE_CTR, 'block-size': 32, 'key-size': 32 }
+

_mac_info = {
'hmac-sha1': { 'class': SHA, 'size': 20 },

robey