
I am using the openssh client on windows 10. It usually works fine but there are some machines which won't allow me to connect. As a workaround I can connect to these machines by using another ssh client like putty or teraterm, but I would really like to standardize on the windows ssh client.

Here's what happens:

C\U\t> ssh [email protected]
Unable to negotiate with 10.100.149.86 port 22: no matching cipher found. 
Their offer: 3des-cbc,blowfish-cbc,aes128-cbc,aes192-cbc,aes256-cbc,
cast128-cbc,arcfour,arcfour128,arcfour256

Presumably, this means that the machine I am trying to connect to is expecting only certain types of ciphers, and it has kindly listed them for me.

That (reasonably?) leads me to think I can configure my client to just accept any/all of those ciphers. Googling around I find that I can specify ciphers in my user's ~/.ssh/config file.

So I create and edit a config file with the following content...

Ciphers 3des-cbc,blowfish-cbc,aes128-cbc,aes192-cbc,aes256-cbc,cast128-cbc,arcfour,arcfour128,arcfour256

My expectation is that the above line in my ~/.ssh/config will allow my ssh client to work with the ciphers the remote machine is offering.

Does it? No! Here's what happens...

C\U\t> ssh [email protected]
C:\Users\someuser/.ssh/config line 1: Bad SSH2 cipher spec '3des-cbc,blowfish-cbc,aes128-cbc,aes192-cbc,aes256-cbc,cast128-cbc,arcfour,arcfour128,arcfour256'.

After this I tried various other permutations of the Ciphers line in my ssh config, omitting some ciphers, replacing "," with " ", etc. Nothing worked.

How can I fix this? I don't understand what is going on.

FWIW, the remote machine is just a terminal server. I suppose I could update its firmware but I would rather not mess around with that unless I have to. I only know that ssh encrypts communication, the actual cipher names are just gibberish to me. I understand that some are stronger than others but it is too much of a rabbit-hole to go down when I just want to get my work done.

1 Answer


Some of those ciphers are likely not supported at all by your local OpenSSH version, e.g. I'm pretty sure RC4 (arcfour) is long gone as is CAST, so the entire option is rejected.

You only need one, however, not all of them – so just add the still-acceptable AES-CBC to the list.

Note: use + to add the cipher to the standard list, instead of overwriting it – you don't want to weaken connections to all your working servers. (Especially as the compatibility issue goes both ways, i.e. if you force your client to use this old cipher list, you'll find that new servers don't offer those ciphers anymore, either...)

So the configuration you want is:

# "+" appends to the client's default list instead of replacing it
Ciphers +aes128-cbc,aes256-cbc,3des-cbc
KexAlgorithms +diffie-hellman-group14-sha1
HostKeyAlgorithms +ssh-rsa
# If you authenticate using a keypair:
# (this keyword is PubkeyAcceptedKeyTypes on OpenSSH clients older than 8.5)
PubkeyAcceptedAlgorithms +ssh-rsa
  • hey, it worked, thanks! How did you know to add KexAlgorithms and HostKeyAlgorithms?
    – Angelo
    Commented Feb 2, 2022 at 15:11
  • A device that only supports CBC-mode ciphers (as opposed to modern AEAD modes that OpenSSH now requires) will almost certainly predate the addition of modern key-exchange algorithms as well (neither elliptic-curve ECDH, nor the SHA256 variants of traditional DH).
    Commented Feb 2, 2022 at 17:24
  • where do you put these settings? In ~/.ssh/config ?
    – majorgear
    Commented Jan 23 at 17:51
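The matching the answer does by hand (keep only the offered names your own client still supports, then append them with "+") can be scripted. The following Python is an added example, not code from the question or the answer: it parses the one-line "Unable to negotiate ... Their offer: ..." error that ssh prints for ciphers, key-exchange methods and host-key types, intersects the offer with what the local client reports via `ssh -Q cipher|kex|key` (the names a build was compiled with; any name outside that list makes ssh reject the whole option with "Bad SSH2 cipher spec"), and emits a Host-scoped config stanza so the weak algorithms are enabled for that one device only. The function names, the ordering preference and the sample `ssh -Q cipher` output (modelled on an OpenSSH 8.x client) are my own assumptions; with no list passed in, it runs the real `ssh -Q`.

```python
import re
import shutil
import subprocess

# OpenSSH error wording -> (ssh_config keyword, name to pass to `ssh -Q`)
FAILURES = {
    "cipher": ("Ciphers", "cipher"),
    "key exchange method": ("KexAlgorithms", "kex"),
    "host key type": ("HostKeyAlgorithms", "key"),
}

NEGOTIATE_RE = re.compile(
    r"Unable to negotiate with (?P<host>\S+) port (?P<port>\d+): "
    r"no matching (?P<kind>cipher|key exchange method|host key type) found\. "
    r"Their offer: (?P<offer>\S+)"
)

# With "+" the names are appended to the client's list and the first one the
# server also supports wins, so list AES-CBC ahead of 3DES (64-bit blocks).
# Names not listed here keep the server's offer order, after these. (Assumed.)
PREFERENCE = ["aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-cbc"]

# Constructed sample of `ssh -Q cipher` output from an OpenSSH 8.x client, so
# the example runs without an ssh binary. Note: no arcfour, blowfish or CAST.
SAMPLE_CIPHERS = [
    "3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
    "chacha20-poly1305@openssh.com",
]

# The error from the question, as ssh prints it (one line).
SAMPLE_ERROR = (
    "Unable to negotiate with 10.100.149.86 port 22: no matching cipher found. "
    "Their offer: 3des-cbc,blowfish-cbc,aes128-cbc,aes192-cbc,aes256-cbc,"
    "cast128-cbc,arcfour,arcfour128,arcfour256"
)


def parse_error(line):
    """Return (config keyword, `ssh -Q` name, host, offered algorithms)."""
    m = NEGOTIATE_RE.search(line)
    if m is None:
        raise ValueError("not an OpenSSH 'Unable to negotiate' line: %r" % line)
    keyword, query = FAILURES[m.group("kind")]
    return keyword, query, m.group("host"), m.group("offer").split(",")


def local_support(query):
    """What the installed client was built with: `ssh -Q cipher|kex|key`."""
    ssh = shutil.which("ssh")
    if ssh is None:
        raise RuntimeError("no ssh client on PATH")
    out = subprocess.run([ssh, "-Q", query], capture_output=True,
                         text=True, check=True).stdout
    return out.split()


def negotiable(offered, supported):
    """Names both sides can use, PREFERENCE first, then in offer order."""
    have = set(supported)
    common = [a for a in offered if a in have]
    rank = {name: i for i, name in enumerate(PREFERENCE)}
    return sorted(common, key=lambda a: rank.get(a, len(rank)))


def config_line(keyword, algos):
    """One ssh_config line; '+' appends rather than replacing the defaults."""
    if not algos:
        return None
    return "%s +%s" % (keyword, ",".join(algos))


def suggest(error_line, supported=None):
    """Host stanza for ~/.ssh/config, or None if nothing usable is shared.

    None is the case no client setting can fix: the device needs newer
    firmware or a client that still carries those algorithms.
    """
    keyword, query, host, offered = parse_error(error_line)
    if supported is None:
        supported = local_support(query)
    line = config_line(keyword, negotiable(offered, supported))
    if line is None:
        return None
    return "Host %s\n    %s" % (host, line)


if __name__ == "__main__":
    import sys
    # Interactive: show the constructed sample. Piped: read ssh's real
    # stderr, e.g.  ssh user@host 2>&1 | python suggest_ssh_config.py
    if sys.stdin.isatty():
        print(suggest(SAMPLE_ERROR, SAMPLE_CIPHERS))
    else:
        for raw in sys.stdin:
            if "Unable to negotiate" in raw:
                print(suggest(raw.strip()) or "no algorithm in common")
```

For the question's error and the sample client this yields `Host 10.100.149.86` followed by `Ciphers +aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc`; run it once per error, since ssh reports the cipher, key-exchange and host-key mismatches one at a time, and append each stanza line to the same Host block. Scoping by Host is what keeps the old algorithms from being offered to every other server you connect to.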
