Skip to content

x/crypto/ssh: 'no common algorithms' against ubnt device #12982

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
bradfitz opened this issue Oct 19, 2015 · 7 comments
Closed

x/crypto/ssh: 'no common algorithms' against ubnt device #12982

bradfitz opened this issue Oct 19, 2015 · 7 comments
Labels
FrozenDueToAge
Milestone
Unreleased

Comments

@bradfitz
Copy link
Contributor

I have some of these little mFi mPower things (https://www.ubnt.com/mfi/mpower/) and they run a little Linux on 32-bit MIPS with 16 MB of RAM and dropbear ssh as the way to control it.

I wanted to use crypto/ssh against it, but I get "handshake failed: ssh: no common algorithms".

I modified the crypto/ssh code to show better errors, and I get:

$ cat officeamp.go
package main

import (
        "log"

        "golang.org/x/crypto/ssh"
) 

func main() {
        c, err := ssh.Dial("tcp", "10.0.0.136:22", &ssh.ClientConfig{
                User: "ubnt",
                Auth: []ssh.AuthMethod{ssh.Password("ubnt")},
        })
        if err != nil {
                log.Fatal(err)
        }
        log.Printf("got a %#v", c)
}
ante:officeamp $ go run officeamp.go
2015/10/18 18:18:41 ssh: handshake failed: ssh: no common algorithms: w.Cipher:
  client=["aes128-ctr" "aes192-ctr" "aes256-ctr" "aes128-gcm@openssh.com" "arcfour256" "arcfour128"]
  server=["aes128-cbc" "3des-cbc" "aes256-cbc" "twofish256-cbc" "twofish-cbc" "twofish128-cbc" "blowfish-cbc"]

Looks like it only does CBC.

I see there's an old bug about adding CBC ciphers (#4274) but it was closed as WorkingAsIntended.

Any possibility this can be opt-in in my ssh.ClientConfig?

/cc @hanwen @agl
@cespare
Copy link
Contributor

cespare commented Oct 19, 2015

@bradfitz does it work if you uncomment this line?

https://github.com/golang/crypto/blob/9fb97e878da8d908d467cb8c62408c93ed0107b9/ssh/cipher.go#L120

@bradfitz
Copy link
Contributor Author

@cespare, that line no longer exists.

@cespare
Copy link
Contributor

cespare commented Oct 19, 2015

@bradfitz I see it on master. https://github.com/golang/crypto/blob/master/ssh/cipher.go#L120

@hanwen
Copy link
Contributor

hanwen commented Oct 19, 2015

x/crypto has had improved error messages for a while as well. Git pull?

when did you buy this thing? Improved arcfour was defined in 2006 (https://www.ietf.org/rfc/rfc4345.txt). If this is the state of their security, then I hope this device doesn't control anything important.

@rsc rsc added this to the Unreleased milestone Oct 23, 2015
@bradfitz
Copy link
Contributor Author

Indeed, my x/crypto repo was stuck in the past.

Applying this "fixes" it:

diff --git a/ssh/cipher.go b/ssh/cipher.go
index 3e06da0..2fe79fc 100644
--- a/ssh/cipher.go
+++ b/ssh/cipher.go
@@ -117,7 +117,7 @@ var cipherModes = map[string]*streamCipherMode{

        // insecure cipher, see http://www.isg.rhul.ac.uk/~kp/SandPfinal.pdf
        // uncomment below to enable it.
-       // aes128cbcID: {16, aes.BlockSize, 0, nil},
+       aes128cbcID: {16, aes.BlockSize, 0, nil},
 }

 // prefixLen is the length of the packet prefix that contains the packet length
diff --git a/ssh/common.go b/ssh/common.go
index 9fc739e..9dd77e6 100644
--- a/ssh/common.go
+++ b/ssh/common.go
@@ -28,6 +28,7 @@ var supportedCiphers = []string{
        "aes128-ctr", "aes192-ctr", "aes256-ctr",
        "aes128-gcm@openssh.com",
        "arcfour256", "arcfour128",
+       "aes128-cbc",
 }

 // supportedKexAlgos specifies the supported key-exchange algorithms in

Thanks!

@tobor tobor mentioned this issue Dec 21, 2015
Closed
@egoldschmidt egoldschmidt mentioned this issue Dec 29, 2015
Closed
@xor-gate xor-gate mentioned this issue Mar 16, 2016
Closed
@dzlab
Copy link

dzlab commented May 6, 2016

I've the same problem but was able to fix it by adding "aes128-cbc" to supportedCiphers in $GOPATH/src/golang.org/x/crypto/ssh/common.go!!!
Is there a more appropriate way to do it??

@bradfitz
Copy link
Contributor Author

bradfitz commented May 6, 2016

@dzlab, see "permit use of CBC ciphers" commit above. You can now add it to your https://godoc.org/golang.org/x/crypto/ssh#Config

@golang golang locked and limited conversation to collaborators May 6, 2017
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge
Projects
None yet
Milestone
Unreleased
Development

No branches or pull requests
6 participants
@bradfitz @hanwen @rsc @cespare @dzlab @gopherbot