Question: SSH Not Working After Update To 10.13.2 (HighSierra)

After upgrading my High Sierra to version 10.13.2, the ssh client service stopped working, displaying the following error:

"Unable to negotiate with "xxx" port "xxx": no matching cipher found. Their offer: aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, arcfour, aes192-cbc, aes256-cbc, rijndael-cbc@lysator.liu.se"

Does anyone know how to solve this or if it is a bug?

iMac, macOS High Sierra (10.13.2)

Question marked as Helpful

Dec 14, 2017 11:10 AM in response to douglas.exe

Yeah, same problem here. For now, you can work around this with ...


ssh -c 3des-cbc <user>@<hostname>


Or by modifying your ~/.ssh/config file with something like...

...

Ciphers 3des-cbc

...


Or, get your server admin to add one of the keys that shows up in ssh -v to the server's sshd_config.

Dec 14, 2017 11:10 AM

Reply Helpful (6)

Jan 9, 2018 9:59 AM in response to douglas.exe

You can add "-oCiphers=+aes128-cbc" to get around this:


ssh -oCiphers=+aes128-cbc user@host


It seems like the update may have increased security a bit and removed the older ciphers from the defaults for SSH. You can also probably update your /etc/ssh/ssh_config file to allow the older ciphers or update your terminal profile to do it for you when you use ssh...

Jan 9, 2018 9:59 AM

Reply Helpful (1)

Jan 20, 2018 10:02 PM in response to amalyshev

amalyshev is correct. But to clarify:


sudo nano /etc/ssh/ssh_config


Find the line:

#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour


Insert a new line directly underneath and paste this line in:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc

Save the file and exit. ssh should work as usual.

Background:

This isn't so much an Apple thing as it is an OpenSSH thing. High Sierra's openssh has been updated to OpenSSH_7.6p1, which deprecates a bunch of older configs. Release notes are here. But basically they have removed support for the arcfour, blowfish and CAST ciphers. Older systems that are running old OpenSSH servers will still present old ciphers (eg my work NAS only supports up to aes256-cbc) so will need these as options.

If you follow amalyshev's instructions to the letter and simply uncomment the line you'll get an error similar to:

/etc/ssh/ssh_config line 33: Bad SSH2 cipher spec 'aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour'.

This is because the arcfour, cast and blowfish ciphers are no longer supported.

Jan 20, 2018 10:02 PM

Reply Helpful (1)

Jan 26, 2018 4:43 AM in response to douglas.exe

Instead of modifying your entire system config, you can also add the configuration per host. Edit (or create, if it's your first one) ~/.ssh/config and add the host details. For example:


Host 192.168.0.1

    Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc

Jan 26, 2018 4:43 AM

Reply Helpful (1)
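
As an added example that is not part of any reply above: a shell script that reads the "no matching cipher found" error from the question, picks the strongest cipher in the server's offer that the thread reports OpenSSH 7.6 still accepts, and prints a per-host stanza using the "+" append form so the client's modern defaults stay in place. The function names, the strongest-first ordering and the 192.0.2.10 address are this example's assumptions.

```shell
# Added example, not code from the thread.

# Legacy CBC ciphers the thread reports as still accepted by OpenSSH 7.6,
# ordered strongest first (the ordering is this example's assumption).
PREFERRED="aes256-cbc aes192-cbc aes128-cbc 3des-cbc"

# Extract the server's cipher list from a "no matching cipher found" line.
# Prints one cipher per line; fails if the line is some other error.
parse_offer() {
    case "$1" in
        *"no matching cipher found. Their offer:"*) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "${1#*Their offer:}" | tr -d ' "' | tr ',' '\n' | sed '/^$/d'
}

# Choose the strongest cipher present in both the offer and PREFERRED.
pick_cipher() {
    offer=$(parse_offer "$1") || return 1
    for c in $PREFERRED; do
        if printf '%s\n' "$offer" | grep -qxF -- "$c"; then
            printf '%s\n' "$c"
            return 0
        fi
    done
    return 1   # server offers only ciphers this client has removed
}

# Emit a per-host ~/.ssh/config stanza. "+" appends the cipher to the
# client's defaults instead of replacing the whole list.
host_stanza() {
    cipher=$(pick_cipher "$2") || {
        echo "no usable cipher for $1" >&2
        return 1
    }
    printf 'Host %s\n    Ciphers +%s\n' "$1" "$cipher"
}

# Constructed sample: the error from the question with a documentation address.
SAMPLE='Unable to negotiate with 192.0.2.10 port 22: no matching cipher found. Their offer: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se'

host_stanza 192.0.2.10 "$SAMPLE"
```

Scoping the legacy cipher to one Host entry keeps it from being offered to every other server the client connects to.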