
SSH Not Working After Update To 10.13.2 (HighSierra)

After upgrading my High Sierra to version 10.13.2, the ssh client service stopped working, displaying the following error:

"Unable to negotiate with "xxx" port "xxx": no matching cipher found. Their offer: aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, arcfour, aes192-cbc, aes256-cbc, rijndael-cbc@lysator.liu.se"

Does anyone know how to solve this, or if it is a bug?

iMac, macOS High Sierra (10.13.2)

Posted on Dec 12, 2017 6:25 AM

Question marked as Best reply

Posted on Dec 14, 2017 11:10 AM

Yeah, same problem here. For now, you can work around this with ...


ssh -c 3des-cbc <user>@<hostname>


Or by modifying your ~/.ssh/config file with something like...

...

Ciphers 3des-cbc

...


Or, get your server admin to add one of the keys that shows up in ssh -v to the server's sshd_config.

7 replies

Jan 9, 2018 9:59 AM in response to douglas.exe

You can add "-oCiphers=+aes128-cbc" to get around this:


ssh -oCiphers=+aes128-cbc user@host


It seems like the update may have increased security a bit and removed the older ciphers from the defaults for SSH. You can also probably update your /etc/ssh/ssh_config file to allow the older ciphers or update your terminal profile to do it for you when you use ssh...

Jan 20, 2018 10:02 PM in response to amalyshev

amalyshev is correct. But to clarify:


sudo nano /etc/ssh/ssh_config


Find the line:

# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour


Insert a new line directly underneath and paste this line in:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc

Save the file and exit. ssh should work as usual.

Background:

This isn't so much an Apple thing as it is an OpenSSH thing. High Sierra's openssh has been updated to OpenSSH_7.6p1, which deprecates a bunch of older configs. Release notes are here. But basically they have removed support for the arcfour, blowfish and CAST ciphers. Older systems that are running old OpenSSH servers will still present old ciphers (e.g. my work NAS only supports up to aes256-cbc) so will need these as options.

If you follow amalyshev's instructions to the letter and simply uncomment the line you'll get an error similar to:

/etc/ssh/ssh_config line 33: Bad SSH2 cipher spec 'aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour'.

This is because the arcfour, cast and blowfish ciphers are no longer supported.
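
An added example, not part of any post in this thread: instead of widening the global Ciphers line, this script takes the error text, intersects the server's offer with the ciphers the client still implements, and prints a ~/.ssh/config block that re-enables a single CBC cipher for that one host. The preference order, the host name and the client cipher list (a stand-in for `ssh -Q cipher` output) are assumptions of the example.

```shell
#!/bin/sh
# Added example: choose one legacy cipher for a single host instead of
# changing Ciphers globally in /etc/ssh/ssh_config.

# Preference order is an assumption of this example: AES-CBC before 3des-cbc.
PREFERRED="aes256-cbc aes192-cbc aes128-cbc 3des-cbc"

# Extract the comma-separated offer from the "no matching cipher found" error.
parse_offer() {
    printf '%s\n' "$1" | sed -n 's/.*Their offer: *//p' | tr -d ' "' | tr ',' '\n'
}

# in_list WORD LIST: succeed if WORD is one of the newline-separated LIST entries.
in_list() {
    printf '%s\n' "$2" | grep -qxF -- "$1"
}

# pick_cipher ERROR_TEXT CLIENT_SUPPORTED: print the first preferred cipher
# that the server offers and the client still implements; fail if none.
pick_cipher() {
    offer=$(parse_offer "$1")
    for c in $PREFERRED; do
        if in_list "$c" "$offer" && in_list "$c" "$2"; then
            printf '%s\n' "$c"
            return 0
        fi
    done
    return 1
}

# host_stanza HOST CIPHER: print a ~/.ssh/config block scoped to one host.
host_stanza() {
    printf 'Host %s\n    Ciphers +%s\n' "$1" "$2"
}

# Constructed sample input: the error text from the question, and a client
# list standing in for `ssh -Q cipher` output on OpenSSH 7.6.
SAMPLE_ERR='no matching cipher found. Their offer: aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, arcfour, aes192-cbc, aes256-cbc, rijndael-cbc@lysator.liu.se'
SAMPLE_CLIENT='3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
aes128-ctr
aes192-ctr
aes256-ctr'

if cipher=$(pick_cipher "$SAMPLE_ERR" "$SAMPLE_CLIENT"); then
    host_stanza "legacy-nas.example" "$cipher"   # hypothetical host name
fi
```

When the server offers only ciphers the client no longer implements, `pick_cipher` returns non-zero and no stanza is printed; the fix then has to happen on the server side.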
