You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

SSH Not Working After Update To 10.13.2 (HighSierra)

After upgrading my High Sierra to version 10.13.2, the ssh client service stopped working, displaying the following error:

"Unable to negotiate with "xxx" port "xxx": no matching cipher found. Their offer: aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, arcfour, aes192-cbc, aes256-cbc, rijndael-cbc @ lysator.liu.se"

Does anyone know how to solve or if it is bug?

iMac, macOS High Sierra (10.13.2), null

Posted on Dec 12, 2017 6:25 AM

Reply
Question marked as Top-ranking reply

Posted on Dec 14, 2017 11:10 AM

Yeah, same problem here. For now, you can work around this with ...


ssh -c 3des-cbc <user>@<hostname>


Or by modifying your ~/.ssh/config file with something like...

...

Ciphers 3des-cbc

...


Or, get your server admin to add one of the keys that shows up in ssh -v to the server's sshd_config.

7 replies

Jan 9, 2018 9:59 AM in response to douglas.exe

You can add "-oCiphers=+aes128-cbc" to get around this:


ssh -oCiphers=+aes128-cbc user@host


It seems like the update may have increased security a bit and removed the older ciphers from the defaults for SSH. You can also probably update your /etc/ssh/ssh_confg file to allow the older ciphers or update your terminal profile to do it for you when you use ssh...

Jan 20, 2018 10:02 PM in response to amalyshev

amalyshev is correct. But to clarify:


sudo nano /etc/ssh/ssh_config


Find the line:

#
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blow fish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour


Insert a new line directly underneath and paste this line in:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc

Save the file and exit. ssh should work as usual.

Background:

This isn't so much an Apple thing as it is an OpenSSH thing. High Sierra's openssh has been updated to OpenSSH_7.6p1, which deprecates a bunch of older configs. Release notes are here. But basically they have removed support for the arcfour, blowfish and CAST ciphers. Older systems that are running old OpenSSH servers will still present old ciphers (eg my work NAS only supports up to aes256-cbc) so will need these as options.

If you follow amalyshev's instructions to the letter and simply uncomment the line you'll get an error similar to:

/etc/ssh/ssh_config line 33: Bad SSH2 cipher spec 'aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blo wfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour'.

This is because the arcfour, cast and blowfish ciphers are no longer supported.

SSH Not Working After Update To 10.13.2 (HighSierra)

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.