
Windows native OpenSSH and git failing to negotiate cipher with server


I am trying to use Windows native OpenSSH with git. I followed Posh Security on how to get everything configured. I also added this to my C:\Users\UserID\.ssh\config file:

Ciphers aes256-cbc,aes192-cbc,aes128-cbc

However, I am unable to get it to work. I am receiving the following error message.

Unable to negotiate with 129.176.176.111 port 22: no matching cipher found. Their offer: aes256-cbc,aes192-cbc,aes128-cbc

Here is the debug output from trying to connect to the server.

OpenSSH_for_Windows_7.7p1, LibreSSL 2.6.5
debug1: Reading configuration data C:\\Users\\M112581/.ssh/config
debug3: Failed to open file:C:/ProgramData/ssh/ssh_config error:2
debug2: resolving "tfs.mayo.edu" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to tfs.mayo.edu [129.176.176.111] port 22.
debug1: Connection established.
debug1: identity file C:\\Users\\M112581/.ssh/id_rsa type 0
debug3: Failed to open file:C:/Users/M112581/.ssh/id_rsa-cert error:2
debug3: Failed to open file:C:/Users/M112581/.ssh/id_rsa-cert.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\M112581/.ssh/id_rsa-cert type -1
debug3: Failed to open file:C:/Users/M112581/.ssh/id_dsa error:2
debug3: Failed to open file:C:/Users/M112581/.ssh/id_dsa.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\M112581/.ssh/id_dsa type -1
debug3: Failed to open file:C:/Users/M112581/.ssh/id_dsa-cert error:2
debug3: Failed to open file:C:/Users/M112581/.ssh/id_dsa-cert.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\M112581/.ssh/id_dsa-cert type -1
debug3: Failed to open file:C:/Users/M112581/.ssh/id_ecdsa error:2
debug3: Failed to open file:C:/Users/M112581/.ssh/id_ecdsa.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\M112581/.ssh/id_ecdsa type -1
debug3: Failed to open file:C:/Users/M112581/.ssh/id_ecdsa-cert error:2
debug3: Failed to open file:C:/Users/M112581/.ssh/id_ecdsa-cert.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\M112581/.ssh/id_ecdsa-cert type -1
debug3: Failed to open file:C:/Users/M112581/.ssh/id_ed25519 error:2
debug3: Failed to open file:C:/Users/M112581/.ssh/id_ed25519.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\M112581/.ssh/id_ed25519 type -1
debug3: Failed to open file:C:/Users/M112581/.ssh/id_ed25519-cert error:2
debug3: Failed to open file:C:/Users/M112581/.ssh/id_ed25519-cert.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\M112581/.ssh/id_ed25519-cert type -1
debug3: Failed to open file:C:/Users/M112581/.ssh/id_xmss error:2
debug3: Failed to open file:C:/Users/M112581/.ssh/id_xmss.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\M112581/.ssh/id_xmss type -1
debug3: Failed to open file:C:/Users/M112581/.ssh/id_xmss-cert error:2
debug3: Failed to open file:C:/Users/M112581/.ssh/id_xmss-cert.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\M112581/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_7.7
debug1: Remote protocol version 2.0, remote software version SSHBlackbox.10
debug1: no match: SSHBlackbox.10
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to tfs.mayo.edu:22 as 'm112581'
debug3: hostkeys_foreach: reading file "C:\\Users\\M112581/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file C:\\Users\\M112581/.ssh/known_hosts:6
debug3: load_hostkeys: loaded 1 keys from tfs.mayo.edu
debug3: Failed to open file:C:/Users/M112581/.ssh/known_hosts2 error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts2 error:2
debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa
debug2: ciphers ctos: aes256-cbc,aes192-cbc,aes128-cbc
debug2: ciphers stoc: aes256-cbc,aes192-cbc,aes128-cbc
debug2: MACs ctos: hmac-sha2-256,hmac-sha2-512
debug2: MACs stoc: hmac-sha2-256,hmac-sha2-512
debug2: compression ctos: none,zlib,zlib@openssh.com
debug2: compression stoc: none,zlib,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: diffie-hellman-group14-sha1
debug1: kex: host key algorithm: ssh-rsa
Unable to negotiate with 129.176.176.111 port 22: no matching cipher found. Their offer: aes256-cbc,aes192-cbc,aes128-cbc

When I add the -c option with one of the offered ciphers (e.g. aes256-cbc), it is able to negotiate.

ssh -c aes256-cbc 129.176.176.111
debug1: Authentication succeeded (publickey).
Authenticated to tfs.mayo.edu ([129.176.176.111]:22)

Can anyone help me figure out why the connection is failing when using git? Why isn't one of the ciphers within my C:\Users\UserID\.ssh\config file being used?


Solution

  • Directives in the .ssh/config file need to be within a Host block, so you might want to write something like this:

    Host tfs.mayo.edu
        Ciphers [email protected],aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc
    

    Note that the key exchange algorithms and ciphers you're using are known to be insecure, and OpenSSH will likely drop support for them in the future. Since they're insecure, you don't want to restrict yourself to only those ciphers, but instead put them at the end of the list prefaced by more secure ciphers. That way, if the server gets upgraded to support better ciphers, you automatically use them, instead of continuing to use the insecure ones.

    You should contact your administrator and ask them to upgrade TFS to a fixed version that doesn't have these vulnerabilities.
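
The negotiation behind the error and the ordering advice above, as an added example that is not part of the original question or answer: it parses the KEXINIT proposals from an `ssh -vvv` style trace, applies the "first client algorithm the server also lists" rule, and shows the effect of appending the CBC ciphers after the stronger ones. The trace is constructed and shortened, the function names are illustrative, and the upgraded server is hypothetical.

```python
import re

# Constructed sample: KEXINIT lines in the format of an `ssh -vvv` trace, shortened.
TRACE = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,diffie-hellman-group14-sha1
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr
debug2: MACs ctos: hmac-sha2-256,hmac-sha1
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
debug2: ciphers ctos: aes256-cbc,aes192-cbc,aes128-cbc
debug2: MACs ctos: hmac-sha2-256,hmac-sha2-512
"""

FIELD = re.compile(r"debug2: (KEX algorithms|ciphers ctos|MACs ctos): (\S*)")

def parse_proposals(trace):
    """Split a trace into {'client': {field: [algs]}, 'server': {...}}."""
    sides, side = {"client": {}, "server": {}}, None
    for line in trace.splitlines():
        if "local client KEXINIT proposal" in line:
            side = "client"
        elif "peer server KEXINIT proposal" in line:
            side = "server"
        elif side and (m := FIELD.search(line)):
            sides[side][m.group(1)] = m.group(2).split(",")
    return sides

def negotiate(client, server):
    """Per field, pick the first client algorithm the server also lists
    (the RFC 4253 rule for ciphers and MACs; simplified for KEX)."""
    return {f: next((a for a in algs if a in server.get(f, [])), None)
            for f, algs in client.items()}

def with_fallback_ciphers(client, fallbacks):
    """Model a Ciphers line that keeps the strong list and appends fallbacks."""
    return {**client, "ciphers ctos": client["ciphers ctos"] + list(fallbacks)}

p = parse_proposals(TRACE)
CBC = ["aes256-cbc", "aes192-cbc", "aes128-cbc"]
before = negotiate(p["client"], p["server"])  # cipher is None: "no matching cipher found"
after = negotiate(with_fallback_ciphers(p["client"], CBC), p["server"])
# Hypothetical upgraded server that also offers a CTR cipher (assumption, not from the page):
upgraded = {**p["server"], "ciphers ctos": ["aes256-ctr"] + CBC}
later = negotiate(with_fallback_ciphers(p["client"], CBC), upgraded)
```

Running `ssh -G <host>` prints the effective client configuration, which is a quick way to confirm which `Ciphers` value is actually applied for a given host.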