CBC CIphers not enabled by default

[linuxus]

Hello folks,
I'm in the middle of doing an infrastructure deployment via Terrraform on a private cloud (OpenStack) and part of this deployment I'm creating resources (virtual routers). I have configuration steps for this virtual router that uses a ssh connection but there is an issue with the connection provisioner and here is the error:
ssh: handshake failed: ssh: no common algorithm for client to server cipher; client offered: [aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com arcfour256 arcfour128], server offered: [aes128-cbc 3des-cbc blowfish-cbc cast128-cbc arcfour aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se]

The virtual router has *-cbc cipher enabled and I cannot disabled it nor update it with *-ctr ciphers because it's virtual embedded appliance with a strip down proprietary OS. Was/is anyone was/is able to add option flag to use less secure cipher for ssh session from Terraform source code to include this option. I understand that Go crypto/ssh does not by default support *-cbc cipher but there are some legacy network gears that are using these old versions. All of these are in a private behind firewall secure datacenter and I'm less concerned about this security matter until the virtual router os is updated with better ciphers.

Thank you in advance,
Abdi

[jen20]

Hi @linuxus! Thanks for opening this issue. Unfortunately if go's crypto/sshdoesn't support this, there isn't much we can do without a significant amount of work. If it can support it we can definitely add tuning options to expose it. Right now though it doesn't look like this is possible - sorry! If you can find a way of making the crypto/ssh package connect successfully please feel free to reopen and we can take a second look.

[linuxus]

Hey James,
Thanks for the insight. You're correct in the crypto/ssh not supporting
this cypher and After looking little deeper I've downloaded
terraform source, updated crypto/ssh to include *-cbc cyphers and build
terraform. Now able to use connection (ssh) provisioner against legacy
resources.

Appreciate the help tho.
Abdi.

On Thursday, 3 March 2016, James Nugent notifications@github.com wrote:

Hi @linuxus https://github.com/linuxus! Thanks for opening this issue.
Unfortunately if go's crypto/sshdoesn't support this, there isn't much we
can do without a significant amount of work. If it can support it we can
definitely add tuning options to expose it. Right now though it doesn't
look like this is possible - sorry! If you can find a way of making the
crypto/ssh package connect successfully please feel free to reopen and we
can take a second look.

—
Reply to this email directly or view it on GitHub
#5279 (comment)
.

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.