"Unable to negotiate" and "no matching cipher found" errors when trying to connect with sftp.
This document (000020706) is provided subject to the disclaimer at the end of this document.
SUSE Linux Enterprise Server for SAP Applications 15 SP4
SUSE Linux Enterprise Desktop 15 SP4
SUSE Linux Enterprise Server 15 SP3
SUSE Linux Enterprise Server for SAP Applications 15 SP3
SUSE Linux Enterprise Desktop 15 SP3
[Unable to negotiate with X.X.X.X port 22: no matching cipher found. Their offer: blowfish-cbc, aes256-cbc]
There are two possible solutions:
1) Upgrade and harden the SFTP server so that it supports more secure ciphers (best solution);
2) As a workaround, force the SFTP client to select the legacy cipher supported by the SFTP server for encrypting the data transfers, using the -c parameter of the sftp command;
sftp -c aes128-cbc sftpuser@X.X.X.X
From sftp man page:
-c cipher Selects the cipher to use for encrypting the data transfers. This option is directly passed to ssh(1).
Block cipher mode of operation: https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation
SSH CBC vulnerability: https://www.kb.cert.org/vuls/id/958563
Plaintext Recovery Attacks Against SSH: https://www.isg.rhul.ac.uk/~kp/SandPfinal.pdf
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:000020706
- Creation Date: 22-Jul-2022
- Modified Date:22-Jul-2022
- SUSE Linux Enterprise Desktop
- SUSE Linux Enterprise Server
- SUSE Linux Enterprise Server for SAP Applications
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com