I'm running into an issue where a server was upgraded to RHEL 6.5, and we have automated bash scripts on an RHEL 5.9 install that connects through sftp and ssh commands.
Now, the new server only supports the ciphers aes128-ctr, aes192-ctr, and aes256-ctr.
I was able to update the ssh commands to use the -c option with aes256-ctr and this worked:
ssh -c aes256-ctr ${remote_host} ${my_command}
However, when I tried do the equivalent for sftp:
sftp -oCipher=aes256-ctr ${remote_host} <<< $'get /home/me/* me/'
I am getting an error that the client does not support the same ciphers as the server:
no matching cipher found: client
arcfour256,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
server aes128-ctr,aes192-ctr,aes256-ctr
These ssh and sftp command are executed on the same RHEL 5.9 box, so I'm wondering why this works for ssh and not sftp?
Also, how do fix this so I can connect using sftp without any client side changes?
Best Answer
The
Cipherdirective is for SSH version 1 (which is not in use nowadays).For SSH version 2, use the
Ciphers:See the
ssh_configman page.Though note that the
sftpsupports the-cswitch too. So there's no need for using the-o.See the
sftpman page:The option is supported since OpenSSH 5.4. The change is disguised as "Support most of scp(1)'s commandline arguments in sftp(1)".
Note the command-line argument
-cis primarily an equivalent to theCiphersdirective (while it can fall back to theCipher). Quote from thesshman page: