No common algorithm for key exchange

Hello forum,

What is the problem you are having with rclone?

The unix native ssh can connect but rclone fails with

NewFs: couldn't connect SSH: ssh: handshake failed: ssh: no common algorithm for key exchange; 

What is your rclone version (output from rclone version)

rclone: Version "v1.54.0"

Which cloud storage system are you using? (eg Google Drive)

S3 as the destination

The command you were trying to run (eg rclone copy /tmp remote:tmp)

"rclone" "lsf" "--config=tmp.conf" "-vv" "vendor:/"

The rclone config contents with secrets removed.

[state-s3]
type = s3
env_auth = true
region = region
location_constraint = region
acl = bucket-owner-full-control
server_side_encryption = AES256
storage_class = STANDARD

[krx]
type = sftp
host = vendor.ip.address
user = vendor
port = port
use_insecure_cipher = true

A log from the command with the -vv flag

WRITING TO: tmp.conf
2021/12/29 08:17:26 DEBUG : rclone: Version "v1.54.0" starting with parameters ["rclone" "lsf" "--config=tmp.conf" "-vv" "krx:/"]
2021/12/29 08:17:26 DEBUG : Using config file from "/jenkins/workspace/gic/downloaders/krx_kidx_0108/tmp.conf"
2021/12/29 08:17:26 DEBUG : Creating backend with remote "krx:/"
2021/12/29 08:17:26 DEBUG : pacer: low level retry 1/10 (error couldn't connect SSH: ssh: handshake failed: ssh: no common algorithm for key exchange; client offered: [curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256], server offered: [diffie-hellman-group1-sha1])
2021/12/29 08:17:26 DEBUG : pacer: Rate limited, increasing sleep to 200ms
2021/12/29 08:17:27 DEBUG : pacer: low level retry 2/10 (error couldn't connect SSH: ssh: handshake failed: ssh: no common algorithm for key exchange; client offered: [curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256], server offered: [diffie-hellman-group1-sha1])
2021/12/29 08:17:27 DEBUG : pacer: Rate limited, increasing sleep to 400ms
2021/12/29 08:17:27 DEBUG : pacer: low level retry 3/10 (error couldn't connect SSH: ssh: handshake failed: ssh: no common algorithm for key exchange; client offered: [curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256], server offered: [diffie-hellman-group1-sha1])
2021/12/29 08:17:27 DEBUG : pacer: Rate limited, increasing sleep to 800ms
2021/12/29 08:17:28 DEBUG : pacer: low level retry 4/10 (error couldn't connect SSH: ssh: handshake failed: ssh: no common algorithm for key exchange; client offered: [curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256], server offered: [diffie-hellman-group1-sha1])
2021/12/29 08:17:28 DEBUG : pacer: Rate limited, increasing sleep to 1.6s
2021/12/29 08:17:29 DEBUG : pacer: low level retry 5/10 (error couldn't connect SSH: ssh: handshake failed: ssh: no common algorithm for key exchange; client offered: [curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256], server offered: [diffie-hellman-group1-sha1])
2021/12/29 08:17:29 DEBUG : pacer: Rate limited, increasing sleep to 2s
2021/12/29 08:17:30 DEBUG : pacer: low level retry 6/10 (error couldn't connect SSH: ssh: handshake failed: ssh: no common algorithm for key exchange; client offered: [curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256], server offered: [diffie-hellman-group1-sha1])
2021/12/29 08:17:32 DEBUG : pacer: low level retry 7/10 (error couldn't connect SSH: ssh: handshake failed: ssh: no common algorithm for key exchange; client offered: [curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256], server offered: [diffie-hellman-group1-sha1])
2021/12/29 08:17:34 DEBUG : pacer: low level retry 8/10 (error couldn't connect SSH: ssh: handshake failed: ssh: no common algorithm for key exchange; client offered: [curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256], server offered: [diffie-hellman-group1-sha1])
2021/12/29 08:17:36 DEBUG : pacer: low level retry 9/10 (error couldn't connect SSH: ssh: handshake failed: ssh: no common algorithm for key exchange; client offered: [curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256], server offered: [diffie-hellman-group1-sha1])
2021/12/29 08:17:38 DEBUG : pacer: low level retry 10/10 (error couldn't connect SSH: ssh: handshake failed: ssh: no common algorithm for key exchange; client offered: [curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256], server offered: [diffie-hellman-group1-sha1])
2021/12/29 08:17:38 Failed to create file system for "krx:/": NewFs: couldn't connect SSH: ssh: handshake failed: ssh: no common algorithm for key exchange; client offered: [curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256], server offered: [diffie-hellman-group1-sha1]
Build step 'Execute shell' marked build as failure

Additional info

The vendor has mentioned that their solution's supported config is as below.

(1) Key exchange algorithms : GH_GROUP1_SHA1
(2) Encryption algorithms : AES128_CBC, 3DES_CBC, AES256_CBC
(3) Mac algorithms : HMAC_SHA1, HMAC_MD5
(4) Public key algorithms : SSH_RSA, SSH_DSS

So, as the error indicates, there is a clear mismatch.

The "use_insecure_cipher" does not help, please suggest.

Thanks,
Shirish

You have an old version.

Can you update and retest?

Exact same error even with the newer version

2021/12/31 01:35:05 DEBUG : rclone: Version "v1.57.0" starting with parameters ["/tmp/rclone-v1.57.0-linux-amd64/rclone" "lsf" "--config=tmp.conf" "-vv" "vendor:/"]
2021/12/31 01:35:05 DEBUG : Creating backend with remote "vendor:/"
2021/12/31 01:35:05 DEBUG : Using config file from "/jenkins/workspace/rands/downloaders/vendor_kidx_0108/tmp.conf"
2021/12/31 01:35:05 DEBUG : pacer: low level retry 1/10 (error couldn't connect SSH: ssh: handshake failed: ssh: no common algorithm for key exchange; client offered: [curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256], server offered: [diffie-hellman-group1-sha1])
2021/12/31 01:35:05 DEBUG : pacer: Rate limited, increasing sleep to 200ms
2021/12/31 01:35:06 DEBUG : pacer: low level retry 2/10 (error couldn't connect SSH: ssh: handshake failed: ssh: no common algorithm for key exchange; client offered: [curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256], server offered: [diffie-hellman-group1-sha1])
2021/12/31 01:35:06 DEBUG : pacer: Rate limited, increasing sleep to 400ms
2021/12/31 01:35:06 DEBUG : pacer: low level retry 3/10 (error couldn't connect SSH: ssh: handshake failed: ssh: no common algorithm for key exchange; client offered: [curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256], server offered: [diffie-hellman-group1-sha1])
2021/12/31 01:35:06 DEBUG : pacer: Rate limited, increasing sleep to 800ms
2021/12/31 01:35:07 DEBUG : pacer: low level retry 4/10 (error couldn't connect SSH: ssh: handshake failed: ssh: no common algorithm for key exchange; client offered: [curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256], server offered: [diffie-hellman-group1-sha1])
2021/12/31 01:35:07 DEBUG : pacer: Rate limited, increasing sleep to 1.6s
2021/12/31 01:35:08 DEBUG : pacer: low level retry 5/10 (error couldn't connect SSH: ssh: handshake failed: ssh: no common algorithm for key exchange; client offered: [curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256], server offered: [diffie-hellman-group1-sha1])
2021/12/31 01:35:08 DEBUG : pacer: Rate limited, increasing sleep to 2s
2021/12/31 01:35:09 DEBUG : pacer: low level retry 6/10 (error couldn't connect SSH: ssh: handshake failed: ssh: no common algorithm for key exchange; client offered: [curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256], server offered: [diffie-hellman-group1-sha1])
2021/12/31 01:35:11 DEBUG : pacer: low level retry 7/10 (error couldn't connect SSH: ssh: handshake failed: ssh: no common algorithm for key exchange; client offered: [curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256], server offered: [diffie-hellman-group1-sha1])
2021/12/31 01:35:13 DEBUG : pacer: low level retry 8/10 (error couldn't connect SSH: ssh: handshake failed: ssh: no common algorithm for key exchange; client offered: [curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256], server offered: [diffie-hellman-group1-sha1])
2021/12/31 01:35:15 DEBUG : pacer: low level retry 9/10 (error couldn't connect SSH: ssh: handshake failed: ssh: no common algorithm for key exchange; client offered: [curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256], server offered: [diffie-hellman-group1-sha1])
2021/12/31 01:35:17 DEBUG : pacer: low level retry 10/10 (error couldn't connect SSH: ssh: handshake failed: ssh: no common algorithm for key exchange; client offered: [curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256], server offered: [diffie-hellman-group1-sha1])
2021/12/31 01:35:17 Failed to create file system for "vendor:/": NewFs: couldn't connect SSH: ssh: handshake failed: ssh: no common algorithm for key exchange; client offered: [curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256], server offered: [diffie-hellman-group1-sha1]
Build step 'Execute shell' marked build as failure

I suggest you try troubleshooting by establishing an sftp connection using the sftp command in your OS, that is something like this:

sftp -v vendor.ip.address
user: vendor
password: ???
> pwd
> ls
> exit

Also please share the full output from rclone version, so we can see your OS etc.

The command line SFTP works correctly, apologies, I should have added this detail earlier.
The latest test I did was for v1.57

# /test/rclone-v1.57.0-linux-amd64/rclone version
rclone v1.57.0
- os/version: centos 7.7.1908 (64 bit)
- os/kernel: 3.10.0-1062.12.1.el7.x86_64 (x86_64)
- os/type: linux
- os/arch: amd64
- go/version: go1.17.2
- go/linking: static
- go/tags: none

Perfect, here is my highly condensed view on the issue:

Your SFTP server only offers: diffie-hellman-group1-sha1
The closest match in rclone is: diffie-hellman-group-exchange-sha1 (with insecure_cipher=true)

I have found this 4-year-old description of the two key exchange methods:

3.3. diffie-hellman-group-exchange-sha1

This set of ephemerally generated key exchange groups uses SHA-1 as defined in [RFC4419]. However, SHA-1 has security concerns provided in [RFC6194]. It is recommended that these key exchange groups NOT be used. This key exchange SHOULD NOT be used.

3.5. diffie-hellman-group1-sha1
This method uses [RFC7296] Oakley Group 2 (a 1024-bit MODP group) and SHA-1 [RFC3174]. Due to recent security concerns with SHA-1 [RFC6194] and with MODP groups with less than 2048 bits (see [LOGJAM] and [NIST-SP-800-131Ar1]), this method is considered insecure. This method is being moved from MUST to SHOULD NOT instead of MUST NOT only to allow a transition time to get off of it. There are many old implementations out there that may still need to use this key exchange, it should be removed from server implementations as quickly as possible.

It therefore seems like your vendor is far behind security-wise and the rclone development team has decided that diffie-hellman-group1-sha1 is too insecure, that is "MUST NOT" (even when allowing insecure key exchange).

You may be able to create a personal workaround by modifying this piece of code:

but I wouldn't recommend it nor support it.
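As an added example (not part of the thread and not rclone's own code), the Go program below parses the handshake error from the `-vv` log, lists what each side offered, computes the overlap, and attaches the rating from the two draft sections quoted above to each server-offered method. The names `ParseKexMismatch`, `KexReport` and `rated` are hypothetical; the sample line is copied from the v1.57.0 log in this thread.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Matches the negotiation failure text that appears in the rclone -vv log.
var kexErr = regexp.MustCompile(`no common algorithm for key exchange; client offered: \[([^\]]*)\], server offered: \[([^\]]*)\]`)

// Ratings taken only from the two draft sections quoted in the thread.
var rated = map[string]string{
	"diffie-hellman-group1-sha1":         "SHOULD NOT: 1024-bit MODP group with SHA-1",
	"diffie-hellman-group-exchange-sha1": "SHOULD NOT: SHA-1",
}

// KexReport holds both offers, their overlap, and a note per server method.
type KexReport struct {
	Client, Server, Common []string
	ServerNotes            map[string]string
}

// ParseKexMismatch extracts both offers from one log line; ok is false
// when the line is not a key exchange negotiation failure.
func ParseKexMismatch(line string) (KexReport, bool) {
	m := kexErr.FindStringSubmatch(line)
	if m == nil {
		return KexReport{}, false
	}
	r := KexReport{Client: strings.Fields(m[1]), Server: strings.Fields(m[2]), ServerNotes: map[string]string{}}
	offered := map[string]bool{}
	for _, a := range r.Client {
		offered[a] = true
	}
	for _, a := range r.Server {
		if offered[a] {
			r.Common = append(r.Common, a)
		}
		if note, ok := rated[a]; ok {
			r.ServerNotes[a] = note
		} else {
			r.ServerNotes[a] = "not rated in the text quoted in this thread"
		}
	}
	return r, true
}

// Sample input: the final error line of the v1.57.0 log in this thread.
const sampleLine = `2021/12/31 01:35:17 Failed to create file system for "vendor:/": NewFs: couldn't connect SSH: ssh: handshake failed: ssh: no common algorithm for key exchange; client offered: [curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256], server offered: [diffie-hellman-group1-sha1]`

func main() {
	r, ok := ParseKexMismatch(sampleLine)
	fmt.Println(ok, "common:", r.Common, "server notes:", r.ServerNotes)
}
```

An empty overlap together with a "SHOULD NOT" note on every server-offered method shows that the remedy sits on the server side, which is the point to raise with the vendor.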

Thank you Ole, I appreciate all the help and you taking the time to find the exact information with all the pinpoint details.

This will help me to put my point across better.

Happy new year!

Thank you, happy new year!
