2019-07-10 10:01
浏览 232

配置rclone以支持diffie-hellman-group-exchange-sha256 diffie-hellman-group-exchange-sha1

Some quick background. I use rclone to transfer data to a SFTP server. rclone is written in Golang and uses lib crypto under the hood. When we try to establish ssh connection to SFTP server, we get the error message

couldn't connect SSH: ssh: handshake failed: ssh: no common algorithm for key exchange; client offered: [curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group14-sha1 diffie-hellman-group1-sha1], server offered: [diffie-hellman-group-exchange-sha256 diffie-hellman-group-exchange-sha1].

crypto lib has added the support for diffie-hellman-group-exchange-sha256 diffie-hellman-group-exchange-sha1 around 3 weeks ago, but needs to be opt-in. (See https://github.com/golang/crypto/commit/57b3e21c3d5606066a87e63cfe07ec6b9f0db000)

Obviously, the latest rclone version hasn’t opt-in those algorithms support yet. So the question is: Anyone know how to config rclone to opt-in algorithm support for diffie-hellman-group-exchange-sha256 diffie-hellman-group-exchange-sha1

  • 点赞
  • 写回答
  • 关注问题
  • 收藏
  • 邀请回答

1条回答 默认 最新

  • dtbglv5450
    dtbglv5450 2019-07-12 07:17

    We have managed to opt-in those algorithms support and submitted a PR here: https://github.com/ncw/rclone/pull/3341

    Note: since those algorithms are considered insecure, your also need to use the exisiting rclone flag --sftp-use-insecure-cipher to make them available for SSH handshake.

    点赞 评论