Enable arcfour and Other Fast Ciphers on Recent Versions of OpenSSH
22 Oct 2014
After a recent update to my Arch Linux box I noticed that some of my backup scripts started complaining about not being able to connect to my machine. The error message I was seeing was:
    mgalgs@remote-host $ ssh -c arcfour my-machine
    no matching cipher found: client arcfour server aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
This was after updating openssh:

    $ grep openssh /var/log/pacman.log | tail -1
    [2014-10-20 13:51] [PACMAN] upgraded openssh (6.6p1-2 -> 6.7p1-1)
The "no matching cipher found" error message is a result of OpenSSH 6.7 disabling a few ciphers by default for security reasons. However, I’m only making these connections within my trusted LAN, so frankly I don’t care about the security of my ssh cipher. Heck, I’d even be OK with clear-text.
To get these fast (but insecure) ciphers back, you need to add a Ciphers line to your sshd_config. Check the man page on your system for the default value and just add arcfour to it. You can also get a list of all available ciphers by querying your system with ssh -Q. Pipe that sucker into paste and you have yourself a line suitable for pasting into sshd_config:

    $ ssh -Q cipher localhost | paste -d , -s -
    3des-cbc,blowfish-cbc,cast128-cbc,arcfour,arcfour128,arcfour256,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
Here’s what I ended up adding to my sshd_config:

    # enable all ciphers!
    # obtained with ssh -Q cipher localhost | paste -d , -s -
    Ciphers 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,arcfour128,arcfour256,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
Remember, only do this if you don’t care about security (i.e. you never accept connections from outside your trusted network).
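The narrower option mentioned above (take the default list and add only arcfour to it), as an added example that is not part of the original post. The function name build_ciphers_line and the two sample lists are assumptions: the lists are constructed from the OpenSSH 6.7p1 outputs quoted in this post, and on a live system the supported list would come from ssh -Q cipher.

```shell
#!/usr/bin/env bash
# Added example: build a Ciphers line from the server defaults plus selected
# extras, instead of enabling every cipher the binary supports.

# Constructed sample data for OpenSSH 6.7p1 (live source: ssh -Q cipher).
SUPPORTED="3des-cbc blowfish-cbc cast128-cbc arcfour arcfour128 arcfour256 \
aes128-cbc aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se \
aes128-ctr aes192-ctr aes256-ctr \
aes128-gcm@openssh.com aes256-gcm@openssh.com chacha20-poly1305@openssh.com"

# Constructed sample data: the server list from the error message above.
DEFAULTS="aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com"

# build_ciphers_line DEFAULTS SUPPORTED EXTRA...
# Prints "Ciphers <list>": the defaults followed by each EXTRA that the binary
# supports and that is not already in the list. Returns 1 if any EXTRA is
# unsupported, since sshd rejects a config naming an unknown cipher.
build_ciphers_line() {
    local list="$1" supported="$2" extra rc=0
    shift 2
    for extra in "$@"; do
        case " $supported " in
            *" $extra "*) ;;                      # known to this build
            *) echo "unsupported cipher: $extra" >&2
               rc=1
               continue ;;
        esac
        case ",$list," in
            *",$extra,"*) ;;                      # already listed, no duplicate
            *) list="$list,$extra" ;;
        esac
    done
    printf 'Ciphers %s\n' "$list"
    return "$rc"
}

# Defaults plus arcfour only; the CBC and 3DES entries stay disabled.
build_ciphers_line "$DEFAULTS" "$SUPPORTED" arcfour
```

After adding the resulting line to sshd_config, sshd -t checks the file for validity before the daemon is restarted.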