Question

Having problem with remote login on Ubuntu after being updated to 15.04

I updated my server from 14.1 to 15.04 and I having issues logging in with one of my IDE’s. I kept getting this errror,

establishing sftp connection failed no suitable key exchange algorithm could be agreed

I found this page with a solution https://nikinuryadin.wordpress.com/2015/05/19/aptana-studio-3-sftp-key-exchange/

It says to add this line to my /etc/ssh/sshd_config file

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
KexAlgorithms=curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

My question is, will this weaken my security or cause any major security risks by adding these ciphers?

Submit an answer

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Want to learn more? Join the DigitalOcean Community!

Join our DigitalOcean community of over a million developers for free! Get help and share knowledge in Q&A, subscribe to topics of interest, and get courses and tools that will help you grow as a developer and scale your project or business.

Andrew SBJune 2, 2016

A number of those ciphers have been deemed as legacy by the OpenSSH team and are no longer supported by default. While for some attacks are still just theoretical, it’s still encouraged to regenerate your keys to use stronger a cipher. diffie-hellman-group1-sha1 in particular was commonly used. You can read more about its weaknesses here:

We further estimate that an academic team can break a 768-bit prime and that a nation-state can break a 1024-bit prime. Breaking the single, most common 1024-bit prime used by web servers would allow passive eavesdropping on connections to 18% of the Top 1 Million HTTPS domains. A second prime would allow passive decryption of connections to 66% of VPN servers and 26% of SSH servers. A close reading of published NSA leaks shows that the agency’s attacks on VPNs are consistent with having achieved such a break.

You can regenerate the server’s host keys using:

sudo dpkg-reconfigure openssh-server

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up