[paramiko] alternate ciphers

Marcin Krol mrkafk at gmail.com
Wed Jan 27 03:40:18 PST 2010


Hello James,

I'm sorry to say that it doesn't work:

james bardin wrote:

> I don't think there's any way to set the security options with SSHClient, so
> you will have to use the Transport directly.
> 
> 
> ###############
> import paramiko
> import socket
> s = socket.socket()
> s.connect(('localhost', 22))
> t = paramiko.Transport(s)
> t.get_security_options().ciphers = ('arcfour128',)
> t.connect
> .....


Regardless of what I set as .ciphers in transport (using both = and the
_set_ciphers method), the transport still uses the original ciphers tuple.

The code:

         cph = transport.get_security_options()._get_ciphers()
         print 'orig ciphers', cph
         if 'blowfish-cbc' in cph:
             cph = list(cph)
             cph.remove('blowfish-cbc')
             cph = tuple(['blowfish-cbc'] + cph)
             #transport.get_security_options()._set_ciphers(cph)
             transport.get_security_options().ciphers = cph
             transport.get_security_options().ciphers = ('blowfish-cbc',)
         print 'ciphers', transport.get_security_options()._get_ciphers()
         channel = transport.open_session()
         scpcmd = 'scp -t -v %s\n' % self.rfpath
         try:
             channel.exec_command(scpcmd)
         except paramiko.SSHException, e:

I get:

orig ciphers ('aes128-cbc', 'blowfish-cbc', 'aes256-cbc', '3des-cbc')
ciphers ('blowfish-cbc',)

So it changes the ciphers tuple.

But when I look at the debug output from sshd on the target machine, I get this:


Jan 31 13:13:09 NC047017 sshd[31545]: debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
Jan 31 13:13:09 NC047017 sshd[31545]: debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
Jan 31 13:13:09 NC047017 sshd[31545]: debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
Jan 31 13:13:09 NC047017 sshd[31545]: debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
Jan 31 13:13:09 NC047017 sshd[31545]: debug2: kex_parse_kexinit: none,zlib@openssh.com
Jan 31 13:13:09 NC047017 sshd[31545]: debug2: kex_parse_kexinit: none,zlib@openssh.com
Jan 31 13:13:09 NC047017 sshd[31545]: debug2: kex_parse_kexinit:
Jan 31 13:13:09 NC047017 sshd[31545]: debug2: kex_parse_kexinit:
Jan 31 13:13:09 NC047017 sshd[31545]: debug2: kex_parse_kexinit: first_kex_follows 0
Jan 31 13:13:09 NC047017 sshd[31545]: debug2: kex_parse_kexinit: reserved 0
Jan 31 13:13:09 NC047017 sshd[31545]: debug2: kex_parse_kexinit: diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1
Jan 31 13:13:09 NC047017 sshd[31545]: debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
Jan 31 13:13:09 NC047017 sshd[31545]: debug2: kex_parse_kexinit: aes128-cbc,blowfish-cbc,aes256-cbc,3des-cbc
Jan 31 13:13:09 NC047017 sshd[31545]: debug2: kex_parse_kexinit: aes128-cbc,blowfish-cbc,aes256-cbc,3des-cbc
Jan 31 13:13:09 NC047017 sshd[31545]: debug2: kex_parse_kexinit: hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
Jan 31 13:13:09 NC047017 sshd[31545]: debug2: kex_parse_kexinit: hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
Jan 31 13:13:09 NC047017 sshd[31545]: debug2: kex_parse_kexinit: none
Jan 31 13:13:09 NC047017 sshd[31545]: debug2: kex_parse_kexinit: none
Jan 31 13:13:09 NC047017 sshd[31545]: debug2: kex_parse_kexinit:
Jan 31 13:13:09 NC047017 sshd[31545]: debug2: kex_parse_kexinit:
Jan 31 13:13:09 NC047017 sshd[31545]: debug2: kex_parse_kexinit: first_kex_follows 0
Jan 31 13:13:09 NC047017 sshd[31545]: debug2: kex_parse_kexinit: reserved 0
Jan 31 13:13:09 NC047017 sshd[31545]: debug2: mac_init: found hmac-sha1
Jan 31 13:13:09 NC047017 sshd[31545]: debug1: kex: client->server aes128-cbc hmac-sha1 none
Jan 31 13:13:09 NC047017 sshd[31545]: debug2: mac_init: found hmac-sha1
Jan 31 13:13:09 NC047017 sshd[31545]: debug1: kex: server->client aes128-cbc hmac-sha1 none

So it uses aes128-cbc in both directions instead of the selected cipher
(blowfish).

In the docs I don't see any options to set cipher on channel -- does it 
have to be transport?

Please help...


Regards,
mk
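
Added example (not part of the original message and not paramiko code): a checker that reads sshd `debug2: kex_parse_kexinit` lines like those in the log above, extracts the cipher list the client really sent, and applies the RFC 4253 selection rule to it. The function names and the sample log are constructed for illustration; it assumes un-wrapped log lines and that sshd logs its own proposal before the client's, which matches the second block above repeating the 'orig ciphers' tuple.

```python
import re

# Order of the name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
LINE = re.compile(r"debug2: kex_parse_kexinit:\s*(.*)$")

def parse_proposals(log_text):
    """Split sshd debug2 output into complete KEXINIT proposals."""
    proposals, current = [], []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m or m.group(1).startswith("first_kex_follows"):
            continue
        value = m.group(1).strip()
        if value.startswith("reserved"):      # last line of one proposal
            if len(current) == len(FIELDS):   # drop truncated proposals
                proposals.append(dict(zip(FIELDS, current)))
            current = []
            continue
        current.append([name for name in value.split(",") if name])
    return proposals

def negotiate(client_list, server_list):
    """RFC 4253: first name on the client's list that the server also lists."""
    return next((n for n in client_list if n in server_list), None)

def check_pinned_cipher(log_text, wanted):
    """Report the client's real cipher offer and whether the pin took effect."""
    server, client = parse_proposals(log_text)[:2]  # assumption: sshd logs its own first
    offered = client["enc_c2s"]
    chosen = negotiate(offered, server["enc_c2s"])
    return {"offered": offered, "chosen": chosen,
            "pin_effective": offered == [wanted] and chosen == wanted}

# Constructed sample input (shortened lists, placeholder host name and pid).
PREFIX = "Jan 31 13:13:09 host sshd[1]: debug2: kex_parse_kexinit: "
def sample_log(client_ciphers):
    def block(hostkey, enc):
        values = ["diffie-hellman-group1-sha1", hostkey, enc, enc, "hmac-sha1",
                  "hmac-sha1", "none", "none", "", "", "first_kex_follows 0", "reserved 0"]
        return [PREFIX + v for v in values]
    server = block("ssh-rsa", "aes128-cbc,3des-cbc,blowfish-cbc,aes256-cbc")
    client = block("ssh-rsa,ssh-dss", client_ciphers)
    return "\n".join(server + client)

if __name__ == "__main__":
    log = sample_log("aes128-cbc,blowfish-cbc,aes256-cbc,3des-cbc")
    print(check_pinned_cipher(log, "blowfish-cbc"))
```

An `offered` list that still holds all four ciphers, as in the log above, shows that the client's KEXINIT did not carry the changed tuple, so the server picks the first shared entry, aes128-cbc.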






