paramiko Incompatible ssh peer (no acceptable kex algorithm)

Question

I'm getting the following error when trying to ssh to a Cisco ACS device using the paramiko library. I've used paramiko in python without issue, and I can ssh to this box from the command line, or using putty without issue. I've turned on debugging and copied the info here. Please let me know if you can help me out.

import paramiko import sys import socket  try:     paramiko.common.logging.basicConfig(level=paramiko.common.DEBUG)     sshConnection = paramiko.SSHClient()     sshConnection.set_missing_host_key_policy(paramiko.AutoAddPolicy())     sshConnection.connect('server',username='username',password='password') except paramiko.BadAuthenticationType:     sys.stdout.write('Bad Password!\n')          sys.exit() except paramiko.SSHException, sshFail:     sys.stdout.write('Connection Failed!\n')     sys.stdout.write('%s\n' % sshFail)     sys.exit() except socket.error, socketFail:     sys.stdout.write('Failed to open socket\n')     sys.stdout.write('%s\n' % socketFail)     sys.exit() 

and the debug output returned:

DEBUG:paramiko.transport:starting thread (client mode): 0x14511d0L INFO:paramiko.transport:Connected (version 2.0, client OpenSSH_5.3) DEBUG:paramiko.transport:kex algos:['diffie-hellman-group14-sha1'] server key:['ssh-rsa'] client encrypt:['aes256-cbc', 'aes128-cbc', '3des-cbc'] server encrypt:['aes256-cbc', 'aes128-cbc', '3des-cbc'] client mac:['hmac-sha1'] server mac:['hmac-sha1'] client compress:['none', '[email protected]'] server compress:['none', '[email protected]'] client lang:[''] server lang:[''] kex follows?False ERROR:paramiko.transport:Exception: Incompatible ssh peer (no acceptable kex algorithm) ERROR:paramiko.transport:Traceback (most recent call last): ERROR:paramiko.transport:  File "build\bdist.win32\egg\paramiko\transport.py", line 1546, in run ERROR:paramiko.transport:    self._handler_table[ptype](self, m) ERROR:paramiko.transport:  File "build\bdist.win32\egg\paramiko\transport.py", line 1618, in _negotiate_keys ERROR:paramiko.transport:    self._parse_kex_init(m) ERROR:paramiko.transport:  File "build\bdist.win32\egg\paramiko\transport.py", line 1731, in _parse_kex_init ERROR:paramiko.transport:    raise SSHException('Incompatible ssh peer (no acceptable kex algorithm)') ERROR:paramiko.transport:SSHException: Incompatible ssh peer (no acceptable kex algorithm) ERROR:paramiko.transport: Connection Failed! Incompatible ssh peer (no acceptable kex algorithm) 

I've made sure I have the most recent versions of pycrypto and paramiko installed.

Answer 1

I was having similar issue with Debian 8 and OpenSSH on the server side.

As a quick fix, the following Cipher/MACs/KexAlgorithms settings on the server side fixes the issue:

In /etc/ssh/sshd_config:

Ciphers [email protected],[email protected],aes256-ctr,aes128-ctr MACs [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,hmac-sha1 KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1 

Though... you should analyze those settings from the security point of view. I set it in lab env, so didn't take care about it.

Also not sure if you can modify it in this way for Cisco ACS

Answer 2

I upgraded the paramiko to fix the problem:

 sudo pip install paramiko --upgrade 

My updated version of paramiko is:

paramiko==2.0.2