Config rclone to support diffie-hellman-group-exchange-sha256 diffie-hellman-group-exchange-sha1
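Some quick background. I use rclone to transfer data to an SFTP server. rclone is written in Golang and uses the crypto lib under the hood. When we try to establish an ssh connection to the SFTP server, we get the error message: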
couldn't connect SSH: ssh: handshake failed: ssh: no common algorithm
for key exchange; client offered: [curve25519-sha256@libssh.org
ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521
diffie-hellman-group14-sha1 diffie-hellman-group1-sha1], server
offered: [diffie-hellman-group-exchange-sha256
diffie-hellman-group-exchange-sha1].
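The crypto library added support for diffie-hellman-group-exchange-sha256 and diffie-hellman-group-exchange-sha1 about 3 weeks ago, but it requires opt-in. (See https://github.com/golang/crypto/commit/57b3e21c3d5606066a87e63cfe07ec6b9f0db000)
Apparently, the latest rclone release has not yet opted in to support for these algorithms. So the question is: does anyone know how to configure rclone to opt in to support for the diffie-hellman-group-exchange-sha256 and diffie-hellman-group-exchange-sha1 algorithms?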
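We have managed to opt in to support for these algorithms and submitted a PR here: https://github.com/ncw/rclone/pull/3341
Note: because these algorithms are considered insecure, you also need to use the existing rclone flag --sftp-use-insecure-cipher to make them available for the SSH handshake.
The interactive rclone config now also offers to enable insecure ciphers: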
Enable the use of insecure ciphers and key exchange methods.
This enables the use of the following insecure ciphers and key exchange methods:
- aes128-cbc
- aes192-cbc
- aes256-cbc
- 3des-cbc
- diffie-hellman-group-exchange-sha256
- diffie-hellman-group-exchange-sha1
Those algorithms are insecure and may allow plaintext data to be recovered by an attacker.
Enter a boolean value (true or false). Press Enter for the default ("false").
Choose a number from below, or type in your own value
1 / Use default Cipher list.
\ "false"
2 / Enables the use of the aes128-cbc cipher and diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1 key exchange.
\ "true"
use_insecure_cipher> 2
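A way to check, from the handshake error alone, whether the insecure-cipher option would cover what the server offers. This is an added example, not code from the original post, rclone or the Go crypto library; `DiagnoseKex` and `SampleErr` are hypothetical names, and `insecureOptIn` is taken only from the key exchange methods listed in the rclone config text above.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Key exchange methods the rclone config text above ties to use_insecure_cipher.
var insecureOptIn = map[string]bool{
	"diffie-hellman-group-exchange-sha256": true,
	"diffie-hellman-group-exchange-sha1":   true,
}

var kexErr = regexp.MustCompile(`no common algorithm for key exchange; ` +
	`client offered: \[([^\]]*)\], server offered: \[([^\]]*)\]`)

// SampleErr is the error from the question, line-wrapped as a log might show it.
const SampleErr = `couldn't connect SSH: ssh: handshake failed: ssh: no common algorithm
for key exchange; client offered: [curve25519-sha256@libssh.org ecdh-sha2-nistp256
ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group14-sha1 diffie-hellman-group1-sha1],
server offered: [diffie-hellman-group-exchange-sha256 diffie-hellman-group-exchange-sha1].`

// DiagnoseKex splits the server's offers into those the insecure flag would
// enable (needFlag) and those it would not (uncovered).
func DiagnoseKex(msg string) (needFlag, uncovered []string, err error) {
	// Collapse line wrapping before matching.
	m := kexErr.FindStringSubmatch(strings.Join(strings.Fields(msg), " "))
	if m == nil {
		return nil, nil, fmt.Errorf("not a key exchange mismatch error")
	}
	client := map[string]bool{}
	for _, a := range strings.Fields(m[1]) {
		client[a] = true
	}
	for _, a := range strings.Fields(m[2]) {
		switch {
		case client[a]: // already negotiable; should not occur in this error
		case insecureOptIn[a]:
			needFlag = append(needFlag, a)
		default:
			uncovered = append(uncovered, a)
		}
	}
	return needFlag, uncovered, nil
}

func main() {
	fmt.Println(DiagnoseKex(SampleErr))
}
```

If `uncovered` is the only non-empty list, enabling the flag will not make the handshake succeed, and the server's key exchange configuration is what has to change.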