
Net::SSH::Exception: could not settle on encryption_client algorithm

Thomas Eisenbarth
Software engineer at makandra GmbH
December 14, 2016

TL;DR: Update the 'net-ssh' gem by adding to your Gemfile:

gem 'net-ssh', '=2.9.1'

Now run bundle update net-ssh. It has no dependencies so it shouldn't update other gems.

If you're using Ruby 1.8.7 and want to update net-ssh to a version > 2.9.1, you also need to add this to your Gemfile:

gem 'backports', :require => false

... and in your deploy.rb add this:

require 'backports/1.9.2/array/select' 

Background

You probably have an older version of Capistrano and therefore an older version of net-ssh, which Capistrano uses to connect to your remote servers. From time to time, ciphers used by SSH are removed (on servers) because of weak security or vulnerabilities in the underlying algorithms.

If an old SSH client tries to connect using such an old cipher, you will see an error like this on your server:

fatal: Unable to negotiate with 1.2.3.4 port 52296: no matching cipher found. Their offer: aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-cbc,aes128-cbc,arcfour128,arcfour,3des-cbc,none [preauth]

You'll need a client that offers newer, secure ciphers to your server to connect. Therefore, update your client or client library!
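
To check a log line like the one above against a server's configuration, the following Ruby script (an added example, not part of the original card or of net-ssh) parses the sshd message and applies the SSH selection rule from RFC 4253, section 7.1. The server cipher list and the updated client offer are constructed sample values, and all function names are hypothetical.

```ruby
# sshd log line as quoted in the card.
LOG_LINE = 'fatal: Unable to negotiate with 1.2.3.4 port 52296: ' \
           'no matching cipher found. Their offer: aes256-cbc,' \
           'rijndael-cbc@lysator.liu.se,aes192-cbc,aes128-cbc,' \
           'arcfour128,arcfour,3des-cbc,none [preauth]'

# Constructed server cipher list in the "ciphers a,b,c" form printed by `sshd -T`.
SSHD_T_LINE = 'ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr'

# Constructed offer standing in for an updated client library.
NEW_OFFER = %w[aes256-ctr aes192-ctr aes128-ctr aes256-cbc 3des-cbc].freeze

NEGOTIATION_RE = /Unable to negotiate with (\S+) port (\d+): no matching (.+?) found\. Their offer: (\S+)/

# Returns peer, port, failed algorithm class and offered names, or nil
# when the line is not a negotiation failure.
def parse_negotiation_failure(line)
  m = NEGOTIATION_RE.match(line)
  return nil unless m

  { peer: m[1], port: m[2].to_i, kind: m[3], offer: m[4].split(',') }
end

# Returns the server's cipher names, or [] if the line is not a "ciphers" line.
def parse_server_ciphers(line)
  key, list = line.strip.split(/\s+/, 2)
  key == 'ciphers' && list ? list.split(',') : []
end

# RFC 4253 section 7.1: the first name on the client's list that the
# server also supports is chosen; nil means the connection is refused.
def negotiate(client_offer, server_supported)
  client_offer.find { |name| server_supported.include?(name) }
end

# Explains one log line against the server's configured ciphers.
def diagnose(log_line, server_line)
  failure = parse_negotiation_failure(log_line)
  return nil unless failure

  server = parse_server_ciphers(server_line)
  failure.merge(server: server, chosen: negotiate(failure[:offer], server))
end

if __FILE__ == $PROGRAM_NAME
  result = diagnose(LOG_LINE, SSHD_T_LINE)
  puts "#{result[:peer]} offered #{result[:offer].length} #{result[:kind]}s, chosen: #{result[:chosen].inspect}"
  puts "updated offer negotiates: #{negotiate(NEW_OFFER, result[:server])}"
end
```

Replace SSHD_T_LINE with the `ciphers` line from your own server to see which client offers it would accept.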

Posted by Thomas Eisenbarth to makandra dev (2016-12-14 15:43)