Bug #64802 Missing AES-128-CBC cipher in outdated paramiko causes cannot open SSH tunnel
Submitted: 29 Mar 2012 15:45
Modified: 27 Dec 2012 21:43
Reporter: Mike H
Status: Closed
Category: MySQL Workbench
Severity: S2 (Serious)
Version: 5.2.38 (8753)
OS: Mac OS X
Assigned to:
CPU Architecture: Any
Tags: Contribution, macos, ssh

[29 Mar 2012 15:45] Mike H
MySQL Workbench fails to connect with TCP/IP over SSH and displays the following error...

Cannot open SSH Tunnel: Error connecting SSH tunnel: No existing session

This error is masking the following error from paramiko/pkey.py

SSHException('Unknown private key cipher "AES-128-CBC"',)

OpenSSL private keys generated with a passphrase on MacOS via ssh-keygen use an AES-128-CBC cipher block:

Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC

Normally this would be resolved by paramiko trying SSH agent keys... EXCEPT when you have many keys and the server responds with Too many authentication failures after MaxAuthTries.

E.g. some connections work... others fail depending on the order of the keys provided by the agent, i.e. the order in known_hosts

To resolve this... please add the cipher table entry and imports for AES-128-CBC to the bundled version of paramiko/pkey.py

How to repeat:
Set up at least 7 connections via TCP/IP over SSH that use private keys with passphrases generated on MacOS using ssh-keygen

i.e. more than the MaxAuthTries

The last connection added will fail to connect in MySQL Workbench with:

Cannot open SSH Tunnel: Error connecting SSH tunnel: No existing session

Suggested fix:
The bundled version of paramiko/pkey.py should be updated to support OpenSSL keys with the following changes...

-from Crypto.Cipher import DES3
+from Crypto.Cipher import DES3, AES

     # known encryption types for private key files:
     _CIPHER_TABLE = {
+        'AES-128-CBC': { 'cipher': AES, 'keysize': 16, 'blocksize': 16, 'mode': AES.MODE_CBC },
         'DES-EDE3-CBC': { 'cipher': DES3, 'keysize': 24, 'blocksize': 8, 'mode': DES3.MODE_CBC }
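Review bot: the _CIPHER_TABLE addition registers only 'AES-128-CBC', so a key whose DEK-Info line names any other cipher still ends in the same 'Unknown private key cipher' exception. If other AES key sizes should be accepted, add them in the same form (keysize 24 or 32, blocksize 16, AES.MODE_CBC). Separately, the patch leaves the symptom from the report untouched: the SSHException text is still hidden behind "No existing session", so passing the underlying message through to the user would make the next unsupported cipher diagnosable without reading pkey.py.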
[29 Mar 2012 15:52] Mike H
Full commit for openssl keys support in paramiko is here...

[29 Mar 2012 18:05] Valeriy Kravchuk
Thank you for the problem report and patch.
[11 Jul 2012 11:01] Mike H
Hi, when will this be fixed?

Still not in 5.2.40 (8790)...
[27 Dec 2012 21:43] Philip Olson
Fixed as of MySQL Workbench 5.2.45, and here's the changelog entry:

Having multiple connections with TCP/IP over SSH could cause MySQL Workbench
to not connect when exceeding "MaxAuthTries". This may happen if an
encryption type is unknown. The bundled "paramiko" library (on Mac OS X,
and Windows) was updated to version, which helps solve this
problem, as it adds known support for OpenSSL keys.

Thank you for the bug report.
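A way to check which private keys would hit the "Unknown private key cipher" error described in the report, as an added example (not code from the report, paramiko or MySQL Workbench). It reads the Proc-Type and DEK-Info headers of a traditional PEM key and compares the cipher with the table before and after the suggested fix; the function names are hypothetical and the sample key text is constructed.

```python
import re

# Cipher tables mirroring the suggested fix: name -> (keysize, blocksize).
PRE_PATCH = {"DES-EDE3-CBC": (24, 8)}
PATCHED = dict(PRE_PATCH, **{"AES-128-CBC": (16, 16)})

def pem_encryption(pem_text):
    """Return (cipher, iv_bytes) for an encrypted traditional PEM key,
    or None when there is no 'Proc-Type: 4,ENCRYPTED' header."""
    lines = iter(pem_text.strip().splitlines())
    first = next(lines, "").strip()
    if not re.match(r"-----BEGIN [A-Z ]*PRIVATE KEY-----$", first):
        raise ValueError("not a PEM private key")
    headers = {}
    for line in lines:
        if ":" not in line:  # blank line or base64 body ends the headers
            break
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    if headers.get("Proc-Type") != "4,ENCRYPTED":
        return None
    if "DEK-Info" not in headers:
        raise ValueError("encrypted key without DEK-Info header")
    cipher, _, iv_hex = headers["DEK-Info"].partition(",")
    return cipher.strip(), bytes.fromhex(iv_hex.strip())

def check_key(pem_text, table):
    """Classify a key against a cipher table: 'unencrypted', 'supported',
    'unknown-cipher', or 'bad-iv' (IV length differs from block size)."""
    enc = pem_encryption(pem_text)
    if enc is None:
        return "unencrypted"
    cipher, iv = enc
    if cipher not in table:
        return "unknown-cipher"
    return "supported" if len(iv) == table[cipher][1] else "bad-iv"

# Constructed sample: the IV and body are made up, this is not a real key.
SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

Q09OU1RSVUNURUQgU0FNUExFIEJPRFk=
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for label, table in (("pre-patch", PRE_PATCH), ("patched", PATCHED)):
        print(label, check_key(SAMPLE, table))
```

Running `check_key` over each key file configured for a connection shows in advance which ones an old bundled table would reject and leave to the SSH agent.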