Bug #74658 Workbench cant establish ssh tunnel if the host is running Openssh 6.7 or newer
Submitted: 1 Nov 2014 15:14 Modified: 17 Oct 2015 22:02
Reporter: sam maier Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Workbench Severity:S2 (Serious)
Version:6.2.5 and lower (and higher) OS:Any (both Mac & Windows)
Assigned to: CPU Architecture:Any
Tags: Openssh6.7

[1 Nov 2014 15:14] sam maier 
Description:
If you try to connect to mysql TCP/IP over ssh to a host that is running openssh 6.7, the connection will fail with the following error message:

MAC OS 10.9:

15:31:29 [INF][     SSH tunnel]: Starting tunnel
15:31:30 [INF][     SSH tunnel]: Existing SSH tunnel not found, opening new one
15:31:42 [INF][     SSH tunnel]: Opening SSH tunnel to X.X.X.X:22
16:03:11 [INF][     SSH tunnel]: Existing SSH tunnel not found, opening new one
16:03:18 [INF][     SSH tunnel]: Opening SSH tunnel to X.X.X.X:22
16:03:19 [INF][     SSH tunnel]: TunnelManager.wait_connection authentication error: Authentication error, unhandled exception caught in tunnel manager, please refer to logs for details
16:03:19 [ERR][     SSH tunnel]: Authentication error opening SSH tunnel: Authentication error, unhandled exception caught in tunnel manager, please refer to logs for details
16:03:19 [ERR][sshtunnel.py:notify_exception_error:233]: Traceback (most recent call last):
  File "/Applications/MySQLWorkbench.app/Contents/Resources/sshtunnel.py", line 265, in _connect_ssh
    look_for_keys=has_key, allow_agent=has_key)
  File "/Applications/MySQLWorkbench.app/Contents/Resources/libraries/paramiko/client.py", line 301, in connect
    t.start_client()
  File "/Applications/MySQLWorkbench.app/Contents/Resources/libraries/paramiko/transport.py", line 461, in start_client
    raise e
SSHException: Incompatible ssh peer (no acceptable kex algorithm)

16:03:21 [INF][      WBContext]: Connection to HelleWolke cancelled by user: Tunnel connection cancelled

Windows 8.1:

15:50:54 [DB1][sshtunnel.py:wait_connection:446]: INFO: Connecting to SSH server at X.X.X.X:22...
15:50:54 [WRN][sshtunnel.py:_connect_ssh:259]: IOError, probably caused by file C:\Users\XXXX\AppData\Roaming\MySQL\Workbench\ssh\known_hosts not found, the message was: [Errno 2] No such file or directory: u'C:\\Users\\XXXXX\\AppData\\Roaming\\MySQL\\Workbench\\ssh\\known_hosts'
15:50:54 [DB1][            grt]: No handlers could be found for logger "paramiko.transport"
15:50:54 [DB2][sshtunnel.py:notify:228]: tunnel_54756: ERROR Authentication error, unhandled exception caught in tunnel manager, please refer to logs for details
15:50:54 [ERR][sshtunnel.py:notify_exception_error:233]: Traceback (most recent call last):
  File "C:\Program Files\MySQL\MySQL Workbench 6.2 CE\sshtunnel.py", line 265, in _connect_ssh
    look_for_keys=has_key, allow_agent=has_key)
  File "C:\Program Files\MySQL\MySQL Workbench 6.2 CE/python/site-packages\paramiko\client.py", line 301, in connect
    t.start_client()
  File "C:\Program Files\MySQL\MySQL Workbench 6.2 CE/python/site-packages\paramiko\transport.py", line 461, in start_client
    raise e
SSHException: Incompatible ssh peer (no acceptable kex algorithm)

15:50:54 [DB1][sshtunnel.py:do_run:225]: Leaving tunnel thread 54756
15:50:54 [DB1][sshtunnel.py:wait_connection:446]: ERROR: Authentication error, unhandled exception caught in tunnel manager, please refer to logs for details
15:50:54 [DB1][sshtunnel.py:wait_connection:454]: returning from wait_connection(54756): Authentication error, unhandled exception caught in tunnel manager, please refer to logs for details
15:50:54 [DB1][     SSH tunnel]: TunnelManager.wait_connection() returned Authentication error, unhandled exception caught in tunnel manager, please refer to logs for details
15:50:54 [INF][     SSH tunnel]: TunnelManager.wait_connection authentication error: Authentication error, unhandled exception caught in tunnel manager, please refer to logs for details
15:50:54 [ERR][     SSH tunnel]: Authentication error opening SSH tunnel: Authentication error, unhandled exception caught in tunnel manager, please refer to logs for details
15:50:54 [DB1][ mforms managed]: Showing an error to the user

How to repeat:
create a new connection, or open an exsiting one,

select contectiontype "Standart TCP/IP over SSH"

enter valid credentials, press test Connection.

Suggested fix:
update to the latest paramiko (1.15)
[4 Nov 2014 16:04] Kevin Andrews 
I can confirm this is happing for me running Fedora 20 once all updates have been applied on a fresh OS install with workbench 6.2.3.12321 64 bit.

A workaround for anyone looking:

sudo yum downgrade python-paramiko

On fedora this produces:

Installing : python-paramiko-1.10.1-2.fc20.noarch                                                                                                                                                            1/2 
  Cleanup    : python-paramiko-1.15.1-1.fc20.noarch                                                                                                                                                            2/2 
  Verifying  : python-paramiko-1.10.1-2.fc20.noarch                                                                                                                                                            1/2 
  Verifying  : python-paramiko-1.15.1-1.fc20.noarch

So downgrading from python-paramiko-1.15.1-1 to 1.10.1-2 enables ssh tunnels to work again, without having to downgrade openssh openssh-clients openssh-server from 6.7 to 5.3.
[4 Nov 2014 23:15] sam maier 
according to this issue https://github.com/paramiko/paramiko/issues/423 this problem should be fixed in version 1.15.1 of paramiko, but im not abel to confirm this atm.
[6 Nov 2014 15:03] Jan Hajeahfff 
The problem seems to be the intrduction of ECDH key exchange algorithms in recent openssh versions.  The (ancient) version of paramiko (1.7.something) that MySQLWorkbench uses internally doen't support this.
Should be easy to fix (by the devs) by updating the internal paramiko version in the Workbench.

As a workaround, you can add the following to your /etc/ssh/sshd_config on the server to disable ECDH (which is not really a nice longterm solution, as there are many reason to use EC over RSA):

 KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
[6 Nov 2014 18:24] Jan Hajeahfff 
And a real fix: 
 - replace the included version of paramiko by a new (HEAD) version from https://github.com/paramiko/paramiko (in case of OSX, it goes into /Applications/MySQLWorkbench.app/Contents/Resources/libraries/paramiko)
 - add the python-ecdsa library from https://github.com/warner/python-ecdsa to the "libraries" dir
 - patch the file wb_admin_ssh.py as follows:

--- ./wb.admin/backend/wb_admin_ssh.py	2014-09-15 18:12:58.000000000 +0200
+++ /Applications/MySQLWorkbench.app/Contents/Resources/plugins/wb_admin_ssh.py	2014-11-06 18:11:30.000000000 +0100
@@ -73,20 +73,22 @@
     import threading
     OPEN_CHANNEL_TIMEOUT = 15

-    def wba_open_channel(self, kind, dest_addr=None, src_addr=None, timeout = None):
+    def wba_open_channel(self, kind, dest_addr=None, src_addr=None, window_size=None, max_packet_size=None):
         chan = None
         if not self.active:
             # don't bother trying to allocate a channel
             return None
         self.lock.acquire()
         try:
+            window_size = self._sanitize_window_size(window_size)
+            max_packet_size = self._sanitize_packet_size(max_packet_size)
             chanid = self._next_channel()
             m = Message()
             m.add_byte(chr(MSG_CHANNEL_OPEN))
             m.add_string(kind)
             m.add_int(chanid)
-            m.add_int(self.window_size)
-            m.add_int(self.max_packet_size)
+            m.add_int(window_size)
+            m.add_int(max_packet_size)
             if (kind == 'forwarded-tcpip') or (kind == 'direct-tcpip'):
                 m.add_string(dest_addr[0])
                 m.add_int(dest_addr[1])
@@ -100,11 +102,10 @@
             self.channel_events[chanid] = event = threading.Event()
             self.channels_seen[chanid] = True
             chan._set_transport(self)
-            chan._set_window(self.window_size, self.max_packet_size)
+            chan._set_window(window_size, max_packet_size)
         finally:
             self.lock.release()
         self._send_user_message(m)
-        ts = time.time() + OPEN_CHANNEL_TIMEOUT if (timeout is None) else timeout
         while True:
             event.wait(0.1);
             if not self.active:

and voila, it works again with recent versions of openssh.
[10 Nov 2014 19:28] MySQL Verification Team 
Thank you for the bug report.
[1 Dec 2014 10:52] MySQL Verification Team 
http://bugs.mysql.com/bug.php?id=75051 marked duplicate of this one.
[1 Dec 2014 12:26] Bart Ducheyne 
I have same problem with ower server, running OpenSSH_6.0p1.

Since the OpenSSH is updated I'm not able to connect anymore with SSH.
I'm using mysql-workbench-community-6.2.4-winx64 and tried some older versions to, but always get same error:

12:00:02 [INF][     SSH tunnel]: Existing SSH tunnel not found, opening new one
12:00:02 [INF][     SSH tunnel]: Opening SSH tunnel to xxxxxxxxxxxxxx:22
12:00:03 [ERR][sshtunnel.py:notify_exception_error:233]: Traceback (most recent call last):
  File "E:\Users\Bart\Desktop\MySQL Workbench 6.1.7 CE\sshtunnel.py", line 265, in _connect_ssh
    look_for_keys=has_key, allow_agent=has_key)
  File "E:\Users\Bart\Desktop\MySQL Workbench 6.1.7 CE/python/site-packages\paramiko\client.py", line 332, in connect
    self._auth(username, password, pkey, key_filenames, allow_agent, look_for_keys)
  File "E:\Users\Bart\Desktop\MySQL Workbench 6.1.7 CE/python/site-packages\paramiko\client.py", line 493, in _auth
    raise saved_exception
AuthenticationException: Authentication failed.

12:00:03 [ERR][     SSH tunnel]: Authentication error opening SSH tunnel: Authentication error. Please check that your username and password are correct and try again.
Details (Original exception message):
Authentication failed, please check credentials.
Please refer to logs for details
[12 Dec 2014 19:46] Daniel McDermott 
I am also unable to use the mysql workbench due to the latest bug with openssh. The suggestion, [6 Nov 18:24] Jan Hajeahfff, did not in fact allow workbench to work correctly. Workbench is broken with ssh connections until it is patched
[13 Jan 2015 1:26] Andrew Bodis 
curious how this is a "non-critical" issue when it seriously impedes ones ability to work with DB's behind SSH?
[13 Jan 2015 12:54] David Lopez Zajara 
I'm agree with the last comments. Workbench is unusable if they cannot connect behind SSH.

Also, confirmed on 6.2.4 version.
Please change severity, or better, fix it. They are a fix on the bug report itself.
[15 Jan 2015 19:57] Brad Richards 
This is an important bug. After updating security on our web servers, they are now unreachable with MySQL Workbench. In order to work with the databases, one must create a potential security breach on the web servers.

Please fix soon!
[15 Jan 2015 21:11] sam maier 
due to the fact that openssh 6.7 is more common now i increased the Severity
[19 Jan 2015 15:41] Mike Reid 
This issue also impacts v6.2.4 of Workbench. Looking forward to the patch.
[3 Feb 2015 20:59] eric pfeiffer 
I followed the instructions from [6 Nov 2014 18:24] Jan Hajeahfff

However being on an ubuntu/14.04-based linux distribution i modified the steps as following:
   
 - installed newer version of mysql-connector-python, mysql-utilities & mysql-workbench (v6.2.4) from MySQL download page (debian packages)
 - installed newer version of python-paramiko from http://security.ubuntu.com/ubuntu/pool/main/p/paramiko/python-paramiko_1.15.1-1_all.deb (no dependency issues) 
 - installed newer version of python-ecdsa from http://security.ubuntu.com/ubuntu/pool/main/p/python-ecdsa/python-ecdsa_0.11-1_all.deb

 - patch the file wb_admin_ssh.py as follows:

--- /usr/lib/mysql-workbench/modules/wb_admin_ssh.bak	2015-02-03 21:24:30.964389491 +0100
+++ /usr/lib/mysql-workbench/modules/wb_admin_ssh.py	2015-02-03 21:39:30.876408619 +0100
@@ -73,7 +73,7 @@
     import threading
     OPEN_CHANNEL_TIMEOUT = 15
 
-    def wba_open_channel(self, kind, dest_addr=None, src_addr=None, timeout = None):
+    def wba_open_channel(self, kind, dest_addr=None, src_addr=None, window_size=None, max_packet_size=None):
         chan = None
         if not self.active:
             # don't bother trying to allocate a channel
@@ -88,6 +88,11 @@
             if (server_version_str2tuple(paramiko.__version__) <= (1, 14, 99)):
                 m.add_int(self.window_size)
                 m.add_int(self.max_packet_size)
+            elif
+                window_size = self._sanitize_window_size(window_size)
+                max_packet_size = self._sanitize_packet_size(max_packet_size)
+                m.add_int(window_size)
+                m.add_int(max_packet_size)
             if (kind == 'forwarded-tcpip') or (kind == 'direct-tcpip'):
                 m.add_string(dest_addr[0])
                 m.add_int(dest_addr[1])
@@ -103,10 +108,13 @@
             chan._set_transport(self)
             if (server_version_str2tuple(paramiko.__version__) <= (1, 14, 99)):
                 chan._set_window(self.window_size, self.max_packet_size)
+            elif
+                chan._set_window(window_size, max_packet_size)
         finally:
             self.lock.release()
         self._send_user_message(m)
-        ts = time.time() + OPEN_CHANNEL_TIMEOUT if (timeout is None) else timeout
+        if (server_version_str2tuple(paramiko.__version__) <= (1, 14, 99)):
+            ts = time.time() + OPEN_CHANNEL_TIMEOUT
         while True:
             event.wait(0.1);
             if not self.active:
[3 Feb 2015 21:32] eric pfeiffer 
I just realized that the given patch removes all server administration functions, so should not be considered a patch unless you don't need them. However, it enables normal queries.
[3 Feb 2015 23:10] eric pfeiffer 
Finally that one actually works on v6.2.4

Attachment: wb_admin_ssh.patch (text/x-patch), 1.62 KiB.
[22 Feb 2015 14:09] Ruediger Hahn 
Will there be a fix for the Windows version? 

Or is it possible in Windows to patch an compile the modules files?
[5 Mar 2015 3:06] Dave Whitla 
Is there any timeline for a fix after 4 months?

Thanks
[9 Mar 2015 11:28] David Lopez Zajara 
Bug confirmed on 6.2.5. Please update.

Also, if they are a fix, and that's a important bug, why isn't updated the library on the new version?

I have about 5 remote servers with MySQL, and I can only connect to one of them. The app is really unusable now because of this.
[9 Mar 2015 11:33] David Lopez Zajara 
Confirmed on development version 6.3.1 beta.
[10 Mar 2015 19:15] sam maier 
updated the version number after testing to the current stable 6.2.5.
hope it helps
[19 Apr 2015 15:01] Ruediger Hahn 
I can confirm this bug for development version 6.3.2.0 build 444.

Will this ever be fixed? Is even any responsible person reading this?

Who has this bug to be assigned to?
[27 Apr 2015 23:14] MySQL Verification Team 
http://bugs.mysql.com/bug.php?id=76857 marked as duplicate of this one.
[28 Apr 2015 11:58] David Lopez Zajara 
When will this bug be resolved? Now with the update of Debian 8 Stable there's more distributions with SSH 6.7.

This bug it's a bit old, please do something with it. There's no workaround for working with remote mysql servers without SSH (At least, if you are a system administrator and know something of security).
[2 May 2015 23:43] David Brown 
Aargh... this bug just bit me on a new Ubuntu 15.04 server. Thanks, Jan Hajeahfff for the workaround; agree that it's not very nice to have to do this.
[3 May 2015 22:52] NOT_FOUND NOT_FOUND 
Hi guys

This problem seems to be solved in paramiko 1.15. Please can you implement that correction.
[3 May 2015 22:59] NOT_FOUND NOT_FOUND 
Hi guys

Acording to the paramiko github repositoire (issue 423) This problem is caused by OpenSSH 6.7 

https://github.com/paramiko/paramiko/issues/423

Also, this problem seems to be solved in paramiko 1.15.1 and following versions.

Please can you implement that correction.

Cheers
[6 May 2015 17:19] David Lopez Zajara 
Confirmed on the new GA version, 6.3.3.0 build 592.

When will be resolved? These bug are reported since more than 6 months ago.
[29 May 2015 5:48] Mike H 
You can install the latest versions of the following:

- paramiko from https://github.com/paramiko/paramiko
- ecdsa from https://pypi.python.org/pypi/ecdsa

On OS X copy paramiko and ecdsa libraries to:

/Applications/MySQLWorkbench.app/Contents/Resources/libraries

Tested on OS X 10.10.4 (14E26a) with MySQL Workbench 6.3.3.0 (592) against Debian 8 Jessie with OpenSSH 6.7
[3 Jun 2015 8:50] Fer Llings 
> [29 May 5:48] Mike Hadrup
> On OS X copy paramiko and ecdsa libraries to:
> /Applications/MySQLWorkbench.app/Contents/Resources/libraries

It does not work:

[WRN][wb_admin_ssh.py:<module>:156]: Paramiko unavailable.

Did I forgot something?
[3 Jun 2015 9:26] Mike H 
On OS X try the following:

- download zip from https://github.com/paramiko/paramiko and unzip
- copy paramiko from paramiko-master to /Applications/MySQLWorkbench.app/Contents/Resources/libraries (replace existing)
- download ecdsa-0.13.tar.gz from https://pypi.python.org/pypi/ecdsa#downloads and unzip
- copy ecdsa from ecdsa-0.13 to /Applications/MySQLWorkbench.app/Contents/Resources/libraries
[3 Jun 2015 13:45] Fer Llings 
Thanks, It's working now.

So do not remove the full paramiko folder. Only replace the existing files.
[3 Jun 2015 14:45] Mike H 
> So do not remove the full paramiko folder. Only replace the existing files.

Not really... you are replacing the full paramiko library with the copy from paramiko-master.
[3 Jun 2015 15:27] Mike H 
Also tested on Windows 10 64 bit with MySQL Workbench 6.3.3.0 (592) msi and noinstall against Debian 8 Jessie with OpenSSH 6.7

- download zip from https://github.com/paramiko/paramiko and unzip
- copy paramiko from paramiko-master to python/site-packages/ (replace existing paramiko)
- download ecdsa-0.13.tar.gz from https://pypi.python.org/pypi/ecdsa#downloads and unzip
- copy ecdsa from ecdsa-0.13 to python/site-packages/

You can use 7zip from http://www.7-zip.org/ for the ecdsa-0.13.tar.gz gizpped tar archive.

Note: Visual C++ Redistributable Packages for Visual Studio 2013 is required on Windows 10 from: https://www.microsoft.com/en-us/download/details.aspx?id=40784
[3 Jun 2015 15:38] Mike H 
Please see feature request: http://bugs.mysql.com/bug.php?id=77235
[3 Jun 2015 18:58] Ano Nymous 
On Windows, follow Mike Hadrup's solution:

> [3 Jun 9:26] Mike Hadrup
> On OS X try the following:
>
> - download zip from https://github.com/paramiko/paramiko and unzip
> - copy paramiko from paramiko-master to 
> /Applications/MySQLWorkbench.app/Contents/Resources/libraries (replace existing)
> - download ecdsa-0.13.tar.gz from https://pypi.python.org/pypi/ecdsa#downloads and unzip
> - copy ecdsa from ecdsa-0.13 to /Applications/MySQLWorkbench.app/Contents/Resources/libraries

just instead of /Applications/MySQLWorkbench.app/Contents/Resources/libraries use c:\Program Files\MySQL\MySQL Workbench 6.3 CE\python\site-packages\ folder ;)
Tested working on MySQL Workbench v. 6.3.3.0 build 592 (64b) on Windows 8.1 64b.
[5 Jun 2015 17:52] David Lopez Zajara 
These fix doesn't work (At least, on Windows 7). The log are:

19:49:57 [INF][     SSH tunnel]: Starting tunnel
19:49:57 [ERR][         python]: Error running file C:\Program Files\MySQL\MySQL Workbench 6.3 CE\sshtunnel.py
19:49:57 [WRN][               ]: Tunnel manager could not be executed
19:49:57 [ERR][      SqlEditor]: SQL editor could not be connected: Cannot start SSH tunnel manager
19:49:57 [ERR][      SqlEditor]: Your connection attempt failed for user 'user' from your host to server at x.x.x.x:xxxx:
  Cannot start SSH tunnel manager

Also, I cannot apply the patch for wb_admin_ssh.py provided on this thread, because the version of this file on WB 6.3 have changed a lot.
[5 Jun 2015 17:55] Mike H 
My windows instructions above work on Windows 7.
[5 Jun 2015 18:10] David Lopez Zajara 
Ok... that's my fault. I haven't extracted correctly ecdsa.

Thanks,
[10 Jun 2015 4:30] Dmitry Brant 
The above workarounds haven't worked for me (Windows 7 64-bit)...
Still getting this error:

00:25:28 [ERR][sshtunnel.py:notify_exception_error:233]: Traceback (most recent call last):
  File "C:\Program Files\MySQL\MySQL Workbench 6.3 CE\sshtunnel.py", line 297, in _connect_ssh
    look_for_keys=has_key, allow_agent=has_key)
  File "C:\Program Files\MySQL\MySQL Workbench 6.3 CE/python/site-packages\paramiko\client.py", line 324, in connect
    t.start_client()
  File "C:\Program Files\MySQL\MySQL Workbench 6.3 CE/python/site-packages\paramiko\transport.py", line 406, in start_client
    raise e
SSHException: Incompatible ssh peer (no acceptable kex algorithm)
[10 Jun 2015 23:16] Mike H 
Check again as they do work... you're probably missing ecdsa
[11 Jun 2015 0:10] Dmitry Brant 
I've checked and double-checked that I copied both the latest paramiko and ecdsa into site-packages. The error still hasn't changed. :(
[11 Jun 2015 0:12] Mike H 
What are you connecting to?
[11 Jun 2015 0:35] Dmitry Brant 
A mysql server through an ssh tunnel. It's working just fine over ssh in a console. The server is using OpenSSH_5.9p1 Debian-5ubuntu1.4.
[11 Jun 2015 2:24] Mike H 
This issue is about OpenSSH 6.7 or newer.
[11 Jun 2015 3:33] Dmitry Brant 
Ah, gotcha. I ended up solving the issue by using an as-yet-unmerged pull request for paramiko:
https://github.com/zamiam69/paramiko/tree/add_sha2_support
[14 Jun 2015 11:24] Rob Fle 
Same Problem Server SSH version OpenSSH_6.6.1p1 Ubuntu server
Thought initially was a key verification failure since I recently formatted and updated the server. Then Found this thread Fix for me was:

As noted above was to replace the paramiko with this one the https://github.com/zamiam69/paramiko/tree/add_sha2_support

The one https://github.com/paramiko/paramiko  did not work for me but the above version did. 

Tested on Mac OSX 10.10.3
[3 Jul 2015 23:33] MySQL Verification Team 
http://bugs.mysql.com/bug.php?id=77614 marked as duplicate of this one.
[13 Jul 2015 14:03] Alexander Wiedergold 
Open as root file: /etc/ssh/sshd_config 
Add on End of file line: 

KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 

Save file

Restart sshd.service with command: 
# /bin/systemctl restart sshd.service
[13 Jul 2015 14:48] David Lopez Zajara 
Changing ssh security parameters isn't a bug solution...
Also, if they're available a fix since some months ago, why they doesn't use it?

On 6.3 version, paramiko libs are changed, but, with another invalid version for connection to newer ssh daemons. Why they update the library to an older version?

I think, the developer team needs to face this bug with more priority, because, at this moment, this isn't something who affects to a few persons. I can tell, these problem are very serious, any linux administrator with some concerns about security close the mysql port to everyone, and, lot of servers are remotely administrated.
[16 Jul 2015 1:04] David Glasser 
Confirmed broken on 6.3.4.0 build 828. What a frustrating bug!
[23 Jul 2015 15:27] Monte Ohrt 
Confirmed bug on OSX, workbench version 6.3.4 build 828. I tried upgrading paramiko to 1.15.2 and adding ecdsa 0.13, but to no avail. Also tried patching the wb_admin_ssh.py but patch did not line up. Patched manually. Same errors:

09:51:30 [ERR][sshtunnel.py:notify_exception_error:233]: Traceback (most recent call last):
  File "/Applications/MySQLWorkbench.app/Contents/Resources/sshtunnel.py", line 298, in _connect_ssh
    look_for_keys=has_key, allow_agent=has_key)
  File "/Applications/MySQLWorkbench.app/Contents/Resources/libraries/paramiko/client.py", line 301, in connect
    key_filenames = [key_filename]
  File "/Applications/MySQLWorkbench.app/Contents/Resources/libraries/paramiko/transport.py", line 461, in start_client
    return
SSHException: Incompatible ssh peer (no acceptable kex algorithm)
[31 Jul 2015 0:34] MySQL Verification Team 
http://bugs.mysql.com/bug.php?id=77893 marked as duplicate of this one.
[31 Jul 2015 5:08] Alexandr B 
client:
Ubuntu 15.04
python-paramiko 1.15.1-1
Workbench 6.3.4.0 build 828

server1, sever2 (debian): openssh-server 6.0p1-4+deb7u2

I can connect through ssh to server1 and then connect to mysql server on the server2, but i can't connect though ssh to server2 and then connect to mysql at localhost.

------------

server3 (debian): openssh-server 6.7p1-5
i can connect through ssh to server3 and then connect to mysql at localhost successfully from linux but not windows.

I've added this line to sshd_config at server3 and it makes the trick for me for windows.

KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
[7 Aug 2015 22:56] Tom Slominski 
I've experienced this issue, too. I didn't manage to fix MySQL Workbench itself on my Mac, but if you create an independent SSH tunnel in the terminal like so (replace username, server and maybe the second server and last port as needed):

ssh username@server -L 3307:localhost:3306 -N

Then, you can simply use MySQL Workbench to connect to a local MySQL server at port 3307, with the username and password for the remote MySQL server. Simple enough, but I didn't think of it until after I wasted a lot of time on this issue...
[17 Oct 2015 22:02] Philip Olson 
Posted by developer:
 
Fixed as of the upcoming MySQL Workbench 6.3.5 release, and here's the changelog entry:

The bundled SSH library (paramiko) was not capable of supporting the
key exchange algorithm (ecdsa) added in OpenSSL 6.7.

Thank you for the bug report.
[22 Oct 2015 18:19] Mike Reid 
NOTE that the bundled version of paramiko in v6.3.5 still does _not_ allow connecting to some hardened SSH connections requiring sha256 based hmac/kex:

e.g.

KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256

Ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

While it has not been merged upstream to the master paramiko project yet, the proposed sha256 support patches below correct the issue:

https://github.com/paramiko/paramiko/pull/356/files
[25 Oct 2015 16:46] fred flint 
6.3.5 32bit does appear to work with putty keys on 64bit windows. Thanks.

However, 6.3.5 64bit does not work on 64bit Windows.
[7 Jan 2016 11:48] Neil Skilling 
Is this issue resolved for Mac OS X? I am still seeing the same issue on Mac OS X 10.11.2 and Community 6.3.5 build 201 64 bits. 

This is following a complete removal of previous versions and deleting the directory under Application Support completely. 

Where are the relevant log files on Mac?
[7 Jan 2016 12:41] Jan Hajeahfff 
I'm also still having this issue on linux in version 6.3.6-1ubu1510
[7 Jan 2016 13:29] Tom Slominski 
Just updated from 6.3.4 to 6.3.6 (build 511 CE 64 bits) and I'm still getting (what I think is) the same issue.

Here's my log from ~username/Library/Application Support/MySQL/Workbench/log/wb.log after attempting to connect to the server:

13:24:46 [INF][     SSH tunnel]: Existing SSH tunnel not found, opening new one
13:24:51 [INF][     SSH tunnel]: Opening SSH tunnel to [server IP and port]
13:24:53 [ERR][sshtunnel.py:notify_exception_error:233]: Traceback (most recent call last):
  File "/Applications/MySQLWorkbench.app/Contents/Resources/sshtunnel.py", line 298, in _connect_ssh
    look_for_keys=has_key, allow_agent=has_key)
  File "/Applications/MySQLWorkbench.app/Contents/Resources/libraries/paramiko/client.py", line 307, in connect
    look_for_keys, gss_auth, gss_kex, gss_deleg_creds, gss_host)
  File "/Applications/MySQLWorkbench.app/Contents/Resources/libraries/paramiko/client.py", line 519, in _auth
    raise saved_exception
AuthenticationException: Authentication failed.

13:24:54 [ERR][     SSH tunnel]: Authentication error opening SSH tunnel: Authentication error. Please check that your username and password are correct and try again.
Details (Original exception message):
Authentication failed, please check credentials.
Please refer to logs for details

Not sure if the logs indicate that this is the same issue, but I know the password is correct, as it works when I connect through a manual SSH tunnel (I think instructions for this have already been posted here).
[7 Jan 2016 14:14] Neil Skilling 
I suspect that this problem is caused by my switching from mac ports to home brew which has installed openssl. 

I will ty uninstall the brew openssl and use the default Mac installed version.

I have tried installing MySQL Workbench using home-brew as well but that hasn't made any difference. 

Neil
[7 Jan 2016 14:21] Neil Skilling 
Now I have found the log files and using the brew installed version of 6.3.6. it looks like this is still a paramiko issue with ecdsa-sha2-nistp256 - I will try updating the paramiko version. 

13:09:25 [INF][     SSH tunnel]: Starting tunnel
13:09:25 [INF][     SSH tunnel]: Existing SSH tunnel not found, opening new one
13:09:25 [INF][     SSH tunnel]: Opening SSH tunnel to host
13:09:25 [ERR][sshtunnel.py:notify_exception_error:233]: Traceback (most recent call last):
  File "/opt/homebrew-cask/Caskroom/mysqlworkbench/6.3.6/MySQLWorkbench.app/Contents/Resources/sshtunnel.py", line 286, in _connect_ssh
    self._client.load_host_keys(os.path.expanduser(ssh_known_hosts_file))
  File "/opt/homebrew-cask/Caskroom/mysqlworkbench/6.3.6/MySQLWorkbench.app/Contents/Resources/libraries/paramiko/client.py", line 121, in load_host_keys
    self._host_keys.load(filename)
  File "/opt/homebrew-cask/Caskroom/mysqlworkbench/6.3.6/MySQLWorkbench.app/Contents/Resources/libraries/paramiko/hostkeys.py", line 99, in load
    e = HostKeyEntry.from_line(line, lineno)
  File "/opt/homebrew-cask/Caskroom/mysqlworkbench/6.3.6/MySQLWorkbench.app/Contents/Resources/libraries/paramiko/hostkeys.py", line 337, in from_line
    raise InvalidHostKey(line, e)
InvalidHostKey: (' xxxxxxx ecdsa-sha2-nistp256 , Error('Incorrect padding',))

13:09:25 [INF][     SSH tunnel]: TunnelManager.wait_connection authentication error: Authentication error, unhandled exception caught in tunnel manager, please refer to logs for details
13:09:25 [ERR][     SSH tunnel]: Authentication error opening SSH tunnel: Authentication error, unhandled exception caught in tunnel manager, please refer to logs for details
[9 May 2016 19:48] person persons last name 
Hello,

can anyone upload the patched version of "wb_admin_ssh.py"? (for windows)
I cannot figure out hot to patch it myself!

Thank you!
[12 May 2016 11:35] Marcin Szalowicz 
MySQL Workbench 6.3.7 will come with Paramiko 1.16.0 that has got support for more Ciphers.

In any case you can always try to use the latest Paramiko version which is described here:
http://mysqlworkbench.org/2015/03/paramiko-update-tutorial/
[19 May 2016 1:06] Yan WHK 
Same problem with MySQL Workbench Community 6.3.6. 

3 Years with same bug. Oracle sucks.
[23 May 2016 22:42] Yan WHK 
The solution for me:

1. Clone paramiko
2. Copy paramiko folder to MySQL Workbench folder

In Ubuntu:

    sudo apt-get install mysql-workbench
    sudo su
    mkdir /root/workspace && cd /root/workspace
    git clone https://github.com/paramiko/paramiko.git
    mv /usr/lib/mysql-workbench/modules/paramiko /usr/lib/mysql-workbench/modules/paramiko_old
    cp -r /root/workspace/paramiko/paramiko /usr/lib/mysql-workbench/modules/paramiko
    rm -rf /root/workspace/paramiko

Works in all MySQL Workbench versions.

The problem is MySQL Workbench embebed old paramiko version without support to openssh >= 6.7.