Bug #84717 SSH Connection error
Submitted: 30 Jan 2017 11:04
Modified: 4 Jan 2019 13:49
Reporter: Howard Nodine
Status: Won't fix
Category: MySQL Workbench
Severity: S2 (Serious)
Version: 6.3.8
OS: Linux (CentOS Linux release 7.3.1611 Core)
Assigned to:
CPU Architecture: Any
Tags: WBBugReporter

[30 Jan 2017 11:04] Howard Nodine
Description:
After a recent update, Workbench fails to connect to remote hosts over an SSH tunnel. This seems to be due to the way that paramiko requires certain parameters for certain types of encryption. (Specifically, AES based ciphers.) 

How to repeat:
Attempt to connect to a remote host using a Standard TCP/IP over SSH connection. 
If the server suggests an AES based cipher, the connection will fail. The error in the logs is:
[ERR][sshtunnel.py:notify_exception_error:234]: Traceback (most recent call last):
  File "/usr/share/mysql-workbench/sshtunnel.py", line 302, in _connect_ssh
    look_for_keys=has_key, allow_agent=has_key)
  File "/usr/lib/python2.7/site-packages/paramiko/client.py", line 338, in connect
    t.start_client()
  File "/usr/lib/python2.7/site-packages/paramiko/transport.py", line 492, in start_client
    raise e
ValueError: CTR mode needs counter parameter, not IV

Suggested fix:
A quick fix is to change the default cipher on the target machine's SSH server (blowfish-cbc works nicely). I think this is actually a problem that is caused by a change in the behavior of the python paramiko library, though. I marked the bug as serious since I believe many distributions have AES ciphers as the defaults for SSHD.
[31 Jan 2017 12:32] MySQL Verification Team
Please provide the output of:

yum info python2-crypto

Thanks.
[31 Jan 2017 13:06] Howard Nodine
Installed Packages
Name        : python2-crypto
Arch        : x86_64
Version     : 2.6.1
Release     : 13.el7
Size        : 2.2 M
Repo        : installed
From repo   : epel-testing
Summary     : Cryptography library for Python 2
URL         : http://www.pycrypto.org/
License     : Public Domain and Python
Description : PyCrypto is a collection of both secure hash functions (such as MD5 and
            : SHA), and various encryption algorithms (AES, DES, RSA, ElGamal, etc.).
            : 
            : This is the Python 2 build of the package.
[2 Feb 2017 12:28] MySQL Verification Team
Thank you for the feedback. As a workaround, please try switching python2-crypto from the epel-testing build to the epel one. Thanks.
[6 Feb 2017 16:25] David Wasson
I get the same error and have the package installed from epel repo.

Output of yum info python2-crypto:
Name        : python2-crypto
Arch        : x86_64
Version     : 2.6.1
Release     : 13.el7
Size        : 2.2 M
Repo        : installed
From repo   : epel
Summary     : Cryptography library for Python 2
URL         : http://www.pycrypto.org/
License     : Public Domain and Python
Description : PyCrypto is a collection of both secure hash functions (such as
            : MD5 and SHA), and various encryption algorithms (AES, DES, RSA,
            : ElGamal, etc.).
            : 
            : This is the Python 2 build of the package.
[16 Feb 2017 19:16] Greg Blumenthal
Same problem on Linux Mint 18 (Ubuntu 16.04)

Package: python-crypto                   
State: installed
Automatically installed: no
Version: 2.6.1-6ubuntu0.16.04.1
Priority: optional
Section: python
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Architecture: amd64
Uncompressed Size: 1,421 k
Depends: python (< 2.8), python (>= 2.7~), python:any (>= 2.7.5-5~), libc6 (>= 2.14), libgmp10
Suggests: python-crypto-dbg, python-crypto-doc
Conflicts: python-crypto:i386
Provides: python2.7-crypto
Description: cryptographic algorithms and protocols for Python
 A collection of cryptographic algorithms and protocols, implemented for use from Python. Among the contents of the
 package: 
 
 * Hash functions: HMAC, MD2, MD4, MD5, RIPEMD160, SHA, SHA256. 
 * Block encryption algorithms: AES, ARC2, Blowfish, CAST, DES, Triple-DES. 
 * Stream encryption algorithms: ARC4, simple XOR. 
 * Public-key algorithms: RSA, DSA, ElGamal. 
 * Protocols: All-or-nothing transforms, chaffing/winnowing. 
 * Miscellaneous: RFC1751 module for converting 128-bit keys into a set of English words, primality testing, random number
   generation.
Homepage: http://www.pycrypto.org/
[16 Feb 2017 19:20] Greg Blumenthal
This caused it:

python-crypto (2.6.1-6ubuntu0.16.04.1) xenial-security; urgency=medium

  * SECURITY UPDATE: throw exception when IV used with ECB or CTR
    - debian/patches/CVE-2013-7459.patch: force exception when IV used ECB/CTR
    - CVE-2013-7459.patch

 -- Emily Ratliff <emily.ratliff@canonical.com>  Tue, 14 Feb 2017 16:05:02 -0600
[16 Feb 2017 20:12] Greg Blumenthal
Note: blowfish and arcfour are NOT acceptable workarounds
[17 Feb 2017 9:17] Peep Puijenbroek
This is also happening on 6.3.9

09:55:57 [INF][      WBContext]: Connection to PROD cancelled by user: Tunnel connection cancelled
09:55:59 [INF][     SSH tunnel]: Existing SSH tunnel not found, opening new one
09:55:59 [INF][     SSH tunnel]: Opening SSH tunnel to 185.87.249.139
09:56:00 [ERR][sshtunnel.py:notify_exception_error:235]: Traceback (most recent call last):
  File "/usr/share/mysql-workbench/sshtunnel.py", line 303, in _connect_ssh
    look_for_keys=has_key, allow_agent=has_key, timeout=SSH_CONNECTION_TIMEOUT)
  File "/usr/lib/python2.7/dist-packages/paramiko/client.py", line 325, in connect
    t.start_client()
  File "/usr/lib/python2.7/dist-packages/paramiko/transport.py", line 492, in start_client
    raise e
ValueError: CTR mode needs counter parameter, not IV

09:56:00 [INF][     SSH tunnel]: TunnelManager.wait_connection authentication error: Authentication error, unhandled exception caught in tunnel manager, please refer to logs for details
09:56:00 [ERR][     SSH tunnel]: Authentication error opening SSH tunnel: Authentication error, unhandled exception caught in tunnel manager, please refer to logs for details
09:56:02 [INF][      WBContext]: Connection to TEST cancelled by user: Tunnel connection cancelled
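
Added example, not part of the original thread or of Workbench: a small log triage helper that pulls Python tracebacks out of a Workbench log and flags the PyCrypto CTR/IV failure reported above, which the tunnel manager otherwise surfaces only as an "Authentication error". The sample log is constructed from the excerpts in this thread (the host is a documentation address), and the function names and the "pycrypto-ctr-iv" label are assumptions made for the example.

```python
import re

# Constructed sample modelled on the Workbench log excerpts in this thread;
# the host is a documentation address, not a real server.
SAMPLE_LOG = """\
09:55:59 [INF][     SSH tunnel]: Opening SSH tunnel to 192.0.2.10
09:56:00 [ERR][sshtunnel.py:notify_exception_error:235]: Traceback (most recent call last):
  File "/usr/share/mysql-workbench/sshtunnel.py", line 303, in _connect_ssh
    look_for_keys=has_key, allow_agent=has_key, timeout=SSH_CONNECTION_TIMEOUT)
  File "/usr/lib/python2.7/dist-packages/paramiko/transport.py", line 492, in start_client
    raise e
ValueError: CTR mode needs counter parameter, not IV
09:56:00 [ERR][     SSH tunnel]: Authentication error opening SSH tunnel: Authentication error, unhandled exception caught in tunnel manager, please refer to logs for details
"""

SIGNATURE = "CTR mode needs counter parameter, not IV"
FRAME = re.compile(r'^\s+File "(?P<path>[^"]+)", line (?P<line>\d+), in (?P<func>\S+)')
EXC = re.compile(r'^(?P<type>[A-Za-z_][\w.]*(?:Error|Exception)): (?P<msg>.*)$')

def extract_tracebacks(text):
    """Return one dict per traceback: its frames and the final exception line."""
    found, current = [], None
    for line in text.splitlines():
        if "Traceback (most recent call last):" in line:
            current = {"frames": [], "type": None, "msg": None}
            continue
        if current is None:
            continue  # ordinary log line outside any traceback
        m = FRAME.match(line)
        if m:
            current["frames"].append((m["path"], int(m["line"]), m["func"]))
            continue
        m = EXC.match(line)
        if m:  # unindented "SomeError: message" closes the traceback
            current.update(type=m["type"], msg=m["msg"])
            found.append(current)
            current = None
    return found

def classify(tb):
    """Label a traceback as the PyCrypto CTR/IV incompatibility or as other."""
    in_paramiko = any("/paramiko/" in p.replace("\\", "/") for p, _, _ in tb["frames"])
    if tb["type"] == "ValueError" and tb["msg"] == SIGNATURE and in_paramiko:
        return "pycrypto-ctr-iv"
    return "other"
```

A log that contains no traceback at all, such as the Windows "Tunnel manager could not be executed" report further down, yields an empty list and needs separate investigation.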
[17 Feb 2017 10:01] MySQL Verification Team
https://bugs.mysql.com/bug.php?id=85041 marked as duplicate of this one.
[17 Feb 2017 10:48] Marcin Szalowicz
Hello, 
as a workaround please try to update paramiko manually according to this manual:
http://mysqlworkbench.org/2015/03/paramiko-update-tutorial/
Let us know if this works for you.
[17 Feb 2017 19:06] Zlatko Zlatev
Manually updating paramiko to 2.1.1 resolved it for me. Thanks.
[17 Feb 2017 23:23] MySQL Verification Team
https://bugs.mysql.com/bug.php?id=85057 marked as duplicate of this one.
[30 Mar 2017 10:21] mario gomes
I'm also experiencing this problem on Windows, both x86 and x64 versions, and if I try to update paramiko to 2.1.1 or 2.1.2, I get a different error saying "cannot start ssh tunnel manager".

The log shows:
[ERR][python]: Error running file C:\Program Files\MySQL\MySQL Workbench 6.3 CE\sshtunnel.py
[WRN][]: Tunnel manager could not be executed

So for me the workaround is not working.
[23 Jun 2017 15:41] Mio Taalas
Can confirm

Tested on Windows 7 x64, Workbench 6.3.9
Using MySQL 5.5.5-0+deb8u1 server on Raspbian

Tried to manually replace paramiko with a newer one, but it gives a new error.
[17 Oct 2018 9:36] Marnus van Niekerk
Setting the ciphers (server side) solved it for me with Mint 19 on client side.

Ciphers blowfish-cbc,aes128-ctr,aes192-ctr,aes256-ctr
[4 Jan 2019 13:49] Marcin Szalowicz
Posted by developer:
 
Workbench doesn't use Paramiko anymore.