Attempting to connect to EC2 serial console via ssh returns "no acceptable ciphers"



I had a working python 3 script (with boto3, and paramiko) that could connect to an EC2 instance via the serial console over paramiko ssh. However, in early December 2023 the script stopped working and I started getting the error message “no acceptable ciphers”.

The script basically follows these steps:

  1. Construct the serial console url: <instance_id>.port0@serial-console.ec2-instance-connect.<region>.aws
  2. Read in my local id_rsa_pub file
  3. Create a EC2 boto3 instance ec2 = boto3.client('ec2')
  4. Check that I have the right AMI permission ec2.get_serial_console_access_status(DryRun=False)
  5. Create an ec2-instance-connect: ec2client = boto3.client('ec2-instance-connect')
  6. Push my public key to my ec2 instance: ec2client.send_serial_console_ssh_public_key(InstanceId=instance_id, SerialPort=0, SSHPublicKey=SSHPublicKey)
  7. Create a paramiko instance: ssh_handle = paramiko.SSHClient()
  8. Set SSH policy for paramiko: ssh_handle.set_missing_host_key_policy(paramiko.AutoAddPolicy())
  9. Load my pem file for parimko: privkey = paramiko.RSAKey.from_private_key_file(pem_path)
  10. Attempt to SSH connect to the instance: ssh_handle.connect(hostname=hostname, username=username, pkey=privkey, timeout=connect_timeout)

Step 10 causes an exception with the following error line: paramiko.ssh_exception.IncompatiblePeer: Incompatible ssh server (no acceptable ciphers)

or if I rerun the script two quickly, I see the exception regarding only allowing one connection at a time.

Thank you for reading this far, and in advanced for any assistance you can provide, Ian

asked 3 months ago277 views
1 Answer

This error typically occurs when there is a mismatch between the SSH ciphers supported by the client and server.

Here are a few things you can try:

  1. Double check that your EC2 instance is running an up-to-date Linux distribution that supports modern ciphers like aes128-ctr and aes256-ctr. Older distributions may only support weaker ciphers.

  2. Explicitly set the ciphers argument when connecting with paramiko:

ciphers = 'aes128-ctr,aes256-ctr'
ssh_handle.connect(..., ciphers=ciphers) 
  1. Upgrade botocore and boto3 to latest versions in case older versions had issues negotiating ciphers.

  2. Try connecting to the instance using regular SSH (not serial console) to see if you get the same error. This can help narrow down if it's an EC2 serial console issue or general SSH cipher mismatch.

  3. Verify the security groups allow inbound SSH from your IP address on port 22.

  4. Check the EC2 console to see if there are any scheduled events or changes that could have triggered an OS update or config change around the time it stopped working.

answered 3 months ago
  • Thank you for your quick reply.

    Please see my response to each of your points below:

    1. The instance I am running does not provide ssh or even network support. I have been connecting to them over using an ssh connection to the virtual serial port. Note, that the command line of my instance is available if I use the AWS EC2 virtual serial console webpage. I also know that I can't do both at the same time.

    2. I will look into this.

    3. I am currently using the following python packages: boto3==1.34.19 botocore==1.34.19 paramiko==3.4.0

    4. I have tried that and got the same error.

    5. I have started an instance that does have ssh support, and I am able to connect to that so I don't think it a firewall or permission issue.

    6. I will look into this further.

  • I setup paramiko to be more verbose and now I get the following output:

    DEBUG:paramiko.transport:=== Key exchange possibilities === DEBUG:paramiko.transport:kex algos: ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, DEBUG:paramiko.transport:server key: rsa-sha2-256, rsa-sha2-512, ssh-rsa DEBUG:paramiko.transport:client encrypt: DEBUG:paramiko.transport:server encrypt: DEBUG:paramiko.transport:client mac: hmac-sha2-256, hmac-sha1, hmac-sha1-96 DEBUG:paramiko.transport:server mac: hmac-sha2-256, hmac-sha1, hmac-sha1-96 DEBUG:paramiko.transport:client compress: none DEBUG:paramiko.transport:server compress: none DEBUG:paramiko.transport:client lang: <none> DEBUG:paramiko.transport:server lang: <none> DEBUG:paramiko.transport:kex follows: False DEBUG:paramiko.transport:=== Key exchange agreements === DEBUG:paramiko.transport:Strict kex mode: True DEBUG:paramiko.transport:Kex: ecdh-sha2-nistp256 DEBUG:paramiko.transport:HostKey: rsa-sha2-512 ERROR:paramiko.transport:Exception (client): Incompatible ssh server (no acceptable ciphers)

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions