Provisioner did not have AES_256_CBC #12402

Closed
victorpng opened this issue Mar 16, 2020 · 4 comments
Labels
service/ec2 Issues and PRs that pertain to the ec2 service.

Comments


victorpng commented Mar 16, 2020

Hi,

I faced an issue when using Terraform to spin up and set up an EC2 instance.

When running, the following error appears after waiting for 5 min:

Error: Error applying plan:

1 error(s) occurred:

* aws_instance.generator: timeout - last error: ssh: handshake failed: ssh: no common algorithm for client to server cipher; client offered: [[email protected] [email protected] aes128-ctr aes192-ctr aes256-ctr], server offered: [aes256-cbc]

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

The following is the config for the provisioner:

provisioner "file" {
  source      = "test.jar"
  destination = "/home/ec2-user/test.jar"

  connection {
    type        = "ssh"
    user        = "ec2-user"
    private_key = "${file("/home/ec2-user/aws-access.pem")}"
  }
}

The version I'm using is as follows:
Terraform v0.11.7

  • provider.aws v2.45.0
  • provider.panos v1.6.2

I think there is an issue with Terraform ssh where it is missing ciphers.
Is there any solution / workaround for this? Thank you.

Best Regards,
Victor

@ghost ghost added the service/ec2 Issues and PRs that pertain to the ec2 service. label Mar 16, 2020
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Mar 16, 2020
Contributor

bflad commented Mar 16, 2020

Hi @victorpng 👋 Thank you for submitting this and sorry you are running into trouble here.

The code that handles provisioners currently lives upstream in the Terraform core repository (e.g. https://github.com/hashicorp/terraform/tree/master/builtin/provisioners) and the maintainers of this repository are not experts on this functionality. Since we cannot automatically transfer issues across GitHub organizations, unfortunately we can only close this issue here, but our best suggestion would be to open a GitHub issue upstream via https://github.com/hashicorp/terraform/issues/new/choose or if it's truly a question versus a bug report or feature request to ask in the Terraform community forums where there are more people able to help. 👍

@bflad bflad closed this as completed Mar 16, 2020
@amitmi704

FYI - The Crypto SSH module specifically does not support AES-256-CBC, and AES-128-CBC is not a default value due to security concerns. This "fix" would be 2-part: (1) a feature request for the Crypto SSH module to add AES-256-CBC support, and (2) then would require an enhancement to Terraform Core File provisioner to be able to pass the request to use a non-standard cipher.

@victorpng
Author

Thank you. I will raise a feature request for the Crypto SSH module to add AES-256-CBC support first.


ghost commented Apr 15, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 15, 2020
@breathingdust breathingdust removed the needs-triage Waiting for first response or review from a maintainer. label Sep 17, 2021