Connection issue - failed to exchange keys

Please post here if you have problems in using Wing FTP Server.
OpsWort
Posts: 8
Joined: Fri Dec 22, 2023 4:13 pm

Connection issue - failed to exchange keys

Post by OpsWort »

Dear support,

We're running into a weird issue with one of our customers trying to connect to our ftp server.
They can no longer connect via sftp.

They utilize Oracle cloud global human resources, which has an ftp client.
From their support we receive the following information:
Note that the error is seen only when support for the 2 additional algorithms below is enabled.

ssh-rsa,ssh-dss,rsa-sha2-256,rsa-sha2-512

If we keep only 2 algos the test connection works well.

ssh-rsa,ssh-dss

So in this case, "ssh-rsa" must be chosen. However, it seems like the server has logic to choose "rsa-sha2-" algorithms if we include any of these in the list, ignoring the order in the client name-list, and failing.

This needs to be investigated on the FTP side.
Please engage the FTP server provider (wingftp ..) to investigate why there is an error in the SFTP server log.


When they try to connect they do not see anything in our logs. On our end the only feedback we receive is "Failed to exchange the keys."

Came across support ticket viewtopic.php?t=3950 and I'm wondering if this might be a similar issue or not.
The problem is that we have quite a few customers connecting to our environment, so we're rather careful in changing anything.

Do you guys have any idea what might be the cause here?

Thanks in advance.
FTP
Site Admin
Posts: 2080
Joined: Tue Sep 29, 2009 6:09 am

Re: Connection issue - failed to exchange keys

Post by FTP »

OK, so please recover the default host key algorithms first: <SFTPHostKey>ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256</SFTPHostKey>

Then try to remove the SFTP server address from known_hosts (under Oracle cloud server machine), just modify this file and remove related lines: sudo vi ~/.ssh/known_hosts

If the above methods still can't help, please have a look at this post: viewtopic.php?t=3547
OpsWort
Posts: 8
Joined: Fri Dec 22, 2023 4:13 pm

Re: Connection issue - failed to exchange keys

Post by OpsWort »

Thanks for your feedback.
On our end the SFTPHostKey setting is the default, as you suggested:
<SFTPHostKey>ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256</SFTPHostKey>

I'll validate with the external party if they can remove the known host.
OpsWort
Posts: 8
Joined: Fri Dec 22, 2023 4:13 pm

Re: Connection issue - failed to exchange keys

Post by OpsWort »

Dear,

We received feedback from the external party: removing the entry under known_hosts did not resolve the issue.

We tried to establish the SFTP connection by removing the server and then adding it back, but still, we are facing the same issue and are unable to establish the connection to SFTP.

We also shared the feedback provided by WingFTP to Oracle and have received the following response.

Please report the problem to the WingFTP server vendor and ask the vendor to completely follow RFC 4253 7.1, so that when the client's host key algorithm list order is ssh-rsa, rsa-sha2-256, rsa-sha2-512, ssh-rsa becomes the agreed algorithm, as long as the server is configured to support ssh-rsa.
An SSH server product not following the RFC won't be supported.
OpsWort
Posts: 8
Joined: Fri Dec 22, 2023 4:13 pm

Re: Connection issue - failed to exchange keys

Post by OpsWort »

Forgot to mention that while the removal of the SSH key did not work, we're still looking at testing the solution suggested in viewtopic.php?t=3547. HMAC is currently allowed, but I noticed the Diffie-Hellman SFTP algorithm wasn't allowed. We're currently waiting for approval to test it.

I'm also trying to reproduce the problem with a different SFTP client, but no luck so far.
OpsWort
Posts: 8
Joined: Fri Dec 22, 2023 4:13 pm

Re: Connection issue - failed to exchange keys

Post by OpsWort »

Dear,

In the last message I mentioned that "diffie-hellman-group1-sha1" wasn't allowed for the SFTP key exchange algorithms, but I must have overlooked it, because it was already configured.

I did manage to reproduce the issue with a different client, Bitvise to be more specific.
On the host keys I allowed RSA/SHA1, RSA/SHA2-256 and RSA/SHA2-512, in that order.

Looking in the Bitvise log I see the following messages:
- First key exchange started. (informational)
- Received host key from the service. Algorithm: RSA/SHA1. (informational)
- Getting an error: SSH connection has terminated with error. Reason: error in component session/transport/kexhandler. Error class: flow, code: componentException, message: exception in component: Windows CNG (x86) with additions: SshSigToRawSig: unexpected Algorithm Length (error)


When I remove the RSA/SHA2 host key algorithms it does allow me to log in to the server:
- First key exchange started. (informational)
- Received host key from the service. Algorithm: RSA/SHA1. (informational)
- First key exchange completed using Curve25519@libssh. Connection encryption aes256-ctr, integrity hmac-sha2-256
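The two behaviours argued over in this thread (Oracle's RFC 4253 section 7.1 point above, and the Bitvise "unexpected Algorithm Length" failure just shown) can be modelled without a real SSH stack. The block below is an added example, not Wing FTP Server code and not posted by anyone in the thread. It implements the RFC 4253 negotiation rule (first entry on the client's list that the server also supports), a deliberately non-conforming "server order first" variant for contrast, and the SSH signature blob layout of RFC 4253 section 6.6 / RFC 8332 (`string name || string signature`), then runs the client-side name check a client performs before any RSA maths. The assumption that the Bitvise error stems from the server signing with `rsa-sha2-256` (a 12-byte name) after `ssh-rsa` (7 bytes) was negotiated is my reading of the log, not something the vendor confirmed; the raw signature bytes are constructed placeholders, and `negotiate_server_first` and `scenario` are hypothetical helpers named here for illustration.

```python
"""
Added example, not code from Wing FTP Server or from anyone in this thread.
Models RFC 4253 section 7.1 host key algorithm negotiation and the SSH
signature blob layout (RFC 4253 section 6.6; RFC 8332 for rsa-sha2-*), to
show how a server that signs with an algorithm other than the negotiated one
yields a blob whose algorithm-name field has an unexpected length.
The raw signature bytes below are constructed placeholders, not real RSA output.
"""
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length, then the bytes (RFC 4251 section 5)."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(buf: bytes, offset: int = 0):
    """Decode one SSH 'string' starting at offset. Returns (value, offset_after)."""
    if len(buf) < offset + 4:
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", buf, offset)
    offset += 4
    if len(buf) < offset + length:
        raise ValueError("truncated string body")
    return buf[offset:offset + length], offset + length


def negotiate_host_key_alg(client_algs, server_algs):
    """RFC 4253 section 7.1: the first algorithm on the CLIENT's name-list that the
    server also supports is chosen; the server's own ordering is irrelevant.
    Returns None when the lists do not intersect (the key exchange then fails)."""
    supported = set(server_algs)
    for alg in client_algs:
        if alg in supported:
            return alg
    return None


def negotiate_server_first(client_algs, server_algs):
    """Hypothetical non-conforming variant, for contrast only: honours the SERVER's order."""
    offered = set(client_algs)
    for alg in server_algs:
        if alg in offered:
            return alg
    return None


def make_signature_blob(sig_alg: str, raw_sig: bytes) -> bytes:
    """Wire format of a signature: string sig_alg || string raw_signature.
    Per RFC 8332 the name is 'rsa-sha2-256' / 'rsa-sha2-512' when those are used,
    even though the host key type itself is still 'ssh-rsa'."""
    return ssh_string(sig_alg.encode("ascii")) + ssh_string(raw_sig)


def check_signature_blob(blob: bytes, negotiated_alg: str):
    """Client-side check before any crypto: the name inside the blob must equal the
    negotiated host key algorithm. Returns (ok, detail)."""
    try:
        name, off = read_ssh_string(blob)
        raw_sig, off = read_ssh_string(blob, off)
    except ValueError as exc:
        return False, f"malformed signature blob: {exc}"
    if off != len(blob):
        return False, "trailing bytes after signature"
    expected = negotiated_alg.encode("ascii")
    if name != expected:
        return False, (f"unexpected algorithm name {name!r} (length {len(name)}), "
                       f"expected {expected!r} (length {len(expected)})")
    return True, f"{negotiated_alg} signature, {len(raw_sig)} raw bytes"


# Lists taken from the thread: the Oracle client's order, the default Wing FTP
# <SFTPHostKey> value, and the suggested workaround list without ssh-rsa.
ORACLE_CLIENT = ["ssh-rsa", "ssh-dss", "rsa-sha2-256", "rsa-sha2-512"]
WINGFTP_DEFAULT = ["ssh-rsa", "rsa-sha2-512", "rsa-sha2-256", "ecdsa-sha2-nistp256"]
WINGFTP_WORKAROUND = ["rsa-sha2-512", "rsa-sha2-256", "ecdsa-sha2-nistp256"]
FAKE_RAW_SIG = b"\x5a" * 256  # constructed placeholder for a 2048-bit RSA signature


def scenario(server_sig_alg: str):
    """Negotiate per the RFC, then have the server sign with server_sig_alg (assumed
    behaviour, modelling the failure in the thread) and run the client-side check."""
    chosen = negotiate_host_key_alg(ORACLE_CLIENT, WINGFTP_DEFAULT)
    blob = make_signature_blob(server_sig_alg, FAKE_RAW_SIG)
    return chosen, check_signature_blob(blob, chosen)


if __name__ == "__main__":
    print("RFC choice:", negotiate_host_key_alg(ORACLE_CLIENT, WINGFTP_DEFAULT))
    print("server-first choice:", negotiate_server_first(ORACLE_CLIENT, ["rsa-sha2-256", "ssh-rsa"]))
    print("ssh-rsa-only client vs workaround list:",
          negotiate_host_key_alg(["ssh-rsa", "ssh-dss"], WINGFTP_WORKAROUND))
    print("server signs with ssh-rsa:", scenario("ssh-rsa"))
    print("server signs with rsa-sha2-256:", scenario("rsa-sha2-256"))
```

Two practical points fall out of running it. First, with the Oracle client's order the RFC answer is always `ssh-rsa`, whatever the server's own preference, so a server that picks `rsa-sha2-*` (or signs with it after agreeing `ssh-rsa`) will be rejected by a strict client exactly as Bitvise does. Second, the workaround of dropping `ssh-rsa` from the server list makes the negotiation return `None` for any client that offers only `ssh-rsa,ssh-dss`, so it trades this customer's failure for a failure on every SHA-1-only client; since `ssh-rsa` signatures are SHA-1 based and RFC 8332 and current OpenSSH already deprecate them, that trade may be acceptable, but it should be a deliberate decision rather than a side effect.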
OpsWort
Posts: 8
Joined: Fri Dec 22, 2023 4:13 pm

Re: Connection issue - failed to exchange keys

Post by OpsWort »

Forgot to mention that when we check the logs on the server, we receive the same message as our customer:
[02] Tue, 13 Feb 2024 09:55:36 (0553341) Connected from
[02] Tue, 13 Feb 2024 09:56:01 (0553341) Failed to exchange the keys.
FTP
Site Admin
Posts: 2080
Joined: Tue Sep 29, 2009 6:09 am

Re: Connection issue - failed to exchange keys

Post by FTP »

OK, thanks for your information, we will look into this issue and try to improve it.
FTP
Site Admin
Posts: 2080
Joined: Tue Sep 29, 2009 6:09 am

Re: Connection issue - failed to exchange keys

Post by FTP »

For a temporary solution, maybe you can stop the WingFTP service and modify the file "Data/settings.xml", replacing line 40 with:

<SFTPHostKey>rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256</SFTPHostKey>

And then start the WingFTP service again.
FTP
Site Admin
Posts: 2080
Joined: Tue Sep 29, 2009 6:09 am

Re: Connection issue - failed to exchange keys

Post by FTP »

The new version 7.3.1 fixed an issue about SFTP host key algorithm, you may try this version now: https://www.wftpserver.com/download.htm