Dear support,
We're running into a weird issue with one of our customers trying to connect to our ftp server.
They can no longer connect via sftp.
They utilize Oracle cloud global human resources, which has an ftp client.
From their support we receive the following information:
Note that the error is seen only when support for the 2 additional algorithms below is enabled:
ssh-rsa,ssh-dss,rsa-sha2-256,rsa-sha2-512
If we keep only these 2 algos, the test connection works well:
ssh-rsa,ssh-dss
So in this case, "ssh-rsa" must be chosen. However, it seems like the server has logic to choose the "rsa-sha2-" algorithms if we include any of these in the list, ignoring the order in the client's name list, and the connection fails.
This needs to be investigated on the FTP side.
Please engage the FTP server provider (WingFTP) to investigate why there is an error in the SFTP server log.
When they try to connect we do not see anything in our logs. On our end the only feedback we receive is "Failed to exchange the keys."
Came across support ticket viewtopic.php?t=3950 and I'm wondering if this might be a similar issue or not.
The problem is that we have quite a few customers connecting to our environment, so we're rather careful in changing anything.
Do you guys have any idea what might be the cause here?
Thanks in advance.
Connection issue - failed to exchange keys
-
- Site Admin
- Posts: 2091
- Joined: Tue Sep 29, 2009 6:09 am
Re: Connection issue - failed to exchange keys
OK, so please recover the default host key algorithms first: <SFTPHostKey>ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256</SFTPHostKey>
Then try to remove the SFTP server address from known_hosts (under Oracle cloud server machine), just modify this file and remove related lines: sudo vi ~/.ssh/known_hosts
If the above methods still can't help, please have a look at this post: viewtopic.php?t=3547
-
- Posts: 8
- Joined: Fri Dec 22, 2023 4:13 pm
Re: Connection issue - failed to exchange keys
Thanks for your feedback.
On our end the SFTPHostKey setting is the default, as you suggested:
<SFTPHostKey>ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256</SFTPHostKey>
I'll validate with the external party if they can remove the known host.
-
- Posts: 8
- Joined: Fri Dec 22, 2023 4:13 pm
Re: Connection issue - failed to exchange keys
Dear,
We received feedback from the external party: removing the entry under the known hosts did not resolve the issue.
We tried to establish the SFTP connection by removing the server and then adding it back, but still, we are facing the same issue and are unable to establish the connection to SFTP.
We also shared the feedback provided by WingFTP to Oracle and have received the following response.
Please report the problem to the WingFTP server vendor and ask the vendor to completely follow RFC 4253 7.1, so that when the client's host key algorithm list order is ssh-rsa, rsa-sha2-256, rsa-sha2-512, ssh-rsa becomes the agreed algorithm as long as the server is configured to support ssh-rsa.
An SSH server product not following the RFC won't be supported.
-
- Posts: 8
- Joined: Fri Dec 22, 2023 4:13 pm
Re: Connection issue - failed to exchange keys
Forgot to mention that while the removal of the SSH key did not work, we're still looking at testing the solution suggested in viewtopic.php?t=3547. HMAC is currently allowed, but we noticed the Diffie-Hellman SFTP algorithm wasn't allowed. We're currently waiting for approval to test it.
We are also trying to reproduce the problem with a different SFTP client, but no luck so far.
-
- Posts: 8
- Joined: Fri Dec 22, 2023 4:13 pm
Re: Connection issue - failed to exchange keys
Dear,
In the last message I mentioned that "diffie-hellman-group1-sha1" wasn't allowed for the sftp key exchange algorithms, but I must have looked over it, because it was already configured.
I did manage to reproduce the issue with a different client, Bitvise to be more specific.
On the host keys I allowed RSA/SHA1, RSA/SHA2-256 and RSA/SHA2-512, in that order.
Looking in the Bitvise log I see the following messages:
- first key exchange started. (informational)
- Received host key from the service. Algorithm: RSA/SHA1.. (informational)
- getting an error: ssh connection has terminated with error. reason; error in component session/transport/kexhandler. Error class: flow, code: componentExpception, message: exception in compoent: Windows CNG (x86- with additions: SshSigToRawSig: unexpected Algorithm Length (error)
When I remove the RSA/SHA2 host key algorithms it does allow me to log in to the server:
- first key exchange started. (informational)
- Received host key from the service. Algorithm: RSA/SHA1.. (informational)
- first key exchange completed using Curse-25519@libssh. Connection encrytion aes256-ctr, integrity hmac-sha2-256
-
- Posts: 8
- Joined: Fri Dec 22, 2023 4:13 pm
Re: Connection issue - failed to exchange keys
Forgot to mention that when we check the logs on the server, we receive the same message as our customer:
[02] Tue, 13 Feb 2024 09:55:36 (0553341) Connected from
[02] Tue, 13 Feb 2024 09:56:01 (0553341) Failed to exchange the keys.
-
- Site Admin
- Posts: 2091
- Joined: Tue Sep 29, 2009 6:09 am
Re: Connection issue - failed to exchange keys
OK, thanks for your information, we will look into this issue and try to improve it.
-
- Site Admin
- Posts: 2091
- Joined: Tue Sep 29, 2009 6:09 am
Re: Connection issue - failed to exchange keys
For a temporary solution, maybe you can stop the WingFTP service and modify the file "Data/settings.xml", just replace line 40 with:
<SFTPHostKey>rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256</SFTPHostKey>
And then start the WingFTP service again.
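Added example (not code from the thread, WingFTP or Oracle): the RFC 4253 section 7.1 host key negotiation the Oracle response refers to, run over the algorithm lists quoted in this thread, plus the RFC 4253 section 6.6 signature encoding, to show why a client that agreed on ssh-rsa would reject a blob whose leading name string says rsa-sha2-512 (a length mismatch of the kind the Bitvise log complains about). The 7.1 capability test for the key exchange method is left out, and the signature body is a constructed placeholder.

```python
import struct


def negotiate(client_list, server_list):
    """RFC 4253 section 7.1: the agreed host key algorithm is the first name on
    the CLIENT's list that the server also supports. Server order is irrelevant.
    (The extra encryption/signature-capability check of 7.1 is omitted here.)"""
    supported = set(server_list.split(","))
    for name in client_list.split(","):
        if name in supported:
            return name
    return None  # no common algorithm: the key exchange must fail


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def encode_signature(algorithm: str, raw_sig: bytes) -> bytes:
    """RFC 4253 section 6.6 (and RFC 8332 for rsa-sha2-*): a signature is
    string algorithm-name followed by string signature-blob."""
    return ssh_string(algorithm.encode()) + ssh_string(raw_sig)


def signature_algorithm(blob: bytes) -> str:
    """Parse the leading algorithm-name string out of an SSH signature blob."""
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode()


def check_signature_matches(blob: bytes, negotiated: str) -> bool:
    """A client that negotiated `negotiated` must refuse a blob signed under any
    other name. 'ssh-rsa' is 7 bytes and 'rsa-sha2-512' is 12, so a name-length
    comparison is the first thing such a check trips over."""
    return signature_algorithm(blob) == negotiated


# Constructed sample input: the lists quoted in the thread and a fake 4-byte signature body.
CLIENT = "ssh-rsa,ssh-dss,rsa-sha2-256,rsa-sha2-512"
SERVER_DEFAULT = "ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256"
SERVER_WORKAROUND = "rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256"
FAKE_SIG = b"\x00\x01\x02\x03"

if __name__ == "__main__":
    agreed = negotiate(CLIENT, SERVER_DEFAULT)  # ssh-rsa: first client entry the server has
    good = encode_signature(agreed, FAKE_SIG)
    bad = encode_signature("rsa-sha2-512", FAKE_SIG)  # server signed under a different name
    print(agreed, check_signature_matches(good, agreed), check_signature_matches(bad, agreed))
    print(negotiate(CLIENT, SERVER_WORKAROUND))  # rsa-sha2-256 once ssh-rsa is no longer offered
```

With the workaround list the client's first two preferences are absent, so rsa-sha2-256 is agreed and the server's rsa-sha2 signature is what the client expects.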
-
- Site Admin
- Posts: 2091
- Joined: Tue Sep 29, 2009 6:09 am
Re: Connection issue - failed to exchange keys
The new version 7.3.1 fixed an issue about SFTP host key algorithm, you may try this version now: https://www.wftpserver.com/download.htm