Couldn't agree on key exchange algorithm (hardened server)

Advertisement

jawnsy_
Guest

Couldn't agree on key exchange algorithm (hardened server)

Hi,

I followed the instructions for "modern compatibility" listed here: https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67

So these are my cipher settings in /etc/ssh/sshd_config:
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
Unfortunately, this breaks WinSCP. PuTTY 0.65 has no issues, so perhaps this is just an issue where an upgrade is required. This issue looks very similar to https://winscp.net/tracker/1067

Cheers,
Jonathan Yu
jonathan.i.yu@gmail.com

Reply with quote

Advertisement

juul
Guest

This is actually not entirely the same, its because WinSCP is missing a cipher and key exchange algorithm.

I ran into the same problem when connecting to a hardened server. The policy of this server had to be relaxed to allow WinSCP to connect because the server was very strict at first.

The cipher missing is: ChaCha20 (SSH-2 only)
The key exchange algorithm missing is: ECDH key exchange

Those appear in the lists in the PuTTY settings, however in WinSCP these do not appear in the cipher and kex selection policy lists.

Reply with quote

martin
Site Admin
martin avatar

juul wrote:

Those appear in the lists in the PuTTY settings.
But in a development version only. Not in the stable one.

Reply with quote

Advertisement

You can post new topics in this forum