Topic "Couldn't agree on key exchange algorithm (hardened server)"

Author Message
jawnsy_

Guest


Hi,

I followed the instructions for "modern compatibility" listed here: https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern_.28OpenSSH_6.7.2B.29

So these are my cipher settings in /etc/ssh/sshd_config:

Code:

KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com


Unfortunately, this breaks WinSCP. PuTTY 0.65 has no issues, so perhaps this is just an issue where an upgrade is required. This issue looks very similar to http://winscp.net/tracker/show_bug.cgi?id=1067

Cheers,

Jonathan Yu
jonathan.i.yu@gmail.com
Attachments: putty.log (112.76 KB), theory.log (3.19 KB)

martin
Site Admin
Joined: 2002-12-10
Posts: 24530
Location: Prague, Czechia
Probably the same issue as here:
http://winscp.net/forum/viewtopic.php?t=15626

Please install the latest versions of both OpenSSH and WinSCP.
juul

Guest


This is actually not entirely the same; it's because WinSCP is missing a cipher and key exchange algorithm.

I ran into the same problem when connecting to a hardened server. The policy of this server had to be relaxed to allow WinSCP to connect because the server was very strict at first.

The cipher missing is: ChaCha20 (SSH-2 only)
The key exchange algorithm missing is: ECDH key exchange

Those appear in the lists in the PuTTY settings; however, in WinSCP these do not appear in the cipher and kex selection policy lists.
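
Added example (not part of the original posts, and not WinSCP or OpenSSH code): a simplified form of the SSH negotiation rule from RFC 4253, section 7.1, run against the sshd_config lines from the first post to show which category has no common algorithm. The client offer is constructed for illustration, the function names are hypothetical, and the host-key conditions of real key exchange selection are ignored.

```python
# Added example: simplified SSH algorithm negotiation (RFC 4253, section 7.1).
# Server side: the three directives quoted in the first post.
SSHD_CONFIG = """\
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
"""

# Constructed client offer (an assumption, not captured from any WinSCP or
# PuTTY release): no ECDH/curve25519 key exchange and no ChaCha20 cipher.
CLIENT_OFFER = {
    "kexalgorithms": ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "ciphers": ["aes256-ctr", "aes128-ctr", "aes256-cbc", "3des-cbc"],
    "macs": ["hmac-sha2-256", "hmac-sha1"],
}
CATEGORIES = ("kexalgorithms", "ciphers", "macs")


def parse_sshd_config(text):
    """Map each list directive to its algorithms (explicit lists only)."""
    server = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) != 2:
            continue
        keyword = parts[0].lower()  # sshd_config keywords are case-insensitive
        # sshd keeps the first value it reads for a keyword; later ones are ignored.
        if keyword in CATEGORIES and keyword not in server:
            server[keyword] = [a.strip() for a in parts[1].split(",") if a.strip()]
    return server


def negotiate(client_list, server_list):
    """Pick the first client algorithm that the server also lists, else None."""
    allowed = set(server_list)
    return next((alg for alg in client_list if alg in allowed), None)


def negotiation_report(client_offer, sshd_config_text):
    """Return {category: chosen algorithm or None} for kex, cipher and MAC."""
    server = parse_sshd_config(sshd_config_text)
    return {c: negotiate(client_offer.get(c, []), server.get(c, [])) for c in CATEGORIES}


if __name__ == "__main__":
    for category, chosen in negotiation_report(CLIENT_OFFER, SSHD_CONFIG).items():
        print(f"{category:14} {chosen or 'NO COMMON ALGORITHM'}")
```

With the constructed offer, the cipher and MAC categories still find a match; only the key exchange category comes back empty, which is the case the topic title reports.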
martin
Site Admin
Joined: 2002-12-10
Posts: 24530
Location: Prague, Czechia
juul wrote:
Those appear in the lists in the PuTTY settings.

But in a development version only. Not in the stable one.