Topic review

Armin

Hi Martin,

Apologies for the late response, and thanks for the help.

I already mentioned to the team that it is better to remove the KEX algorithm from the server side.
martin

@Guest: In .NET assembly, if you configure particular KEX below/after the WARN, the assembly won't use the KEX (will rather fail the connection, if no KEX above/before WARN is supported by the server).
https://winscp.net/eng/docs/rawsettings#kex
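As an added example (not code from this thread or from WinSCP itself) of applying the answer above in a .NET application: the allowed algorithms are listed before WARN, the refused ones after it, so the assembly fails the connection rather than negotiating them. The host name, user name, key path and host key fingerprint are placeholders.

```csharp
using System;
using WinSCP;

// Builds the value for the WinSCP "KEX" raw setting: allowed entries first,
// then WARN, then the refused entries. Entries after WARN are never used by
// the .NET assembly; if the server offers nothing above WARN, Open() throws.
static class KexPolicy
{
    public static string Build(string[] allowed, string[] refused) =>
        string.Join(",", allowed) + ",WARN," + string.Join(",", refused);
}

class Program
{
    static int Main()
    {
        // These are WinSCP raw-setting names, not the SSH wire names:
        // "ecdh" covers the ecdh-sha2-nistp* methods and "dh-gex-sha1"
        // covers Diffie-Hellman group exchange (SHA-256 preferred over SHA-1).
        string kex = KexPolicy.Build(
            allowed: new[] { "ecdh", "dh-gex-sha1" },
            refused: new[] { "dh-group14-sha1", "rsa", "dh-group1-sha1" });

        var options = new SessionOptions
        {
            Protocol = Protocol.Sftp,
            HostName = "sftp.example.com",                  // placeholder
            UserName = "example-user",                      // placeholder
            SshPrivateKeyPath = @"C:\keys\example.ppk",     // placeholder
            SshHostKeyFingerprint = "ssh-ed25519 255 PLACEHOLDER_FINGERPRINT",
        };
        options.AddRawSettings("KEX", kex);

        try
        {
            using (var session = new Session())
            {
                session.Open(options);
                Console.WriteLine("Connected using a KEX listed above WARN.");
                return 0;
            }
        }
        catch (SessionRemoteException e)
        {
            // Thrown when the server offers only methods listed after WARN.
            Console.WriteLine("Connection refused by KEX policy: " + e.Message);
            return 1;
        }
    }
}
```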
Guest

Hi @Martin, for security reasons I want to remove some of the KEX options that are available in WinSCP.

Oh, I am sorry, I forgot to mention that I am developing a .NET application that uses the WinSCP library to connect to the SFTP server.

I can add new KEX using AddRawSetting but I don't know how to remove the KEX options in the WinSCP Library.

So I assume it can only be done at server side. Is that correct?
martin

@Armin: Well, I do not know what exactly you are trying to achieve. If you control both the client(s) and the server, then indeed it's the server that should be configured not to allow the unwanted KEX in the first place.
Armin

Hi Martin,

From what I understand, WinSCP can support multiple KEX.
They want me to remove this option: "diffie-hellman-group1-sha1".
Is that possible?

I just saw this post
How to use diffie-hellman-group-exchange-sha256 in the KEX=

Does it mean we don't need to change it on the client side, and only the server side needs to decide which KEX the server accepts? Am I right?
martin

Re: Limit the KEX options

@Armin: That's quite vague. Are you looking for this?
https://winscp.net/eng/docs/ui_login_kex
In any case, algorithms should primarily be restricted on the server-side.
Armin

Limit the KEX options

Is it possible to limit the KEX options?

Due to security reasons they want to limit the KEX.
ddremiere@oxya.com

Key Exchange

Hi,
due to security requirements I have been asked to only use the KEX below to connect to an SFTP site:

  • diffie-hellman-group-exchange-sha256
  • ecdh-sha2-nistp256
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp521

The following ones are refused:

  • diffie-hellman-group14-sha1
  • diffie-hellman-group-exchange-sha1
  • diffie-hellman-group1-sha1
  • rsa1024-sha1

The KEX names available in WinSCP (found for the KEX parameter in https://winscp.net/eng/docs/rawsettings) are all SHA-1 except ECDH.
But is ECDH SHA-1 or SHA-2?

If SHA-1, it means I have to choose another SFTP software, right?
Thanks in advance.
Regards,
Daniel