Couldn't agree on key exchange algorithm (hardened server) :: Support Forum

jawnsy_ Guest

Couldn't agree on key exchange algorithm (hardened server)

2015-09-07 07:13

Hi,

I followed the instructions for "modern compatibility" listed here: https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67

So these are my cipher settings in /etc/ssh/sshd_config:

KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

Unfortunately, this breaks WinSCP. PuTTY 0.65 has no issues, so perhaps this is just an issue where an upgrade is required. This issue looks very similar to https://winscp.net/tracker/1067

Cheers,
Jonathan Yu
jonathan.i.yu@gmail.com

putty.log (112.76 KB)

theory.log (3.19 KB)

Reply with quote

martin◆ Site Admin
Joined:: 2002-12-10
Posts:: 41,518
Location:: Prague, Czechia

Re: Couldn't agree on key exchange algorithm (hardened server)

2015-09-08

Probably the same issue as here:
https://winscp.net/forum/viewtopic.php?t=15626

Please install the latest versions of both OpenSSH and WinSCP.

Reply with quote

juul Guest

2015-11-14 18:16

This is actually not entirely the same, its because WinSCP is missing a cipher and key exchange algorithm.

I ran into the same problem when connecting to a hardened server. The policy of this server had to be relaxed to allow WinSCP to connect because the server was very strict at first.

The cipher missing is: ChaCha20 (SSH-2 only)
The key exchange algorithm missing is: ECDH key exchange

Those appear in the lists in the PuTTY settings, however in WinSCP these do not appear in the cipher and kex selection policy lists.

Reply with quote