SFTP with ecdsa-sha2-nistp521, size 512 bits.


octopus
Guest


Hi

I'm trying to use SFTP, host key algorithm ecdsa-sha2-nistp521, size 512 bits.
WinSCP 5.10 beta.
But I get disconnected every time. Key generated with PuTTYgen.
Server is BusyBox 1.25.1.

It works fine when using e.g. FlashFXP5.

Best Regards
Octopus


octopus
Guest

From log

. 2017-06-07 08:43:28.512 --------------------------------------------------------------------------
. 2017-06-07 08:43:28.547 Looking up host "< my hoost >" for SSH connection
. 2017-06-07 08:43:28.686 Connecting to xx.xx.xx.212 port 500
. 2017-06-07 08:43:28.686 We claim version: SSH-2.0-WinSCP_release_5.10
. 2017-06-07 08:43:28.708 Server version: SSH-2.0-dropbear_2017.75
. 2017-06-07 08:43:28.708 We believe remote version has SSH-2 channel request bug
. 2017-06-07 08:43:28.708 Using SSH protocol version 2
. 2017-06-07 08:43:28.709 Have a known host key of type ecdsa-sha2-nistp521
. 2017-06-07 08:43:28.709 Doing ECDH key exchange with curve Curve25519 and hash SHA-256
. 2017-06-07 08:43:29.069 Server also has ssh-dss/ssh-rsa host keys, but we don't know any of them
. 2017-06-07 08:43:29.069 Host key fingerprint is:
. 2017-06-07 08:43:29.069 ecdsa-sha2-nistp521 521 <key here>
. 2017-06-07 08:43:29.069 Verifying host key ecdsa-sha2-nistp521 nistp521,< key here > with fingerprint ecdsa-sha2-nistp521 521 < key here >
. 2017-06-07 08:43:29.102 Host key matches cached key
. 2017-06-07 08:43:29.102 Initialised AES-256 SDCTR client->server encryption
. 2017-06-07 08:43:29.102 Initialised HMAC-SHA-256 client->server MAC algorithm
. 2017-06-07 08:43:29.102 Initialised AES-256 SDCTR server->client encryption
. 2017-06-07 08:43:29.102 Initialised HMAC-SHA-256 server->client MAC algorithm
. 2017-06-07 08:43:29.102 Reading key file "C:\Users\path\to\my\KEY\private-key.ppk"
! 2017-06-07 08:43:29.103 Using username "octopus".
. 2017-06-07 08:43:29.114 Server offered these authentication methods: publickey
. 2017-06-07 08:43:29.114 Offered public key
. 2017-06-07 08:43:29.115 Offer of public key accepted
! 2017-06-07 08:43:29.115 Authenticating with public key "octopus"
. 2017-06-07 08:43:29.316 Sent public key signature
. 2017-06-07 08:43:29.389 Access granted
. 2017-06-07 08:43:29.389 Opening session as main channel
. 2017-06-07 08:43:29.390 Opened main channel
. 2017-06-07 08:43:29.430 Started a shell/command
. 2017-06-07 08:43:29.477 --------------------------------------------------------------------------


martin
Site Admin

Re: SFTP with ecdsa-sha2-nistp521, size 512 bits.

It does not look like the problem has anything to do with keys. What made you think so?

Please attach a complete WinSCP log file.

And a log file from FlashFXP5 too, for comparison.


octopus
Guest

Test WinScp

. 2017-06-08 18:46:55.614 --------------------------------------------------------------------------
. 2017-06-08 18:46:55.614 WinSCP Version 5.10 beta (Version 7561) (OS 6.1.7601 Service Pack 1 - Windows 7 Ultimate)
. 2017-06-08 18:46:55.614 Configuration: HKCU\Software\Martin Prikryl\WinSCP 2\
. 2017-06-08 18:46:55.615 Log level: Normal
. 2017-06-08 18:46:55.615 Local account: computername\name
. 2017-06-08 18:46:55.615 Working directory: C:\Windows\system32
. 2017-06-08 18:46:55.615 Process ID: 4280
. 2017-06-08 18:46:55.615 Command-line: "C:\Program Files (x86)\WinSCP\WinSCP.exe" "root@192.168.12.1" /UploadIfAny /JumpList
. 2017-06-08 18:46:55.615 Time zone: Current: GMT+2, Standard: GMT+1 (Västeuropa, normaltid), DST: GMT+2 (Västeuropa, sommartid), DST Start: 2017-03-26, DST End: 2017-10-29
. 2017-06-08 18:46:55.615 Login time: den 8 juni 2017 18:46:55
. 2017-06-08 18:46:55.615 --------------------------------------------------------------------------
. 2017-06-08 18:46:55.615 Session name: ecdsa.octopus-sftp (Site)
. 2017-06-08 18:46:55.615 Host name: name.privatedns.org (Port: 500)
. 2017-06-08 18:46:55.615 User name: octopus (Password: No, Key file: Yes, Passphrase: No)
. 2017-06-08 18:46:55.615 Tunnel: No
. 2017-06-08 18:46:55.615 Transfer Protocol: SFTP (SCP)
. 2017-06-08 18:46:55.615 Ping type: Off, Ping interval: 30 sec; Timeout: 15 sec
. 2017-06-08 18:46:55.616 Disable Nagle: No
. 2017-06-08 18:46:55.616 Proxy: None
. 2017-06-08 18:46:55.616 Send buffer: 262144
. 2017-06-08 18:46:55.616 SSH protocol version: 2; Compression: No
. 2017-06-08 18:46:55.616 Bypass authentication: No
. 2017-06-08 18:46:55.616 Try agent: Yes; Agent forwarding: No; TIS/CryptoCard: No; KI: Yes; GSSAPI: Yes
. 2017-06-08 18:46:55.616 GSSAPI: Forwarding: No
. 2017-06-08 18:46:55.616 Ciphers: aes,chacha20,blowfish,3des,WARN,arcfour,des; Ssh2DES: No
. 2017-06-08 18:46:55.616 KEX: ecdh,dh-gex-sha1,dh-group14-sha1,rsa,WARN,dh-group1-sha1
. 2017-06-08 18:46:55.616 SSH Bugs: Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto
. 2017-06-08 18:46:55.616 Simple channel: Yes
. 2017-06-08 18:46:55.616 Return code variable: Autodetect; Lookup user groups: Auto
. 2017-06-08 18:46:55.616 Shell: default
. 2017-06-08 18:46:55.616 EOL: LF, UTF: Auto
. 2017-06-08 18:46:55.616 Clear aliases: Yes, Unset nat.vars: Yes, Resolve symlinks: Yes; Follow directory symlinks: No
. 2017-06-08 18:46:55.616 LS: ls -la, Ign LS warn: Yes, Scp1 Comp: No
. 2017-06-08 18:46:55.616 SFTP Bugs: Auto,Auto
. 2017-06-08 18:46:55.616 SFTP Server: default
. 2017-06-08 18:46:55.616 Local directory: default, Remote directory: /, Update: Yes, Cache: Yes
. 2017-06-08 18:46:55.616 Cache directory changes: Yes, Permanent: Yes
. 2017-06-08 18:46:55.616 Recycle bin: Delete to: No, Overwritten to: No, Bin path:
. 2017-06-08 18:46:55.616 DST mode: Unix
. 2017-06-08 18:46:55.616 --------------------------------------------------------------------------
. 2017-06-08 18:46:55.636 Looking up host "name.privatedns.org" for SSH connection
. 2017-06-08 18:46:55.779 Connecting to 94.254.34.212 port 500
. 2017-06-08 18:46:55.780 We claim version: SSH-2.0-WinSCP_release_5.10
. 2017-06-08 18:46:55.787 Server version: SSH-2.0-dropbear_2017.75
. 2017-06-08 18:46:55.787 We believe remote version has SSH-2 channel request bug
. 2017-06-08 18:46:55.787 Using SSH protocol version 2
. 2017-06-08 18:46:55.788 Have a known host key of type ecdsa-sha2-nistp521
. 2017-06-08 18:46:55.788 Doing ECDH key exchange with curve Curve25519 and hash SHA-256
. 2017-06-08 18:46:56.143 Server also has ssh-dss/ssh-rsa host keys, but we don't know any of them
. 2017-06-08 18:46:56.143 Host key fingerprint is:
. 2017-06-08 18:46:56.143 ecdsa-sha2-nistp521 521 < key >
. 2017-06-08 18:46:56.143 Verifying host key ecdsa-sha2-nistp521 nistp521,<< key > with fingerprint ecdsa-sha2-nistp521 521 < key >
. 2017-06-08 18:46:56.188 Host key matches cached key
. 2017-06-08 18:46:56.189 Initialised AES-256 SDCTR client->server encryption
. 2017-06-08 18:46:56.189 Initialised HMAC-SHA-256 client->server MAC algorithm
. 2017-06-08 18:46:56.189 Initialised AES-256 SDCTR server->client encryption
. 2017-06-08 18:46:56.189 Initialised HMAC-SHA-256 server->client MAC algorithm
. 2017-06-08 18:46:56.189 Reading key file "C:\path\to\my\SSHD-keys\OCTOPUS-TEST-KEYS\private-key.ppk"
! 2017-06-08 18:46:56.197 Using username "octopus".
. 2017-06-08 18:46:56.200 Server offered these authentication methods: publickey
. 2017-06-08 18:46:56.200 Offered public key
. 2017-06-08 18:46:56.201 Offer of public key accepted
! 2017-06-08 18:46:56.201 Authenticating with public key "octopus"
. 2017-06-08 18:46:56.403 Sent public key signature
. 2017-06-08 18:46:56.474 Access granted
. 2017-06-08 18:46:56.474 Opening session as main channel
. 2017-06-08 18:46:56.474 Opened main channel
. 2017-06-08 18:46:56.511 Started a shell/command
. 2017-06-08 18:46:56.563 --------------------------------------------------------------------------
. 2017-06-08 18:46:56.576 Using SFTP protocol.
. 2017-06-08 18:46:56.594 Doing startup conversation with host.
> 2017-06-08 18:46:56.625 Type: SSH_FXP_INIT, Size: 5, Number: -1
! 2017-06-08 18:46:56.705 sh: /opt/libexec/sftp-server: not found
. 2017-06-08 18:46:56.706 Server sent command exit status 127
. 2017-06-08 18:46:56.706 Disconnected: All channels closed
* 2017-06-08 18:46:56.734 (EFatal) **Anslutningen har oväntat avslutats.** Servern skickade kommandot slutstatus 127.
* 2017-06-08 18:46:56.734 Kan inte initialisera SFTP-protokollet. Kör värddatorn en SFTP-server?


octopus
Guest

Test with FlashFxp 5.4.0

[18:52:11] Winsock 2.2 -- OpenSSL 1.1.0e 16 Feb 2017
[18:52:18] [R] Connecting to name.privatedns.org -> DNS=name.privatedns.org IP=xx.xx.xx.212 PORT=500
[18:52:18] [R] Connected to name.privatedns.org
[18:52:18] [R] Host key algorithm ecdsa-sha2-nistp521, size 512 bits.
[18:52:18] [R] Fingerprint (SHA256): < key >
[18:52:18] [R] Key exchange: curve25519-sha256@libssh.org. Session encryption: aes256-ctr, MAC: hmac-sha1, compression: none.
[18:52:19] [R] Auth Type: Public Key
[18:52:19] [R] Authentication succeeded
[18:52:19] [R] SSH Connection open
[18:52:19] [R] [info] subsystem request for sftp failed, subsystem not found.
[18:52:19] [R] [execute] /usr/lib/openssh/sftp-server
[18:52:19] [R] [execute] /usr/lib/sftp-server
[18:52:19] [R] [execute] /usr/local/lib/sftp-server
[18:52:19] [R] [execute] /usr/libexec/sftp-server
[18:52:20] [R] Connection established with dropbear_2017.75 (SFTP v3)
[18:52:20] [R] SFTP Connection Ready
[18:52:20] [R] Directory changed to: /
[18:52:20] [R] Retrieving directory listing...
[18:52:20] [R] List Complete: 2 KB in 0,09 seconds (2,4 KB/s)


martin
Site Admin

Re: Test WinScp

As you can see in both logs, the server is misconfigured. It cannot open the "SFTP" subsystem, because it's configured to /opt/libexec/sftp-server, which does not seem to exist. The correct path is /usr/libexec/sftp-server.

FlashFXP seems to have some fallback mechanism to execute some hardcoded binaries if the "SFTP" subsystem fails.

WinSCP can actually do the same if you disable SCP protocol fallback.

Or you can configure /usr/libexec/sftp-server as SFTP server path:
https://winscp.net/eng/docs/ui_login_sftp

Though the only correct approach is to get the server fixed.

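The diagnosis in the reply above, as an added example that is not part of the original thread and not WinSCP's own code: a Python triage over WinSCP session-log lines that reports how far the session got and flags a missing SFTP server binary. The `triage` helper and the milestone names are hypothetical; the sample lines are a subset of the log posted above.

```python
import re

# Constructed sample: a subset of the WinSCP log lines posted in this thread.
SAMPLE_LOG = """\
. 2017-06-08 18:46:56.188 Host key matches cached key
. 2017-06-08 18:46:56.474 Access granted
. 2017-06-08 18:46:56.511 Started a shell/command
> 2017-06-08 18:46:56.625 Type: SSH_FXP_INIT, Size: 5, Number: -1
! 2017-06-08 18:46:56.705 sh: /opt/libexec/sftp-server: not found
. 2017-06-08 18:46:56.706 Server sent command exit status 127
"""

# One log line: marker character, timestamp, then the message we inspect.
LINE_RE = re.compile(r"^[.!<>*] \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} (.*)$")
NOT_FOUND_RE = re.compile(r"^sh: (\S+): not found$")
EXIT_RE = re.compile(r"^Server sent command exit status (\d+)$")

# Milestones in the order a session passes them (names are hypothetical).
MILESTONES = [
    ("host_key_verified", "Host key matches cached key"),
    ("authenticated", "Access granted"),
    ("channel_started", "Started a shell/command"),
    ("sftp_init_sent", "Type: SSH_FXP_INIT"),
]

def triage(log_text):
    """Report how far the session got and whether the SFTP binary was missing."""
    reached, missing, status = -1, None, None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue
        msg = m.group(1)
        for i, (_, needle) in enumerate(MILESTONES):
            if msg.startswith(needle):
                reached = max(reached, i)
        if (nf := NOT_FOUND_RE.match(msg)):
            missing = nf.group(1)
        if (ex := EXIT_RE.match(msg)):
            status = int(ex.group(1))
    stage = MILESTONES[reached][0] if reached >= 0 else "none"
    if reached >= 1 and status == 127 and missing:
        # 127 is the shell's "command not found" status; keys and auth were fine.
        verdict = "server-side: SFTP server binary not found"
    else:
        verdict = "not this failure; inspect the log further"
    return {"stage": stage, "missing_binary": missing, "exit_status": status, "verdict": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A session that reaches `sftp_init_sent` has already passed host key verification and public key authentication, so the key algorithm is not the cause.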
