Hello,
Our SSH server was subjected to security enforcement, so some insecure algorithms for ciphers were removed. As a consequence, sftpplug is not working anymore. It shows the following message:
Error: Could not start SSH session:
Unable to exchange encryption keys.
Here is the list of used algorithms from our sshd_config file:
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
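The failure reported above is the outcome of the SSH algorithm negotiation in RFC 4253 section 7.1: for each category (key exchange, cipher, MAC) the chosen algorithm is the first name on the client's preference list that the server also offers, and if any category has no name in common the connection is torn down before keys are exchanged. The following is an added example, not code from the original post or from any plugin; it parses the sshd_config lines quoted above and runs the negotiation rule against two constructed client offers (LEGACY_CLIENT and MODERN_CLIENT are invented for illustration and are not the algorithm lists of any real client).

```python
"""Simulate the SSH algorithm negotiation of RFC 4253 section 7.1.

Each side sends a comma-separated, preference-ordered name-list per
category in its KEXINIT message. For each category the chosen algorithm
is the first name on the client's list that also appears on the server's
list; if no such name exists, negotiation fails and the connection is
closed before any encryption keys are exchanged.
"""

# Server-side lists, copied from the sshd_config quoted in the post above.
SERVER_SSHD_CONFIG = """\
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
"""

# Constructed client offer (hypothetical): a legacy client that only knows
# SHA-1 based key exchange methods. Not the list of any real plugin.
LEGACY_CLIENT = {
    "kex": ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1",
            "diffie-hellman-group-exchange-sha1"],
    "cipher": ["aes128-ctr", "aes256-ctr", "aes128-cbc", "3des-cbc"],
    "mac": ["hmac-sha2-256", "hmac-sha1", "hmac-md5"],
}

# Constructed client offer (hypothetical): a client with current algorithms.
MODERN_CLIENT = {
    "kex": ["curve25519-sha256", "curve25519-sha256@libssh.org",
            "ecdh-sha2-nistp256", "diffie-hellman-group14-sha1"],
    "cipher": ["chacha20-poly1305@openssh.com", "aes128-ctr"],
    "mac": ["umac-64-etm@openssh.com", "hmac-sha2-256"],
}

# sshd_config keyword -> negotiation category used in this simulator.
CONFIG_KEYS = {"KexAlgorithms": "kex", "Ciphers": "cipher", "MACs": "mac"}


def parse_sshd_algorithms(text):
    """Extract the algorithm name-lists from sshd_config text.

    Returns {"kex": [...], "cipher": [...], "mac": [...]}. Only the three
    keywords in CONFIG_KEYS are read and keyword matching is
    case-insensitive, as in sshd_config. Only explicit lists are handled;
    the '+', '-' and '^' modifiers relative to the default list are not.
    """
    lists = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        keyword, value = parts
        for cfg_key, category in CONFIG_KEYS.items():
            if keyword.lower() == cfg_key.lower():
                lists[category] = [n.strip() for n in value.split(",") if n.strip()]
    return lists


def negotiate(client_offer, server_offer):
    """Apply the RFC 4253 rule per category.

    Returns {category: chosen_name_or_None}. None means the two sides share
    no algorithm in that category, which is the condition under which a
    client reports that it could not exchange keys.
    """
    result = {}
    for category, client_list in client_offer.items():
        server_list = server_offer.get(category, [])
        result[category] = next((n for n in client_list if n in server_list), None)
    return result


def explain(client_offer, server_offer):
    """Return human-readable lines describing the negotiation outcome."""
    chosen = negotiate(client_offer, server_offer)
    lines = []
    for category in ("kex", "cipher", "mac"):
        if chosen.get(category) is None:
            lines.append(f"{category}: FAIL - no common algorithm "
                         f"(client offered {', '.join(client_offer[category])})")
        else:
            lines.append(f"{category}: {chosen[category]}")
    return lines


if __name__ == "__main__":
    server = parse_sshd_algorithms(SERVER_SSHD_CONFIG)
    for label, client in (("legacy client", LEGACY_CLIENT), ("modern client", MODERN_CLIENT)):
        print(f"== {label} ==")
        for line in explain(client, server):
            print("  " + line)
```

With the server lists above, the legacy client agrees on a cipher and a MAC but has no key exchange method in common, so it fails at the KEX step even though its cipher list looks acceptable. On a real system the same question is answered without simulation: `ssh -Q kex` on an OpenSSH client prints the key exchange methods that build supports, `ssh -vv` shows both KEXINIT proposals, and the sshd log on the server records a refused connection as "no matching key exchange method found" together with the client's offer, which is the line to look for when a client breaks after an algorithm policy change.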
sftpplug : unable to exchange encryption keys
ghisler (Author):
My SFTP plugin doesn't handle this by itself, it uses the OpenSSH dlls. Apparently OpenSSH doesn't work with just these codecs. The problem seems to be the KexAlgorithms. The Ciphers and MACs both have @openssh.com codecs, the KexAlgorithms doesn't.
According to this post, SHA1 is a required part of the FIPS-186-2 digital signature standard used by SSH.
Author of Total Commander
https://www.ghisler.com
Dear Christian,
Thank you for the answer (and also for your great Total Commander).
According to the list of implemented specifications by OpenSSH and to the Mozilla wiki, recent OpenSSH supports all the KexAlgorithms listed.
I tried to replace the CURL dlls by newer versions of the libraries but still got no result.
As a workaround, it is possible to use the sftp4tc plugin, which works just fine.
ghisler (Author):
Maybe it's necessary to call some OpenSSH functions to activate these codecs? But if OpenSSH implements the standards very strictly, it may not support these codecs at all...
Author of Total Commander
https://www.ghisler.com