[Cyberduck-trac] [Cyberduck] #8488: Connection failed to hardened SSH-server
Cyberduck
trac at trac.cyberduck.io
Wed Jan 14 20:56:06 UTC 2015
#8488: Connection failed to hardened SSH-server
-----------------------+------------------------------
Reporter: zepi | Owner: dkocher
Type: defect | Status: new
Priority: normal | Milestone:
Component: sftp | Version: 4.6.1
Severity: normal | Keywords: ssh, cipher, kex
Architecture: Intel | Platform: Mac OS X 10.10
-----------------------+------------------------------
After the latest Snowden leaks, it seems that default OpenSSH settings are no
longer acceptable for secure communication. See:
https://stribika.github.io/2015/01/04/secure-secure-shell.html
Having the following lines in sshd_config on the server side prevents
Cyberduck from connecting, with the following error message:
Connection Failed
Unable to reach a settlement: [diffie-hellman-group14-sha1, diffie-hellman-group1-sha1] and [curve25519-sha256@libssh.org, diffie-hellman-group-exchange-sha256]. The connection attempt was rejected. The server
may be down, or your network may not be properly configured
I get no entries in the log drawer.
Sshd config on server side:
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
At least by the look of it, diffie-hellman-group-exchange-sha256 and
curve25519-sha256@libssh.org are enabled in these kex settings, so my
guess is that the incompatibility is either due to a lack of appropriate
ciphers or a bug in the kex implementation.
I'm connecting to OpenSSH_6.6.1p1 Debian-4~bpo70+1, OpenSSL 1.0.1e 13
--
Ticket URL: <https://trac.cyberduck.io/ticket/8488>
Cyberduck <http://cyberduck.io>
Libre FTP, SFTP, WebDAV, S3 & OpenStack Swift browser for Mac and Windows
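The two bracketed lists in the error message can be checked against the SSH name-list rule (RFC 4253, section 7.1: the first algorithm on the client's list that the server also lists is chosen). The following is an added example, not part of the ticket or of Cyberduck's code; the function names are hypothetical, and it assumes the first list is the client's offer, which the code confirms by matching the second list against the server's KexAlgorithms line.

```python
import re

# Constructed input: the error text and sshd_config lines quoted in the ticket,
# with the list archive's " at " restored to "@".
ERROR = ("Unable to reach a settlement: "
         "[diffie-hellman-group14-sha1, diffie-hellman-group1-sha1] and "
         "[curve25519-sha256@libssh.org, diffie-hellman-group-exchange-sha256].")

SSHD_CONFIG = """\
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
"""


def split_names(value):
    """Split a comma-separated algorithm name-list, dropping blanks."""
    return [name.strip() for name in value.split(",") if name.strip()]


def parse_settlement_error(text):
    """Return the two bracketed name-lists from the error, in message order."""
    lists = re.findall(r"\[([^\]]*)\]", text)
    if len(lists) != 2:
        raise ValueError("expected exactly two bracketed algorithm lists")
    return split_names(lists[0]), split_names(lists[1])


def parse_sshd_option(config, keyword):
    """Return the name-list for one sshd_config keyword (case-insensitive)."""
    for line in config.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            return split_names(parts[1])
    return []


def negotiate(client, server):
    """First client entry the server also lists, else None (no settlement).

    Simplified: real kex selection also requires a compatible host key type.
    """
    offered = set(server)
    return next((alg for alg in client if alg in offered), None)


if __name__ == "__main__":
    client_kex, server_kex = parse_settlement_error(ERROR)
    print("second list matches KexAlgorithms:",
          server_kex == parse_sshd_option(SSHD_CONFIG, "KexAlgorithms"))
    print("negotiated kex:", negotiate(client_kex, server_kex))
```

The same `negotiate` call applies to the Ciphers list once the client's cipher offer is known; the ticket does not show it.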