[Cyberduck-trac] [Cyberduck] #8488: Connection failed to hardened SSH-server
Cyberduck
trac at trac.cyberduck.io
Thu Jan 15 09:11:41 UTC 2015
#8488: Connection failed to hardened SSH-server
------------------------------+------------------------
Reporter: zepi | Owner: dkocher
Type: defect | Status: new
Priority: normal | Milestone:
Component: sftp | Version: 4.6.1
Severity: normal | Resolution:
Keywords: ssh, cipher, kex | Architecture: Intel
Platform: Mac OS X 10.10 |
------------------------------+------------------------
Old description:
> After the latest Snowden leaks it seems that the default OpenSSH settings
> are no longer acceptable for secure communication. See:
> https://stribika.github.io/2015/01/04/secure-secure-shell.html
>
> Having the following lines in sshd_config on the server side prevents
> Cyberduck from connecting, with the following error message:
> Connection Failed
>
> {{{
> Unable to reach a settlement: [diffie-hellman-group14-sha1,
> diffie-hellman-group1-sha1] and [curve25519-sha256@libssh.org,
> diffie-hellman-group-exchange-sha256]. The connection attempt was rejected.
> The server may be down, or your network may not be properly configured
>
> }}}
>
> I get no entries in the log drawer.
>
> Sshd config on server side:
>
> {{{
> Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
> KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
> }}}
>
> At least by the look of it, diffie-hellman-group-exchange-sha256 and
> curve25519-sha256@libssh.org are enabled in these kex settings, so my
> guess is that the incompatibility is either due to a lack of appropriate
> ciphers or a bug in the kex implementation.
>
> I'm connecting to `OpenSSH_6.6.1p1 Debian-4~bpo70+1, OpenSSL 1.0.1e 13`
New description:
After the latest Snowden leaks it seems that the default OpenSSH settings
are no longer acceptable for secure communication. See:
https://stribika.github.io/2015/01/04/secure-secure-shell.html

Having the following lines in sshd_config on the server side prevents
Cyberduck from connecting, with an error message:
Connection Failed

{{{
Unable to reach a settlement: [diffie-hellman-group14-sha1,
diffie-hellman-group1-sha1] and [curve25519-sha256@libssh.org,
diffie-hellman-group-exchange-sha256]. The connection attempt was rejected.
The server may be down, or your network may not be properly configured
}}}

I get no entries in the log drawer.

Sshd config on server side:

{{{
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
}}}

At least by the look of it, diffie-hellman-group-exchange-sha256 and
curve25519-sha256@libssh.org are enabled in these kex settings, so my
guess is that the incompatibility is either due to a lack of appropriate
ciphers or a bug in the kex implementation.

I'm connecting to `OpenSSH_6.6.1p1 Debian-4~bpo70+1, OpenSSL 1.0.1e 13`
--
Comment (by zepi):
I checked with the latest Version 4.7 (16463) and it fails with the same
error message.
For example my OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011 that is
integrated with OSX works without a hitch.
--
Ticket URL: <https://trac.cyberduck.io/ticket/8488#comment:3>
Cyberduck <http://cyberduck.io>
Libre FTP, SFTP, WebDAV, S3 & OpenStack Swift browser for Mac and Windows
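
Added example, not part of the ticket or of Cyberduck's code: a Python sketch of the name-list rule from RFC 4253 section 7.1 (the first name on the client's list that the server also lists is chosen), run on the error text and sshd_config quoted in the ticket. It assumes the first bracketed list is the client's offer, since the second matches the server's KexAlgorithms line, and it leaves out the extra host-key conditions the RFC places on key exchange.

```python
import re

# Error text and server settings as quoted in the ticket above.
ERROR = ("Unable to reach a settlement: "
         "[diffie-hellman-group14-sha1, diffie-hellman-group1-sha1] and "
         "[curve25519-sha256@libssh.org, diffie-hellman-group-exchange-sha256].")
SSHD_CONFIG = """\
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
"""


def parse_settlement_error(message):
    """Return the two bracketed name-lists from the error, in order."""
    lists = re.findall(r"\[([^\]]*)\]", message)
    if len(lists) != 2:
        raise ValueError("expected two bracketed algorithm lists")
    return tuple([n.strip() for n in part.split(",") if n.strip()]
                 for part in lists)


def sshd_option(config_text, keyword):
    """Return the values of one sshd_config keyword (first match), or None."""
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        # sshd_config keywords are case-insensitive.
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            return [v.strip() for v in parts[1].split(",") if v.strip()]
    return None


def negotiate(client, server):
    """First client preference that the server also lists, else None."""
    for name in client:
        if name in server:
            return name
    return None


if __name__ == "__main__":
    client_kex, reported_server_kex = parse_settlement_error(ERROR)
    server_kex = sshd_option(SSHD_CONFIG, "KexAlgorithms")
    print("client offers :", client_kex)
    print("server allows :", server_kex)
    print("agreed kex    :", negotiate(client_kex, server_kex))
```

For the ticket's lists the result is None: the two key-exchange lists share no name, which is what the error message reports.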