[Cyberduck-trac] [Cyberduck] #8488: No support for key exchange algorithm diffie-hellman-group-exchange-sha256
Cyberduck
trac at trac.cyberduck.io
Thu Jan 15 19:01:38 UTC 2015
#8488: No support for key exchange algorithm diffie-hellman-group-exchange-sha256
------------------------------+-------------------------
Reporter: zepi | Owner: dkocher
Type: enhancement | Status: assigned
Priority: normal | Milestone: 4.7
Component: sftp | Version: 4.6.1
Severity: normal | Resolution:
Keywords: ssh, cipher, kex | Architecture: Intel
Platform: Mac OS X 10.10 |
------------------------------+-------------------------
Comment (by offenbach):
'''my findings'''[[BR]]
Cyberduck does not provide HMAC and key-exchange algorithms yet, that are
required to access SSH servers that have been configured following the
mentioned blog entry.
[[BR]][[BR]]
'''longer description'''[[BR]]
My SSH server is hardened the same way. I checked with 4.7 and had no luck
connecting.
First error was "no matching mac found"
{{{
no matching mac found: client hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
,hmac-sha2-256,hmac-sha2-512 server hmac-sha2-512-etm at openssh.com,hmac-
sha2-256-etm at openssh.com,hmac-
ripemd160-etm at openssh.com,umac-128-etm at openssh.com [preauth]
}}}
I re-enabled "hmac-sha2-512" in sshd settings /etc/ssh/sshd_config:
{{{
MACs hmac-sha2-512-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-
ripemd160-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-512
}}}
Now sshd complains about not being able to agree upon a key exchange
method
{{{
debug2: kex_parse_kexinit: curve25519-sha256 at libssh.org,diffie-hellman-
group-exchange-sha256 [preauth]
debug2: kex_parse_kexinit: ssh-rsa,ssh-ed25519 [preauth]
debug2: kex_parse_kexinit:
chacha20-poly1305 at openssh.com,aes256-gcm at openssh.com,aes128-gcm at openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
[preauth]
debug2: kex_parse_kexinit: hmac-sha2-512-etm at openssh.com,hmac-
sha2-256-etm at openssh.com,hmac-
ripemd160-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-512 [preauth]
debug2: kex_parse_kexinit: none,zlib at openssh.com [preauth]
debug2: kex_parse_kexinit: diffie-hellman-group14-sha1,diffie-hellman-
group1-sha1 [preauth]
debug2: kex_parse_kexinit: ecdsa-sha2-nistp256,ssh-rsa,ssh-dss [preauth]
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
,blowfish-cbc [preauth]
debug2: kex_parse_kexinit: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
,hmac-sha2-256,hmac-sha2-512 [preauth]
debug2: kex_parse_kexinit: zlib at openssh.com,zlib,none [preauth]
debug2: mac_setup: setup hmac-sha2-512 [preauth]
debug2: kex: client->server aes128-ctr hmac-sha2-512 zlib at openssh.com
[preauth]
Unable to negotiate a key exchange method [preauth]
}}}
Cyberduck does not provide the hardened key exchange methods
"curve25519-sha256 at libssh.org" nor "diffie-hellman-group-exchange-sha256".
So if you want to connect to your SSH server, you need to use a less
secure key exchange method. Fortunately Cyberduck's error dialog reveals
possible algorithms. I choose "diffie-hellman-group14-sha1". So tweak your
SSH settings in case you need to access your server with Cyberduck:
{{{
KexAlgorithms curve25519-sha256 at libssh.org,diffie-hellman-group-exchange-
sha256,diffie-hellman-group14-sha1
}}}
--
Ticket URL: <https://trac.cyberduck.io/ticket/8488#comment:7>
Cyberduck <http://cyberduck.io>
Libre FTP, SFTP, WebDAV, S3 & OpenStack Swift browser for Mac and Windows
More information about the Cyberduck-trac
mailing list