SFTP connection failing on Windows Server 2016

0 votes
asked Aug 23 by Hifsa (120 points)

SshHostKeyAlgorithm -
RSA,DSS,Certificate,ED25519,ECDsaNistP256,ECDsaNistP384,ECDsaNistP521

Rebex.Net.Sftp client = new Sftp();
client.Connect(hostname, port);

Unable to connect on Windows Server 2016.

Applies to: Rebex SFTP

2 Answers

0 votes
answered Aug 23 by Lukas Matyska (46,810 points)

Please create a verbose communication log and post it here, or send it to support@rebex.net for analysis.

It can be created like this:

Rebex.Net.Sftp client = new Sftp();
client.LogWriter = new Rebex.FileLogWriter(@"c:\data\sftp.log", Rebex.LogLevel.Verbose);
client.Connect(hostname, port);

commented Aug 23 by Hifsa (120 points)

2018-08-23 14:56:24.327 DEBUG Sftp(1)[1] SSH: Group exchange.
2018-08-23 14:56:24.327 VERBOSE Sftp(1)[1] SSH: Sending packet SSH_MSG_KEX_30 (5 bytes).
 0000 |1E-00-00-04-00                                 | .....
2018-08-23 14:56:24.393 VERBOSE Sftp(1)[9] SSH: Received packet SSH_MSG_KEX_31 (267 bytes).
2018-08-23 14:56:24.395 DEBUG Sftp(1)[1] SSH: Negotiating key.
2018-08-23 14:56:24.403 ERROR Sftp(1)[1] SSH: Negotiation failed. Diffie-Hellman CSP not available or doesn't support this key size, and managed Diffie-Hellman forbidden in FIPS-only mode.
2018-08-23 14:56:24.406 VERBOSE Sftp(1)[1] SSH: Sending packet SSH_MSG_DISCONNECT (27 bytes).
 0000 |01-00-00-00-02-00-00-00 0E-49-6E-74-65-72-6E-61| .........Interna
 0010 |6C-20-65-72-72-6F-72-00 00-00-00               | l error....
2018-08-23 14:56:24.411 ERROR Sftp(1)[1] Info: Rebex.Net.SshException: Negotiation failed. ---> System.Security.Cryptography.CryptographicException: Diffie-Hellman CSP not available or doesn't support this key size, and managed Diffie-Hellman forbidden in FIPS-only mode.
   at Rebex.Security.Cryptography.AsymmetricKeyAlgorithm.KV(DiffieHellmanParameters C)
   at Rebex.Security.Cryptography.AsymmetricKeyAlgorithm.ImportKey(DiffieHellmanParameters key)
   at Rebex.Net.BTG.J(SshSession C, Byte[] V, Byte[] Z, Byte[] N, Byte[] Q, GTG& M, Byte[]& J, SshPublicKey& B)
   at Rebex.Net.SshSession.NNV(Byte[] C)
   --- End of inner exception stack trace ---
   at Rebex.Net.SshSession.NNV(Byte[] C)
   at Rebex.Net.SshSession.Negotiate()
   at Rebex.Net.Sftp.EOG.NNV(TUG C, Boolean V)
   at Rebex.Net.Sftp.HJ(String C, Int32 V, SshParameters Z, TUG N)

+1 vote
answered Aug 24 by Lukas Matyska (46,810 points)

Thank you for the log file. It showed that the problem is: Diffie-Hellman CSP not available or doesn't support this key size, and managed Diffie-Hellman forbidden in FIPS-only mode.

You can either ignore FIPS mode and force the use of non-FIPS implementations by setting:

Rebex.Security.Cryptography.CryptoHelper.UseFipsAlgorithmsOnly = false;

Or you can try a different key exchange algorithm to find one that can run in FIPS mode on your server.
It can be set like this:

client.Settings.SshParameters.KeyExchangeAlgorithms =
    SshKeyExchangeAlgorithm.ECDiffieHellmanNistP256 |
    SshKeyExchangeAlgorithm.ECDiffieHellmanNistP384 |
    SshKeyExchangeAlgorithm.ECDiffieHellmanNistP521 |
    SshKeyExchangeAlgorithm.Curve25519;

From the verbose log, you can analyze the SSH_MSG_KEXINIT packet received from the server to see which key exchange algorithms your server supports.

...
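
The log analysis suggested at the end of the answer above, as an added example that is not part of the original thread and is not Rebex code: it rebuilds packet bytes from hex-dump lines in the layout shown in the posted log, parses the SSH_MSG_KEXINIT name-lists as defined in RFC 4253, and reports which elliptic-curve key exchanges the server offers. The sample packet is constructed, the function names are hypothetical, and the mapping from the Rebex enum values to the SSH wire names in EC_KEX is an assumption.

```python
import re

# Name-list fields of SSH_MSG_KEXINIT in wire order (RFC 4253, section 7.1).
FIELDS = ("kex_algorithms server_host_key_algorithms encryption_c2s encryption_s2c "
          "mac_c2s mac_s2c compression_c2s compression_s2c languages_c2s languages_s2c").split()
# Assumption: SSH wire names for the elliptic-curve exchanges named in the answer.
EC_KEX = {"ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
          "curve25519-sha256", "curve25519-sha256@libssh.org"}
DUMP_LINE = re.compile(r"^\s*[0-9A-Fa-f]{4} \|([0-9A-Fa-f\- ]+)\|")

def dump_to_bytes(lines):
    """Join the hex column of the dump lines; any other log line is skipped."""
    found = (DUMP_LINE.match(line) for line in lines)
    return bytes.fromhex("".join(re.sub(r"[- ]", "", m.group(1)) for m in found if m))

def parse_kexinit(payload):
    """Return {field: [names]} for a payload that starts with type byte 20."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, result = 17, {}  # skip the type byte and the 16-byte cookie
    for field in FIELDS:
        length = int.from_bytes(payload[pos:pos + 4], "big")
        names = payload[pos + 4:pos + 4 + length]
        if pos + 4 > len(payload) or len(names) != length:
            raise ValueError("truncated name-list: " + field)
        result[field] = names.decode("ascii").split(",") if names else []
        pos += 4 + length
    return result

def offered_ec_kex(lines):
    """Server-offered key exchange names that are in EC_KEX, in server order."""
    kex = parse_kexinit(dump_to_bytes(lines))["kex_algorithms"]
    return [name for name in kex if name in EC_KEX]

def build_sample_dump():
    """Constructed KEXINIT payload rendered in the hex-dump layout of the log."""
    lists = ["diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,curve25519-sha256",
             "ssh-rsa"] + ["aes256-ctr"] * 2 + ["hmac-sha2-256"] * 2 + ["none"] * 2 + [""] * 2
    body = bytes([20]) + bytes(16)  # type byte, then an all-zero cookie
    body += b"".join(len(s).to_bytes(4, "big") + s.encode() for s in lists) + bytes(5)
    rows = []
    for off in range(0, len(body), 16):
        cols = [body[off:off + 8], body[off + 8:off + 16]]
        hexcol = " ".join("-".join(f"{b:02X}" for b in c) for c in cols).ljust(47)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in cols[0] + cols[1])
        rows.append(f" {off:04X} |{hexcol}| {text}")
    return rows

if __name__ == "__main__":
    print(offered_ec_kex(build_sample_dump()))
```

Pass it only the dump lines that follow the server's SSH_MSG_KEXINIT entry in the verbose log; timestamped lines mixed in are ignored, and a payload of any other message type is rejected.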