0 votes
by (280 points)
retagged by

Hello,

I am using the Rebex version 2015 R3.1 in our project. As part of new feature we are planning to remove SHA1 encryption from our project and adding SHA2 instead. We could find that Rebex using SHA1, so we want to use Rebex which uses SHA2 encryption for SFTP transfer.

Please let us know which version we need to use for that.

Thanks & Regards,
Abdul Salam K.A

Applies to: SSH Pack

1 Answer

+1 vote
by (148k points)
selected by
 
Best answer

Hello,

Please note that SHA-1 and SHA-2 are not encryption algorithms. They are cryptographic hash functions (or set cryptographic hash functions in case of SHA-2).

To only enable key SSH exchange algorithms, host key algorithms and MAC algorihms based on SHA-2 and disable those based on SHA-1, use at least Rebex SSH Pack 2016 R3 (although using the latest version is recommended) and call these before connecting:

obj.Settings.SshParameters.SetKeyExchangeAlgorithms(
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group16-sha512",
    "diffie-hellman-group15-sha512",
    "diffie-hellman-group14-sha256",
    "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp384",
    "ecdh-sha2-nistp521",
    "curve25519-sha256@libssh.org");

obj.Settings.SshParameters.SetHostKeyAlgorithms(
    "ssh-rsa-sha256@ssh.com",
    "rsa-sha2-256",
    "rsa-sha2-512",
    "x509v3-sign-rsa-sha256@ssh.com",
    "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521",
    "ssh-ed25519");

obj.Settings.SshParameters.SetMacAlgorithms(
    "hmac-sha2-256-etm@openssh.com",
    "hmac-sha2-256",
    "hmac-sha2-512-etm@openssh.com",
    "hmac-sha2-512");

(Where obj is an instance of Sftp, Scp, Ssh or FileServer.)

If you would also like to disable AEAD encryption algorithms such as AES/GCM that are not used with any MAC cipher, only enable the rest:

obj.Settings.SshParameters.SetEncryptionAlgorithms(
    "aes256-ctr",
    "aes192-ctr",
    "aes128-ctr",
    "aes256-cbc",
    "aes192-cbc",
    "aes128-cbc",
    "3des-ctr",
    "3des-cbc",
    "twofish256-ctr",
    "twofish192-ctr",
    "twofish128-ctr",
    "twofish256-cbc",
    "twofish192-cbc",
    "twofish128-cbc");

(However, we do not believe there is any reason to do this - AEAD ciphers are secure enough.)

by (280 points)
Hi Lukas,

I am getting the below exception while connecting to SFTP Server,

Rebex.Net.SftpException: 'Negotiation failed. The client and the server have no common host key algorithm. Server supports 'ssh-dss' which is not enabled at the client.'

Inner Exception
SshException: The client and the server have no common host key algorithm.


Version:
Rebex.Common        - 5.0.7290.0
Rebex.Networking    - 5.0.7290.0
Rebex.Sftp                    - 5.0.7290.0

Code:
 var ftp = new Sftp();

ftp.Settings.SshParameters.SetKeyExchangeAlgorithms(
                    "diffie-hellman-group-exchange-sha256",
                    "diffie-hellman-group16-sha512",
                    "diffie-hellman-group15-sha512",
                    "diffie-hellman-group14-sha256",
                    "ecdh-sha2-nistp256",
                    "ecdh-sha2-nistp384",
                    "ecdh-sha2-nistp521",
                    "curve25519-sha256@libssh.org");

            ftp.Settings.SshParameters.SetHostKeyAlgorithms(
                "ssh-rsa-sha256@ssh.com",
                "rsa-sha2-256",
                "rsa-sha2-512",
                "x509v3-sign-rsa-sha256@ssh.com",
                "ecdsa-sha2-nistp256",
                "ecdsa-sha2-nistp384",
                "ecdsa-sha2-nistp521",
                "ssh-ed25519");

            ftp.Settings.SshParameters.SetMacAlgorithms(
                "hmac-sha2-256-etm@openssh.com",
                "hmac-sha2-256",
                "hmac-sha2-512-etm@openssh.com",
                "hmac-sha2-512");


            ftp.Connect("myserver");
            ftp.Login("username", "password");
            ftp.ChangeDirectory("ftpserver");


Please let us know if I missed something.
by (148k points)
This looks like the server you are connecting to only supports host key ciphers based on SHA-1, such as "ssh-dss". Because you disabled all non-SHA-2 ciphers, you are no longer able to connect to this server.
by (280 points)
Hi Lukas,


If we used below code to  connect the sftp server.

var ftp = new Sftp();

ftp.Settings.SshParameters.SetKeyExchangeAlgorithms(
                    "diffie-hellman-group-exchange-sha256",
                    "diffie-hellman-group14-sha256"
                    );

ftp.Connect(hostName);
ftp.Login(username, privateKey);
ftp.ChangeDirectory("directoryName");

Please confirm the which cryptographic hash function you are using if we connect with the above code?
by (148k points)
If you connect with the code above, only SHA-256 will be used for SSH key exchange.

However, SHA-1 could still be used for server authentication (use SetHostKeyAlgorithm method to configure that) and for message authentication (use SetMacAlgorithms method to configure that).
by (280 points)
Lukkas, thank you very much for your support :)
...