SFTP: SSH key exchange failure when connecting to popular German cloud storage provider

Question

I'm currently trying out Rebex SFTP.

When trying to connect to a popular German cloud storage provider via SFTP (STRATO HiDrive), an SSH key exchange failure exception occurs.

Changing the PreferredHostKeyAlgorithm from RSA (which seems to be the new default since 2019 R1) "back" to DSS helps and the connection attempt succeeds, but I don't want to hard code it into my application and I want to avoid making this configurable.

So what I'm doing now is:

• Try to connect with the default (preferred = RSA)
• Analyze the exception
• If it matches the criteria below, try again with preferred = DSS

Criteria are:

• Exception is SftpException
• SftpException.Code is SftpErrorCode.UnknownError
• InnerException is SshException
• SshException.Status is SshExceptionStatus.OperationFailure
• SshException.ProtocolMessage is "KeyExchangeFailed"

But this leaves me with a bad gut feeling as it seems to rely on internal implementation details which might change with new Rebex releases.

Any suggestions on this would be appreciated!

Answer 1

This is a known Strato issue.

There is something wrong with Strato server’s implementations of rsa-sha2-256 host key cipher. This cipher is supposed to use SHA-256 hash algorithm for its RSA signature (see RFC 8332), but the signature received from Strato's server is actually a signature based on SHA-1. Therefore, Rebex SFTP client rejects this mismatched signature, which is correct behavior.

Interestingly, common SFTP/SSH clients such as WinSCP, FileZilla and PuTTY’s psftp do not support RFC 8332 and the rsa-sha2-256 cipher yet, which means that they are not affected by this server-side issue.
Disabling rsa-sha2-256 (and rsa-sha2-512 which is also not working properly at Strato’s server) in Rebex SFTP makes it connect successfully as well:

   var client = new Sftp();
   client.Settings.SshParameters.SetHostKeyAlgorithms("ssh-rsa", "ssh-dss", "x509v3-sign-rsa", "x509v3-sign-dss", "ecdsa-sha2-nistp256");
   client.LogWriter = new ConsoleLogWriter(LogLevel.Debug);
   client.Connect("ssh.strato.de");

For the sake of completeness, these are lists of supported host key ciphers of WinSCP, FileZilla (as of 2019-09-01) and Rebex SFTP (with default settings), in order of preference:

• WinSCP: ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss
• FileZilla: ssh-rsa,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-dss
• Rebex SFTP: rsa-sha2-256,ssh-rsa-sha256@ssh.com,rsa-sha2-512,ssh-rsa,ssh-dss,x509v3-sign-rsa-sha256@ssh.com,x509v3-sign-rsa,x509v3-sign-dss,ecdsa-sha2-nistp256

The server at ssh.strato.de claims to support the following ciphers:

• ecdsa-sha2-nistp256,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss

This means that the following ciphers are negotiated:

• WinSCP uses ssh-ed25519 by default
• FileZilla uses ssh-rsa by default
• Rebex SFTP uses rsa-sha2-256 by default (and runs into an issue because the server’s implementation is broken)

We strongly recommend reporting this issue to Strato so they can fix it. Our customer who originally reported this issue in September 2019 informed us that they are going to ask their customers to report it as well, but apparently the problem still persists as of February 2020.

Comments

Hey Lukas, thank you for your detailled and helpful answer. Until this is fixed by Strato, I have integrated the suggested workaround, but only for Strato's server name.

In additon, as you suggested, I have written a message to Strato's support team, where I also mentioned this forum article. However I'm not sure if it will get the appropriate attention, as I have only bought their cheapest package for development purporses.

Stefan

---

Thanks! Hopefully, they will eventually fix this when more third-party implementations  introduce rsa-sha2-256 support as well.

---

Today, Strato told me that their quality assurance has confirmed that it is an error on their side. They will fix it in the next version, but they don't have a release date yet.

---

Thanks for the good news!

---

STRATO has just told me that they solved the problem. I have tried it and I can confirm that the connection can be established now without using the workaround.

---

I'm not sure... I tried connecting to ssh.strato.de:22 using SftpWinFormClient sample with default settings and it is still failing:

Welcome to Rebex SFTP!
20:09:18.640 Info Info: Connecting to ssh.strato.de:22 using Sftp.
20:09:18.648 Info Info: Assembly: Rebex.Sftp 2020 R1 for .NET 4.6-4.8
20:09:18.650 Info Info: Platform: Windows 6.2.9200 32-bit; CLR: 4.0.30319.42000
20:09:18.652 Debug Info: Culture: cs; Windows-1252
20:09:18.670 Debug Proxy: Resolving 'ssh.strato.de'.
20:09:18.746 Debug Proxy: Connecting to 81.169.145.126:22 (no proxy).
20:09:18.807 Debug SSH: Server is 'SSH-2.0-OpenSSH-7.5p1'.
20:09:18.816 Info SSH: Negotiation started.
20:09:18.972 Debug SSH: Negotiating key.
20:09:19.025 Debug SSH: Validating signature.
20:09:19.068 Error SSH: Negotiation failed. Server signature is not valid.
20:09:19.075 Error Info: Rebex.Net.SshException: Server signature is not valid.
   at nixw.ucjt(SshSession fbu, Byte[] fbv, Byte[] fbw, Byte[] fbx, Byte[] fby, nixj& fbz, Byte[]& fca, SshPublicKey& fcb)
   at Rebex.Net.SshSession.dges(Byte[] aof)
   at Rebex.Net.SshSession.Negotiate()
   at Rebex.Net.Sftp.qcel.psov(htgm amh, Boolean ami)
   at Rebex.Net.Sftp.fmve(String po, Int32 pp, SshParameters pq, htgm pr)

---

OpenSSH 8 is failing as well due to the same issue with ssh.strato.de:22 when using the 'rsa-sha2-256' host key cipher:

~$ ssh -V
OpenSSH_8.0p1 Ubuntu-6build1, OpenSSL 1.1.1c  28 May 2019

~$ sftp -4 -o HostKeyAlgorithms=rsa-sha2-256 ssh.strato.de
ssh_dispatch_run_fatal: Connection to 81.169.145.126 port 22: incorrect signature
Connection closed

---

I'm connecting to the SFTP server sftp.hidrive.strato.com . I know that SFTP runs over the SSH protocol, but probably they are using a different SSH server / version for SFTP?

---

Thanks, it indeed looks like sftp.hidrive.strato.com works fine with 'rsa-sha2-256' now. I guess the other server was just not updated yet.