SFTP: SSH key exchange failure when connecting to popular German cloud storage provider

0 votes
asked 5 days ago by stefancgn (160 points)

I'm currently trying out Rebex SFTP.

When trying to connect to a popular German cloud storage provider via SFTP (STRATO HiDrive), an SSH key exchange failure exception occurs.

Changing the PreferredHostKeyAlgorithm from RSA (which seems to be the new default since 2019 R1) "back" to DSS helps and the connection attempt succeeds, but I don't want to hard code it into my application and I want to avoid making this configurable.

So what I'm doing now is:

  • Try to connect with the default (preferred = RSA)
  • Analyze the exception
  • If it matches the criteria below, try again with preferred = DSS

Criteria are:

  • Exception is SftpException
  • SftpException.Code is SftpErrorCode.UnknownError
  • InnerException is SshException
  • SshException.Status is SshExceptionStatus.OperationFailure
  • SshException.ProtocolMessage is "KeyExchangeFailed"

But this leaves me with a bad gut feeling as it seems to rely on internal implementation details which might change with new Rebex releases.

Any suggestions on this would be appreciated!

Applies to: Rebex SFTP

1 Answer

+1 vote
answered 5 days ago by Lukas Pokorny (106,330 points)
selected 4 days ago by stefancgn
 
Best answer

This is a known Strato issue.

There is something wrong with the Strato server's implementation of the rsa-sha2-256 host key cipher. This cipher is supposed to use the SHA-256 hash algorithm for its RSA signature (see RFC 8332), but the signature received from Strato's server is actually a signature based on SHA-1. Therefore, Rebex SFTP client rejects this mismatched signature, which is correct behavior.

Interestingly, common SFTP/SSH clients such as WinSCP, FileZilla and PuTTY’s psftp do not support RFC 8332 and the rsa-sha2-256 cipher yet, which means that they are not affected by this server-side issue.
Disabling rsa-sha2-256 (and rsa-sha2-512 which is also not working properly at Strato’s server) in Rebex SFTP makes it connect successfully as well:

   using Rebex;
   using Rebex.Net;

   var client = new Sftp();
   // leave out rsa-sha2-256 and rsa-sha2-512 so that ssh-rsa (SHA-1) is negotiated instead
   client.Settings.SshParameters.SetHostKeyAlgorithms("ssh-rsa", "ssh-dss", "x509v3-sign-rsa", "x509v3-sign-dss", "ecdsa-sha2-nistp256");
   client.LogWriter = new ConsoleLogWriter(LogLevel.Debug);
   client.Connect("ssh.strato.de");

For the sake of completeness, these are lists of supported host key ciphers of WinSCP, FileZilla (as of 2019-09-01) and Rebex SFTP (with default settings), in order of preference:

  • WinSCP: ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss
  • FileZilla: ssh-rsa,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-dss
  • Rebex SFTP: rsa-sha2-256,ssh-rsa-sha256@ssh.com,rsa-sha2-512,ssh-rsa,ssh-dss,x509v3-sign-rsa-sha256@ssh.com,x509v3-sign-rsa,x509v3-sign-dss,ecdsa-sha2-nistp256

The server at ssh.strato.de claims to support the following ciphers:

  • ecdsa-sha2-nistp256,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss

This means that the following ciphers are negotiated:

  • WinSCP uses ssh-ed25519 by default
  • FileZilla uses ssh-rsa by default
  • Rebex SFTP uses rsa-sha2-256 by default (and runs into an issue because the server’s implementation is broken)

We strongly recommend reporting this issue to Strato so they can fix it. Our customer who originally reported this issue in September 2019 informed us that they are going to ask their customers to report it as well, but apparently the problem still persists as of February 2020.
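The check that makes the client reject Strato's signature, as an added example that is not part of the original answer and not Rebex's or Strato's code: a minimal model of the server-side signing step and the client-side verification step from the SSH key exchange, written against Go's standard library. The "server" produces the RFC 4253 signature blob (string algorithm-name, string signature) over the exchange hash H; the "client" requires the name inside the blob to equal the negotiated host key algorithm and verifies with the hash that name mandates (SHA-1 for ssh-rsa, SHA-256 for rsa-sha2-256, SHA-512 for rsa-sha2-512, per RFC 8332). The key pair and exchange hash are generated locally, the scenario names and helper functions are this example's own, and no network connection is made.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/binary"
	"errors"
	"fmt"
)

// hashFor maps an RSA host key algorithm name to the hash it mandates.
func hashFor(algo string) (crypto.Hash, error) {
	switch algo {
	case "ssh-rsa":
		return crypto.SHA1, nil
	case "rsa-sha2-256":
		return crypto.SHA256, nil
	case "rsa-sha2-512":
		return crypto.SHA512, nil
	}
	return 0, fmt.Errorf("unsupported host key algorithm %q", algo)
}

func digest(h crypto.Hash, data []byte) []byte {
	switch h {
	case crypto.SHA1:
		s := sha1.Sum(data)
		return s[:]
	case crypto.SHA256:
		s := sha256.Sum256(data)
		return s[:]
	default:
		s := sha512.Sum512(data)
		return s[:]
	}
}

// sshString encodes an SSH "string": uint32 big-endian length followed by the bytes.
func sshString(b []byte) []byte {
	out := make([]byte, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	copy(out[4:], b)
	return out
}

func readString(buf []byte) (val, rest []byte, err error) {
	if len(buf) < 4 {
		return nil, nil, errors.New("short signature blob")
	}
	n := binary.BigEndian.Uint32(buf)
	if uint64(len(buf)-4) < uint64(n) {
		return nil, nil, errors.New("truncated SSH string")
	}
	return buf[4 : 4+n], buf[4+n:], nil
}

// signExchangeHash is the server side. label is the algorithm name the server
// writes into the blob; used is the hash it actually signs with. A conforming
// server passes a matching pair; the behaviour described above corresponds to
// label "rsa-sha2-256" with used == crypto.SHA1.
func signExchangeHash(key *rsa.PrivateKey, label string, used crypto.Hash, exchangeHash []byte) ([]byte, error) {
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, used, digest(used, exchangeHash))
	if err != nil {
		return nil, err
	}
	return append(sshString([]byte(label)), sshString(sig)...), nil
}

// verifyHostSignature is the client side: the name inside the blob must equal
// the negotiated algorithm, and the signature must verify under the hash that
// algorithm mandates. No fallback to another hash is attempted.
func verifyHostSignature(pub *rsa.PublicKey, negotiated string, blob, exchangeHash []byte) error {
	label, rest, err := readString(blob)
	if err != nil {
		return err
	}
	sig, rest, err := readString(rest)
	if err != nil {
		return err
	}
	if len(rest) != 0 {
		return errors.New("trailing data in signature blob")
	}
	if string(label) != negotiated {
		return fmt.Errorf("blob names %q but %q was negotiated", label, negotiated)
	}
	h, err := hashFor(negotiated)
	if err != nil {
		return err
	}
	if err := rsa.VerifyPKCS1v15(pub, h, digest(h, exchangeHash), sig); err != nil {
		return fmt.Errorf("%s signature does not verify: %w", negotiated, err)
	}
	return nil
}

// scenario describes one key exchange: what was negotiated, what the server
// labelled its signature, and which hash the server really used.
type scenario struct {
	negotiated, label string
	used              crypto.Hash
}

// runScenario returns nil when the client would accept the host key signature.
func runScenario(key *rsa.PrivateKey, s scenario, exchangeHash []byte) error {
	blob, err := signExchangeHash(key, s.label, s.used, exchangeHash)
	if err != nil {
		return err
	}
	return verifyHostSignature(&key.PublicKey, s.negotiated, blob, exchangeHash)
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	h := sha256.Sum256([]byte("constructed stand-in for the exchange hash H")) // constructed input
	cases := []scenario{
		{"rsa-sha2-256", "rsa-sha2-256", crypto.SHA256}, // conforming server
		{"rsa-sha2-256", "rsa-sha2-256", crypto.SHA1},   // signs with SHA-1 under the rsa-sha2-256 label
		{"ssh-rsa", "ssh-rsa", crypto.SHA1},             // client that never offered rsa-sha2-*
	}
	for _, c := range cases {
		fmt.Printf("negotiated %-12s signed with %v: %v\n", c.negotiated, c.used, runScenario(key, c, h[:]))
	}
}
```

The second scenario is the one a client with rsa-sha2-256 at the top of its preference list hits, and the third is why clients that only offer ssh-rsa never notice: under ssh-rsa a SHA-1 signature is exactly what the algorithm specifies. The check is also why the client must not "try SHA-1 as well" when SHA-256 verification fails: that would let any server, or anyone in the path who can pick the negotiated algorithm, downgrade the host key signature to SHA-1 while the client believes it got rsa-sha2-256.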

commented 4 days ago by stefancgn (160 points)
Hey Lukas, thank you for your detailed and helpful answer. Until this is fixed by Strato, I have integrated the suggested workaround, but only for Strato's server name.

In addition, as you suggested, I have written a message to Strato's support team, where I also mentioned this forum article. However I'm not sure if it will get the appropriate attention, as I have only bought their cheapest package for development purposes.

Stefan
commented 1 day ago by Lukas Pokorny (106,330 points)
Thanks! Hopefully, they will eventually fix this when more third-party implementations introduce rsa-sha2-256 support as well.
commented 1 day ago by stefancgn (160 points)
Today, Strato told me that their quality assurance has confirmed that it is an error on their side. They will fix it in the next version, but they don't have a release date yet.
commented 17 hours ago by Lukas Pokorny (106,330 points)
Thanks for the good news!