0 votes
by (120 points)

We have used rebex for some years now and occasionally hit a server which requires specific setup. However, this one, we cannot get our Rebex client to connect to.

This is from the log file:
2020-05-05 16:11:24.286 Opening log file.
2020-05-05 16:11:24.286 INFO FileLogWriter(1)[5] Info: Assembly: Rebex.Common 2020 R1.1 for .NET 4.0-4.8
2020-05-05 16:11:24.302 INFO FileLogWriter(1)[5] Info: Platform: Windows 6.1.7601 64-bit; CLR: 4.0.30319.36543
2020-05-05 16:11:24.302 DEBUG FileLogWriter(1)[5] Info: Culture: da; Windows-1252
2020-05-05 16:11:24.333 INFO Sftp(1)[5] Info: Connecting to 172.26.39.200:22 using Sftp.
2020-05-05 16:11:24.349 INFO Sftp(1)[5] Info: Assembly: Rebex.Sftp 2020 R1.1 for .NET 4.0-4.8
2020-05-05 16:11:24.349 INFO Sftp(1)[5] Info: Platform: Windows 6.1.7601 64-bit; CLR: 4.0.30319.36543
2020-05-05 16:11:24.349 DEBUG Sftp(1)[5] Info: Culture: da; Windows-1252
2020-05-05 16:11:24.380 DEBUG Sftp(1)[5] Proxy: Connecting to 172.26.x.x:22 (no proxy).
2020-05-05 16:11:24.380 DEBUG Sftp(1)[5] Proxy: Connection established.
2020-05-05 16:11:24.427 DEBUG Sftp(1)[5] SSH: Server is 'SSH-2.0-OpenSSH_7.5'.
2020-05-05 16:11:24.442 INFO Sftp(1)[5] SSH: Negotiation started.
2020-05-05 16:11:24.849 DEBUG Sftp(1)[5] SSH: Negotiating key.
2020-05-05 16:11:24.880 ERROR Sftp(1)[7] SSH: Error occured while receiving SSH packet: Rebex.Net.SshException: The connection was closed by the server. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
at System.Net.Sockets.Socket.Receive(Byte[] buffer, Int32 offset, Int32 size, SocketFlags socketFlags)
at Rebex.Net.SshSession.qykt(Int32 auu, Int32 auv)
--- End of inner exception stack trace ---
at Rebex.Net.SshSession.qykt(Int32 auu, Int32 auv)
at Rebex.Net.SshSession.qykx(Byte[]& avc)
at Rebex.Net.SshSession.qylf()
at Rebex.Net.SshSession.gycv.qyme()
2020-05-05 16:11:24.880 ERROR Sftp(1)[5] SSH: Negotiation failed. The connection was closed by the server.
2020-05-05 16:11:24.896 ERROR Sftp(1)[5] Info: Rebex.Net.SshException: The connection was closed by the server. ---> Rebex.Net.SshException: The connection was closed by the server. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
at System.Net.Sockets.Socket.Receive(Byte[] buffer, Int32 offset, Int32 size, SocketFlags socketFlags)

However, FileZilla can connect without any further instructions.

Trace: We claim version: SSH-2.0-FileZilla3.44.2
Trace: Server version: SSH-2.0-OpenSSH
7.5
Trace: Using SSH protocol version 2
Trace: Doing ECDH key exchange with curve Curve25519 and hash SHA-256
Trace: Server also has ecdsa-sha2-nistp256/ssh-rsa host keys, but we don't know any of them
Trace: Host key fingerprint is:
Trace: ssh-ed25519 256 c3:8e:8f:1b:40:e3:dd:a9:9d:7b:27:63:1c:41:85:04 HiZdKQt4nyc8f2cCeVeE+9FQkVU6MEw230j2T181ji0=
Trace: Initialised AES-256 SDCTR client->server encryption
Trace: Initialised HMAC-SHA-256 client->server MAC algorithm
Trace: Initialised AES-256 SDCTR server->client encryption
Trace: Initialised HMAC-SHA-256 server->client MAC algorithm
Trace: Attempting keyboard-interactive authentication
Trace: Server refused keyboard-interactive authentication
Command: Pass: xxx
Trace: Sent password
Trace: Access granted
Trace: Opening session as main channel
Trace: Opened main channel

I have tried several settings to try an force the rebex connection to use the same parameters as the filezilla, but with no luck.

Any suggestions as the log file is not really revealing what the issue is.

Br
Kim

Applies to: Rebex SFTP

1 Answer

0 votes
by (147k points)
edited by

Update: It turned out that this was most likely caused by an issue with the RSA key at the server. Switching Rebex SFTP to use Ed25519 (like FileZilla) solved the problem.

This was not related to Curve25519 key exchange (but in case someone stumbles upon that problem, the old reply below might still be useful.)


Since we added support for Curve25519 key exchange to Rebex SFTP on Windows 10 recently, we have received several error reports such yours, and they always involve a server that claims to be "OpenSSH7.5". This is quite strange, because we test Rebex SFTP against a batch of different OpenSSH versions (including 7.5) and never encountered this ourselves when using Curve25519 key exchange cipher. But apparently, a minority of servers claiming to be "OpenSSH7.5" are incompatible with Curve25519 implementation in Rebex SFTP.

To work around this issue, disable Curve25519 before connecting to this server:

var client = new Sftp();
client.Settings.SshParameters.KeyExchangeAlgorithms &= ~SshKeyExchangeAlgorithm.Curve25519;
client.Connect(...);

We would like to add a built-in workaround for this, but since we don't have access to any server that triggers this error, our options are limited. If you could provide an IP address that we could connect to and reproduce this error (or information about how exactly to set up OpenSSH 7.5 to manifest this issue), it would help us a lot! (The error occurs before authentication, so we would not even need any credentials.)

by (120 points)
Hi Lukas,
Thanks for the reply. I tried the change to the KeyExchangeAlgorithm, and removed all other configurations regarding preferences and trying to hit the magic path to get a connection. Now the log file file reads

2020-05-05 18:59:24.032 INFO FileLogWriter(1)[5] Info: Assembly: Rebex.Common 2020 R1.1 for .NET 4.0-4.8
2020-05-05 18:59:24.032 INFO FileLogWriter(1)[5] Info: Platform: Windows 6.1.7601 64-bit; CLR: 4.0.30319.36543
2020-05-05 18:59:24.032 DEBUG FileLogWriter(1)[5] Info: Culture: da; Windows-1252
2020-05-05 18:59:24.079 INFO Sftp(1)[5] Info: Connecting to 172.26.x.x:22 using Sftp.
2020-05-05 18:59:24.079 INFO Sftp(1)[5] Info: Assembly: Rebex.Sftp 2020 R1.1 for .NET 4.0-4.8
2020-05-05 18:59:24.079 INFO Sftp(1)[5] Info: Platform: Windows 6.1.7601 64-bit; CLR: 4.0.30319.36543
2020-05-05 18:59:24.079 DEBUG Sftp(1)[5] Info: Culture: da; Windows-1252
2020-05-05 18:59:24.110 DEBUG Sftp(1)[5] Proxy: Connecting to 172.26.x.x:22 (no proxy).
2020-05-05 18:59:24.126 DEBUG Sftp(1)[5] Proxy: Connection established.
2020-05-05 18:59:24.157 DEBUG Sftp(1)[5] SSH: Server is 'SSH-2.0-OpenSSH_7.5'.
2020-05-05 18:59:24.188 INFO Sftp(1)[5] SSH: Negotiation started.
2020-05-05 18:59:24.563 DEBUG Sftp(1)[5] SSH: Group exchange.
2020-05-05 18:59:24.578 DEBUG Sftp(1)[5] SSH: Negotiating key.
2020-05-05 18:59:25.031 DEBUG Sftp(1)[5] SSH: Received 4096-bit Diffie-Hellman prime (minimum allowed size is 1024 bits).
2020-05-05 18:59:25.077 ERROR Sftp(1)[7] SSH: Error occured while receiving SSH packet: Rebex.Net.SshException: The connection was closed by the server. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
   at System.Net.Sockets.Socket.Receive(Byte[] buffer, Int32 offset, Int32 size, SocketFlags socketFlags)
   at Rebex.Net.SshSession.qykt(Int32 auu, Int32 auv)
   --- End of inner exception stack trace ---
   at Rebex.Net.SshSession.qykt(Int32 auu, Int32 auv)
   at Rebex.Net.SshSession.qykx(Byte[]& avc)
   at Rebex.Net.SshSession.qylf()
   at Rebex.Net.SshSession.gycv.qyme()
2020-05-05 18:59:25.077 ERROR Sftp(1)[5] SSH: Negotiation failed. The connection was closed by the server.
2020-05-05 18:59:25.077 ERROR Sftp(1)[5] Info: Rebex.Net.SshException: The connection was closed by the server. ---> Rebex.Net.SshException: The connection was closed by the server. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
   at System.Net.Sockets.Socket.Receive(Byte[] buffer, Int32 offset, Int32 size, SocketFlags socketFlags)
   at Rebex.Net.SshSession.qykt(Int32 auu, Int32 auv)

The server can only be connected to from a limited number of IP adresses, but I can ask if it would be possible to open up for your IP in their firewall (I have my doubts).

Other suggestions?
Br
Kim
by (147k points)
Oops, this looks like my guess about this being related to Curve25519 key exchange might be wrong. Could you please try setting the KeyExchangeAlgorithms property to this instead?

client.Settings.SshParameters.KeyExchangeAlgorithms =
    SshKeyExchangeAlgorithm.ECDiffieHellmanNistP256 |
    SshKeyExchangeAlgorithm.ECDiffieHellmanNistP384 |
    SshKeyExchangeAlgorithm.ECDiffieHellmanNistP521;
by (120 points)
Hi Lukas,
No change in outcome setting the KeyExchangeAlgorithms to the above three.

2020-05-05 19:55:56.890 INFO Sftp(1)[5] SSH: Negotiation started.
2020-05-05 19:55:57.265 DEBUG Sftp(1)[5] SSH: Negotiating key.
2020-05-05 19:55:57.592 ERROR Sftp(1)[7] SSH: Error occured while receiving SSH packet: Rebex.Net.SshException: The connection was closed by the server. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
   at System.Net.Sockets.Socket.Receive(Byte[] buffer, Int32 offset, Int32 size, SocketFlags socketFlags)
   at Rebex.Net.SshSession.qykt(Int32 auu, Int32 auv)
   --- End of inner exception stack trace ---
   at Rebex.Net.SshSession.qykt(Int32 auu, Int32 auv)
   at Rebex.Net.SshSession.qykx(Byte[]& avc)
   at Rebex.Net.SshSession.qylf()
   at Rebex.Net.SshSession.gycv.qyme()
2020-05-05 19:55:57.592 ERROR Sftp(1)[5] SSH: Negotiation failed. The connection was closed by the server.
2020-05-05 19:55:57.608 ERROR Sftp(1)[5] Info: Rebex.Net.SshException: The connection was closed by the server. ---> Rebex.Net.SshException: The connection was closed by the server. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
 
Br
Kim
by (120 points)
I tried to connect with putty sftp - psftp and it too connects without further configuration.

We claim version: SSH-2.0-PuTTY_Release_0.73
Remote version: SSH-2.0-OpenSSH_7.5
Using SSH protocol version 2
No GSSAPI security context available
Doing ECDH key exchange with curve Curve25519 and hash SHA-256 (unaccelerated)
Server also has ecdsa-sha2-nistp256/ssh-rsa host keys, but we don't know any of them
Host key fingerprint is:
ssh-ed25519 255 c3:8e:8f:1b:40:e3:dd:a9:9d:7b:27:63:1c:41:85:04
Initialised AES-256 SDCTR (AES-NI accelerated) outbound encryption
Initialised HMAC-SHA-256 (unaccelerated) outbound MAC algorithm
Initialised AES-256 SDCTR (AES-NI accelerated) inbound encryption
Initialised HMAC-SHA-256 (unaccelerated) inbound MAC algorithm
Using username "xxx".
Attempting keyboard-interactive authentication
Server refused keyboard-interactive authentication

With psftp it is possible to make a logfile with outgoing and incoming packets. Could this help in figuring out what is going on?

Br
Kim
by (147k points)
Thanks for giving this a try! A PuTTY log with incoming/outgoing packets would be very helpful, especially if you could also provide a Rebex log (with packets). Comparing the two logs should reveal the differences that's triggering the disconnection. To create a Rebex log, use Sftp's LogWriter property (see https://www.rebex.net/kb/logging/ for details, but use LogLevel.Verbose instead of LogLevel.Debug). Thanks!

The content of packets exchanged before authentication should not contain any sensitive data (except IP addresses and such - feel free to remove these), but if you prefer, mail it to support@rebex.net instead of posting the logs here.
by (120 points)
Hi Lukas,
Sent you the logs per email.
Br
Kim
by (147k points)
Thanks for all the logs!

Based on what we have learned so far, it looks like there is something wrong with this particular server’s RSA key.
A PuTTY log with RSA as preferred host key algorithm would make it possible to determine whether this is really the case

To work around the problem, add and register Ed25519 plugin in your application (see https://www.rebex.net/kb/elliptic-curve-plugins/ for details) and force Ed25519 host key algorithm:
    sftp.Settings.SshParameters.HostKeyAlgorithms = SshHostKeyAlgorithm.ED25519;
...