0 votes
by (120 points)

We are trying to connect to an SFTP server that uses ECDH key exchange with curve nistp256 and hash SHA-256 (SHA-NI accelerated) and it fails at negotiation. Here is the Rebex logs:

2022-07-28 11:02:13.177 Opening log file.
2022-07-28 11:02:13.178 INFO FileLogWriter(1)[38] Info: Assembly: Rebex.Common 2017 R6.2 for .NET 4.0-4.7
2022-07-28 11:02:13.178 INFO FileLogWriter(1)[38] Info: Platform: Windows 6.2.9200 32-bit; CLR: 4.0.30319.42000
2022-07-28 11:02:13.178 DEBUG FileLogWriter(1)[38] Info: Culture: en; Windows-1252
2022-07-28 11:02:40.307 INFO Sftp(7)[38] Info: Connecting to xxx:22 using Sftp.
2022-07-28 11:02:40.307 INFO Sftp(7)[38] Info: Assembly: Rebex.Sftp 2017 R6.2 for .NET 4.0-4.7
2022-07-28 11:02:40.307 INFO Sftp(7)[38] Info: Platform: Windows 6.2.9200 32-bit; CLR: 4.0.30319.42000
2022-07-28 11:02:40.318 DEBUG Sftp(7)[38] Info: Culture: en; Windows-1252
2022-07-28 11:02:40.318 DEBUG ProxySocket(4)[38] Proxy: Resolving 'xxx'.
2022-07-28 11:02:40.442 DEBUG ProxySocket(4)[38] Proxy: Connecting to none proxy at xxx.xxx.xxx.xxx:22.
2022-07-28 11:02:40.705 DEBUG Sftp(7)[38] SSH: Server is 'SSH-2.0-mod_sftp/0.9.9'.
2022-07-28 11:02:40.706 INFO Sftp(7)[38] SSH: Negotiation started.
2022-07-28 11:02:40.707 DEBUG Sftp(7)[38] SSH: Negotiating key.
2022-07-28 11:02:40.836 DEBUG Sftp(7)[17] SSH: SSH connection closed.
2022-07-28 11:02:40.842 ERROR Sftp(7)[38] SSH: Negotiation failed. The connection was closed by the server.
2022-07-28 11:02:40.843 ERROR Sftp(7)[38] Info: Rebex.Net.SshException: The connection was closed by the server.
   at Rebex.Net.SshSession.XIA[I,O](SQI`2 I, Int32 O, RQI J, O D, I B, I N)
   at Rebex.Net.SshSession.XIA[I,O](SQI`2 I, O O)
   at Rebex.Net.SshSession.JIA(KQI I)
   at Rebex.Net.LQI.C(SshSession I, Byte[] O, Byte[] J, Byte[] D, Byte[] B, PQI& N, Byte[]& C, SshPublicKey& M)
   at Rebex.Net.SshSession.NIA(Byte[] I)
   at Rebex.Net.SshSession.Negotiate()
   at Rebex.Net.Sftp.MRI.NIA(ARI I, Boolean O)
   at Rebex.Net.Sftp.UD(String I, Int32 O, SshParameters J, ARI D)

Here is the trace log from Filezilla successfully connecting:

Trace:  CControlSocket::SendNextCommand()
Trace:  CSftpConnectOpData::Send() in state 0
Status: Connecting to xxx...
Trace:  Going to execute C:\Program Files\FileZilla FTP Client\fzsftp.exe
Response:   fzSftp started, protocol_version=11
Trace:  CSftpConnectOpData::ParseResponse() in state 0
Trace:  CControlSocket::SendNextCommand()
Trace:  CSftpConnectOpData::Send() in state 3
Command:    open "xxx" 22
Trace:  Looking up host "xxx" for SSH connection
Trace:  Connecting to xxx.xxx.xxx.xxx port 22
Trace:  We claim version: SSH-2.0-FileZilla_3.60.2
Trace:  Connected to xxx.xxx.xxx.xxx
Trace:  Remote version: SSH-2.0-mod_sftp/0.9.9
Trace:  Using SSH protocol version 2
Trace:  Doing ECDH key exchange with curve nistp256 and hash SHA-256 (SHA-NI accelerated)
Trace:  Server also has ssh-dss host key, but we don't know it
Trace:  Host key fingerprint is:
Trace:  ssh-rsa 2048 SHA256:PZyJ2DNQ3JGaqn5MjD3u79EdaQ+vSLMGjJYNHELbTOY
Trace:  CSftpControlSocket::SetAsyncRequestReply
Command:    Trust new Hostkey: Once
Trace:  Initialised AES-256 SDCTR (AES-NI accelerated) outbound encryption
Trace:  Initialised HMAC-SHA-256 (SHA-NI accelerated) outbound MAC algorithm
Trace:  Initialised AES-256 SDCTR (AES-NI accelerated) inbound encryption
Trace:  Initialised HMAC-SHA-256 (SHA-NI accelerated) inbound MAC algorithm
Status: Using username "xxx". 
Command:    Pass: ********
Trace:  Sent password
Trace:  Access granted
Trace:  Opening main session channel
Trace:  Opened main channel
Trace:  Started a shell/command
Status: Connected to xxx
Trace:  Remote working directory is /
Trace:  CSftpConnectOpData::ParseResponse() in state 3
Trace:  CControlSocket::ResetOperation(0)
Trace:  CSftpConnectOpData::Reset(0) in state 3
Trace:  CFileZillaEnginePrivate::ResetOperation(0)
Trace:  CControlSocket::SendNextCommand()
Trace:  CSftpListOpData::Send() in state 0
Status: Retrieving directory listing...
Trace:  CSftpChangeDirOpData::Send() in state 0
Trace:  CSftpChangeDirOpData::Send() in state 1
Command:    pwd
Response:   Current directory is: "/"
Trace:  CSftpChangeDirOpData::ParseResponse() in state 1
Trace:  CControlSocket::ResetOperation(0)
Trace:  CSftpChangeDirOpData::Reset(0) in state 1
Trace:  CSftpListOpData::SubcommandResult(0) in state 1
Trace:  CControlSocket::SendNextCommand()
Trace:  CSftpListOpData::Send() in state 2
Trace:  CSftpListOpData::Send() in state 3
Command:    ls
Status: Listing directory /
Trace:  CSftpListOpData::ParseResponse() in state 3
Trace:  CControlSocket::ResetOperation(0)
Trace:  CSftpListOpData::Reset(0) in state 3
Status: Directory listing of "/" successful
Trace:  CFileZillaEnginePrivate::ResetOperation(0)

We have manually registered the additional elliptical curve algorithms in our code with:

AsymmetricKeyAlgorithm.Register(EllipticCurveAlgorithm.Create); 
AsymmetricKeyAlgorithm.Register(Curve25519.Create); 
AsymmetricKeyAlgorithm.Register(Ed25519.Create);

Along with registering those encryptions, we set Rebex to allow any type with:

var newConnection = new Sftp
{
    Settings = new SftpSettings
    {
        SshParameters = new SshParameters { AuthenticationMethods = SshAuthenticationMethod.Any, EncryptionAlgorithms = SshEncryptionAlgorithm.Any, HostKeyAlgorithms = SshHostKeyAlgorithm.Any }
    },
    LogWriter = logWriter
};
Applies to: Rebex SFTP
by (147k points)
Rebex SFTP 2017 R6.2 is almost five years old now. Can you please try connecting with the current version of Rebex SFTP to determine whether the issue you are dealing with has already been resolved? Or use our simple https://sshcheck.com online app.
by (120 points)
https://sshcheck.com returned:

The connection was closed by the server.
This happened when we were trying to connect to sftp.exceedlms.com:22.
This result was generated 3 seconds ago.

1 Answer

0 votes
by (147k points)

Please add the following to your Settings.SshParameters:
PreferredHostKeyAlgorithm = SshHostKeyAlgorithm.RSA

Older version of Rebex SFTP (and sshcheck.com) prefer DSS to RSA, but apparently DSS (now deprecated) does not work with your server and triggers connection closure.

Also, please consider upgrading to an up-to-date version of Rebex SFTP. The five-year-old version you are currently using has not been tested with contemporary SFTP servers, and several compatibility issues have been resolved in those five years.

by (120 points)
That did it, thank you!
...