Ask a Question

How to authenticate and connect to CB SFTP server using Rebex using key exchange algorithms?

0 votes
by (480 points)

I am connecting to CB sftp server via Rebex. Rebex dll versions used are as below 2.0.4860.0
5.0.7501.0
7.0.8756.0

Key exchange Algorithms used at CB sftp server are as below
curve25519-sha256
curve25519-sha256@libssh.org

ecdh-sha2-nistp521
ecdh-sha2-nistp384
ecdh-sha2-nistp256
sntrup761x25519-sha512@tinyssh.org

diffie-hellman-group18-sha512

Currently we are connecting to CB server with IP address and port. Also authentication based on username and password. How to do the authentication while authenticate and connect to CB sftp server using above key exchange algorithms.

Code to connect to CB sftp server are as below if connection state is active 

                objSFTP.Connect(sSFTPHost[0], int.Parse(sSFTPHost[1]));
                objSFTP.Login(sSFTPHost[2], sSFTPHost[3]);
Applies to: Tiny SFTP Server, Rebex SFTP
by (480 points)
So all Rebex dlls with version 5.0.7501.0 or above will support most of the below Key exchange Algorithms  and if we specify any of the key exchange algorithm code level connectivity will be fine. please confirm
Key exchange Algorithms
curve25519-sha256
curve25519-sha256@libssh.org

ecdh-sha2-nistp521
ecdh-sha2-nistp384
ecdh-sha2-nistp256
sntrup761x25519-sha512@tinyssh.org

diffie-hellman-group18-sha512
by (144k points)

1 Answer

0 votes
by (144k points)

Rebex SFTP version 2.0.4086 does support any of those ciphers. Versions 5.0.7501.0 and 7.0.8756.0 support most of them. For details, see my answer here:

https://forum.rebex.net/22712/client-support-cipher-suites-algorithms-connecting-server?show=22714#a22714

by (480 points)
How to connect to the sftp server using any of the above key exchange algorithm in c# using Rebex  5.0.7501.0 and 7.0.8756.0
by (144k points)
Use the following code to ensure that one of the "curve25519-sha256", "curve25519-sha256@libssh.org", "ecdh-sha2-nistp521", "ecdh-sha2-nistp384", "ecdh-sha2-nistp256" ciphers will be used:

    var client = new Sftp();
    client.Settings.SshParameters.KeyExchangeAlgorithms =
        SshKeyExchangeAlgorithm.Curve25519 |
        SshKeyExchangeAlgorithm.ECDiffieHellmanNistP256 |
        SshKeyExchangeAlgorithm.ECDiffieHellmanNistP384 |
        SshKeyExchangeAlgorithm.ECDiffieHellmanNistP521;
    client.Connect("test.rebex.net");
    client.Login("demo", "password");
by (480 points)
Whether we will need public key private key authentication as part of this and make any other code change apart from the above
by (144k points)
You will need to verify the server key before calling the Login method (see https://www.rebex.net/sftp.net/features/security.aspx#verify-fingerprint for details).

If you authenticate the client using a key as well, you will have to use a different overload of the Login method (see https://www.rebex.net/sftp.net/features/authentication.aspx#public-key for details).
by (480 points)
if the fingerprint is not provided from cb sftp server do we need to validate as mentioned above during connectivity process
by (144k points)
Ideally, you would get the fingerprint (or the server public key) from the server maintainer along with the rest of server info. It's important to validate the fingerprint, because otherwise your application would be open to man-in-the-middle attacks.

If the fingerprint (or server public key) is now known in advance, many SFTP/SSH clients use the approach where they prompt the user on first connection to a specific server and ask them whether the fingerprint should be accepted. If the user accepts it, the client permanently associates it with the server address and validates it the next time a connection to the same server is established.
Alternatively (or in addition to this approach) you might use our https://sshcheck.com/ service to show fingerprints of server keys if the server is accessible from the internet.
by (480 points)
Do we need to specify the key exchange algorithms at server side before connecting to the server if those details are provided. Will the connectivity fail if the key exchange algorithms are not specified code level.  

client.Settings.SshParameters.KeyExchangeAlgorithms =
        SshKeyExchangeAlgorithm.Curve25519 |
        SshKeyExchangeAlgorithm.ECDiffieHellmanNistP256 |
        SshKeyExchangeAlgorithm.ECDiffieHellmanNistP384 |
        SshKeyExchangeAlgorithm.ECDiffieHellmanNistP521;
by (480 points)
Will the server connectivity fail if the key exchange algorithms are not specified code level as below. Is there any default algorithms in rebex sftp object .  

client.Settings.SshParameters.KeyExchangeAlgorithms =
        SshKeyExchangeAlgorithm.Curve25519 |
        SshKeyExchangeAlgorithm.ECDiffieHellmanNistP256 |
        SshKeyExchangeAlgorithm.ECDiffieHellmanNistP384 |
        SshKeyExchangeAlgorithm.ECDiffieHellmanNistP521;
by (144k points)
Curve25519 (corresponds to "curve25519-sha256" and "curve25519-sha256@libssh.org") and ECDiffieHellmanNistP256 (corresponds to "ecdh-sha2-nistp256") are enabled by default (on up-to-date operating systems). ECDiffieHellmanNistP384 and ECDiffieHellmanNistP521 are not. An SSH negotiation will fail if there there is none of the key exchange algorithm is enabled at both the client and the server.
by (480 points)
So can we connect to the server without specifying the key exchange algorithm using sshparameters since curev25519-sha256 and ecdh-sha2-nistp256 are enabled by default.
Some of my client applications are  running on windows server 2012, windows server 2016, windows 2019 etc. Please update whether below code and simply upgraded Rebex with version 5.0.7501.0  or higher will work  or not. please update  at the earliest.

 objSFTP.Connect(sSFTPHost[0], int.Parse(sSFTPHost[1]));
                objSFTP.Login(sSFTPHost[2], sSFTPHost[3]);

Key exchange Algorithms supported at CB sftp server shared to us are as below
curve25519-sha256
curve25519-sha256@libssh.org

ecdh-sha2-nistp521
ecdh-sha2-nistp384
ecdh-sha2-nistp256
sntrup761x25519-sha512@tinyssh.org

diffie-hellman-group18-sha512
by (144k points)
These algorithms are supported in Rebex v5.0.7501 Windows Server 2016 (and Windows 10 version 1607) or higher:
  curve25519-sha256@libssh.org
  ecdh-sha2-nistp521
  ecdh-sha2-nistp384
  ecdh-sha2-nistp256

On Window Server 2012 (and Windows 8.1 or earlier), these four algorithms are only supported when a plugin is used - see https://www.rebex.net/kb/elliptic-curve-plugins/ for details.
by (480 points)
will the connectivity work without the below code
client.Settings.SshParameters.KeyExchangeAlgorithms =
        SshKeyExchangeAlgorithm.Curve25519 |
        SshKeyExchangeAlgorithm.ECDiffieHellmanNistP256 |
        SshKeyExchangeAlgorithm.ECDiffieHellmanNistP384 |
        SshKeyExchangeAlgorithm.ECDiffieHellmanNistP521;
by (144k points)
That depends on:
- Which key exchange algorithms are actually enabled at the server.
- The client operating system.
- Whether the Curve25519 plugin has been registered.
...