Error Key exchange failed. Server signature is not valid using connect in c#

0 votes
asked Apr 2, 2019 by giovanna (120 points)

I have tried to make a connection in C# (Visual Studio 2012) using this code, which gives an error:

    protected Rebex.Net.IFtp _ftpClient;

    public override void Connect()
        Sftp _sftp = (Sftp)_ftpClient;

        Task connect = _sftp.ConnectAsync(_params.HOST,
        while (!connect.IsCompleted)

        if (connect.IsFaulted)
            throw connect.Exception;

but ConnectAsync gives me this error:
Key exchange failed. Server signature is not valid

I'm using Rebex: Rebex.Sftp.dll, v3.0.4981.0
Thanks a lot

commented Apr 2, 2019 by Lukas Pokorny (109,670 points)
We would need additional information to be able to tell what is going on.
However, the version of Rebex SFTP you use is almost 6 years old - since then, we have made numerous compatibility improvements and fixed some bugs. Does the current version of Rebex SFTP still fail in the same way?
commented Apr 2, 2019 by giovanna (120 points)
I have also tried with version Rebex.Sftp.dll, v3.0.5298.0
but it gives the same error.
I don't know if my code is correct.
Using FileZilla works fine, but I have added 2 keys (giving only the path).
In my code I don't know how I can do it, because creating a new SshPrivateKey asks for a path and a password, but I don't have a password for this file, and I have two keys (one is myFile.ppk and one is myFile.osh).

1 Answer

0 votes
answered Apr 2, 2019 by Lukas Pokorny (109,670 points)
When third-party clients work fine but Rebex SFTP throws an exception related to server signature, this is often caused by the difference in host key algorithm preference. Rebex SFTP still prefers DSA, while most other SFTP clients prefer RSA. Try preferring RSA as well by adjusting the following setting before calling the Connect method:
    client.Settings.SshParameters.PreferredHostKeyAlgorithm = SshHostKeyAlgorithm.RSA;
(where 'client' is an instance of Sftp class).

This said, Rebex SFTP v3.0.5298.0 is still almost 5 years old. If changing the host key algorithm preference doesn't solve the problem, it would be useful to try the latest trial version to see whether it makes any difference.
commented Apr 2, 2019 by giovanna (120 points)
This way the connection starts, but it gives another error when I try to log in; probably my code is not correct.
I have two keys to add with a path, how do I do it?
Now I'm using this code, but it gives an error:
 SshPrivateKey privateKey = new SshPrivateKey(_params.CertificatePath, _params.CertificatePassphrase);
 _sftp.Login(_params.USR, _params.PWD, privateKey);

where _params.CertificatePath is the path of file.ppk and CertificatePassphrase is the path of file.osh (the paths I have added in FileZilla, where it works), but I get this error:

A public key corresponding to the supplied private key was not accepted by the server or the user name is incorrect.
commented Apr 3, 2019 by Lukas Pokorny (109,670 points)
That error indicates that the server rejected the authentication attempt. Unfortunately, the SSH protocol doesn’t make it possible for the client to determine the exact reason, so the actual cause cannot be reported by the client. The only way to determine the cause is to check the server log which should state clearly why it rejected client’s authentication attempt.

However, in most cases, when Rebex SFTP triggers the “A public key corresponding to the supplied private key was not accepted by the server or the user name is incorrect” exception, a wrong username or public key is almost always the cause. Other possible causes include temporary authentication outage at the server (seems unlikely) or some kind of incompatibility (possible but rare).

To address the problem, try following these steps:

1.    Double-check once more that you are in fact connecting to the same server, same port, using the same username, password and key.

2.    If no misconfiguration is discovered, see if it’s possible to check out the server log to see why it is rejecting the authentication attempts.

3.    If this is not possible or doesn’t reveal any clues, try experimenting a bit. First, if authenticating using both a public key and a password (this does not refer to the private key password), try submitting the password before the public key:
                sftp.Settings.TryPasswordFirst = true;

4.    Otherwise (or if the above doesn't help), try announcing the public key to the server before attempting authentication:
                sftp.Settings.EnsureKeyAcceptable = true;

5.    If that doesn't help either, try enabling signature padding to rule out the possibility that the server suffers from a padding bug in RSA signature validation:
                sftp.Settings.EnableSignaturePadding = true; // if this doesn’t help, make sure to remove this!

6.    If nothing above helps, try using a third-party SFTP client (such as WinSCP) that can create a verbose communication log. Then compare that with the Rebex log to see whether there is any difference in the way the two clients try authenticating. We can help with this. (As far as I know, FileZilla cannot produce such a verbose log.)
commented Apr 3, 2019 by giovanna (120 points)
Can you post a code example for adding two keys with a path? (As in FileZilla, where I added them by selecting the files.)
I think the problem is in this part, but I don't know the password of these keys. I have only two files, and in FileZilla I only added them in the key settings and then it works fine.
Can you give me an example with a path?
Thanks a lot
commented Apr 3, 2019 by Lukas Pokorny (109,670 points)
Rebex SFTP doesn't make it possible to pass two SSH private keys for key-based user authentication at the same time. The caller has to choose a single key to use. Of course, once the key is rejected, you can try the other one.
commented Apr 3, 2019 by giovanna (120 points)
And if I add one key, can I add it without a password?
commented Apr 3, 2019 by Lukas Pokorny (109,670 points)
I'm not quite sure what is meant by "add one key" - when authenticating the client using a key, you are not 'adding' anything. You are just passing the key to Sftp object's Login method to be used for client authentication. This said, please note that:
- The Login method accepts an instance of SshPrivateKey that has already been loaded. Whether or not the key file has been encrypted is no longer relevant at this point.
- There are overloads of the Login method that accept: a) userName+password b) userName+privateKey c) userName+password+privateKey. The difference between (b) and (c) is this: In (b), the client attempts to authenticate using only the private key. In (c), the client attempts to authenticate using both the private key and the password. But that password is the user's password at the server (it's not related to the password used to encrypt the private key file).
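
The approach described in the comments above (one key per Login call, trying the next key when one is rejected, with RSA preferred as the host key algorithm), as an added example that is not part of the original thread or Rebex's own code. The helper name and parameters are hypothetical; it assumes that a rejected login surfaces as SftpException and that a null passphrase is accepted for an unencrypted key file.

```csharp
using System;
using Rebex.Net;

static class SftpKeyLogin
{
    // Hypothetical helper: tries each key file in turn, one key per Login call.
    // Returns a connected, authenticated Sftp, or null when every key was rejected.
    public static Sftp ConnectWithFirstAcceptedKey(
        string host, int port, string userName,
        string serverPassword,     // the user's password at the server; null for key-only login
        string keyFilePassphrase,  // decrypts the key file; null assumed OK for an unencrypted file
        params string[] keyPaths)
    {
        foreach (string keyPath in keyPaths)
        {
            // Load the key before any network traffic. The second argument is the
            // passphrase protecting the key file, never a path to another file.
            var key = new SshPrivateKey(keyPath, keyFilePassphrase);

            // Fresh connection per key: a server may drop the session after a failed attempt.
            var sftp = new Sftp();
            try
            {
                sftp.Settings.SshParameters.PreferredHostKeyAlgorithm = SshHostKeyAlgorithm.RSA;
                sftp.Connect(host, port);

                if (serverPassword == null)
                    sftp.Login(userName, key);                  // overload (b): key only
                else
                    sftp.Login(userName, serverPassword, key);  // overload (c): key + server password

                return sftp; // caller is responsible for disposing the session
            }
            catch (SftpException ex)
            {
                // Assumption: authentication rejection is reported as SftpException.
                // Connection-level failures land here too, so read the message.
                Console.Error.WriteLine("Key '{0}' not accepted: {1}", keyPath, ex.Message);
                sftp.Dispose();
            }
        }
        return null;
    }
}
```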