I get the error message "Key exchange failed; could not agree on key exchange parameters"

Dana Anderson -

What does it mean?

This error means that the client and server couldn't agree on an algorithm for key exchange, encryption, or MAC integrity checking. During an initial SSH SFTP connection, each side of the connection sends a list of supported algorithms. There has to be at least one match in each category between the client and server for the connection to proceed. If you receive this message, there was no shared algorithm in at least one of key exchange, encryption, or MAC integrity checking.


How do I find the algorithms?

Turn on DEBUG mode for screen logging (click on the bug icon on the log page of the desktop UI) and try connecting again. The server screen log will display what the client and server support, and you can see where they don't agree.


Example of no common algorithms:


Client Proposed: Kex: (ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1) Host Key: (ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521) C2S : (aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc), (hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96), (none) S2C : (aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc), (hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96), (none)

Server Proposed: Kex: (ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1) Host Key: (ssh-rsa) C2S : (aes256-ctr,aes256-cbc), (hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,,hmac-md5), (none) S2C : (aes256-ctr,aes256-cbc), (hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,,hmac-md5), (none)


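Above is an actual key exchange message. The connection fails here because the server has enabled only AES 256 CTR and AES 256 CBC as available ciphers, while the client's AES support is limited to AES 128 CTR and AES 128 CBC, and its remaining ciphers (3DES and Blowfish) are not enabled on the server either. The other categories each have at least one match, so the cipher is the only category without a shared algorithm.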


How do I correct this?

You can enable the necessary ciphers from the Advanced Security dialog, which is accessible from the Summary page in the latest 8.0 release. A restart of the Cerberus FTP Server Windows Service from the services control panel is required after changing any SSH connection parameters for those changes to take effect.


