What does it mean?
This error means that the client and server couldn't agree on an algorithm for key exchange, encryption, or MAC integrity checking. During an initial SSH SFTP connection, each side of the connection sends a list of supported algorithms. There has to be at least one match in each category between the client and server for the connection to proceed. If you receive this message, there was no shared algorithm in at least one of those categories.
How do I find the algorithms?
In versions 9.0.6.1 and up, the Cerberus log prints out the reason the key exchange failed and the algorithms presented by the server and the client during the connection attempt.
No common C2S mac: [S: hmac-ripemd160@openssh.com,]
[C: hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-etm@openssh.com]
No common S2C mac: [S: hmac-ripemd160@openssh.com,]
[C: hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-etm@openssh.com]
Key exchange failed: Could not agree on key exchange parameters
Log example (v9.0.6.1)
In versions 9.0.6.0 and below, turn on DEBUG mode for screen logging (click on the bug icon on the log page of the desktop UI) and try connecting again. The server screen log will display what the client and server support, and you can see where they don't agree.
Example of no common algorithms (v9.0.6.0)
Client Proposed: Kex: (ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1) Host Key: (ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521) C2S : (aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc), (hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96), (none) S2C : (aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc), (hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96), (none)
Server Proposed: Kex: (ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1) Host Key: (ssh-rsa) C2S : (aes256-ctr,aes256-cbc), (hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-md5), (none) S2C : (aes256-ctr,aes256-cbc), (hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-md5), (none)
Above is an actual key exchange message. The connection is failing here because the server has enabled AES 256 CTR and AES 256 CBC mode for available ciphers, but the client only supports AES 128 CTR and AES 128 CBC.
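The comparison can also be done mechanically. The following Python parser is an added example, not Cerberus code: it reads the v9.0.6.0 "Client Proposed" / "Server Proposed" debug lines and reports, per category, the first client-listed algorithm the server also offers. That is the RFC 4253 selection rule for ciphers, MACs and compression, applied here as a simplification to key exchange and host key as well. The function names are hypothetical, and the sample input is the two log lines shown above.

```python
import re

# Order of the parenthesised name-lists in a "Proposed:" debug line.
CATEGORIES = ["kex", "host key", "C2S cipher", "C2S mac", "C2S compression",
              "S2C cipher", "S2C mac", "S2C compression"]

def parse_proposal(line):
    """Map each category to the ordered algorithm list in one 'Proposed:' line."""
    groups = re.findall(r"\(([^)]*)\)", line)
    if len(groups) != len(CATEGORIES):
        raise ValueError(f"expected {len(CATEGORIES)} name-lists, got {len(groups)}")
    return {cat: [a.strip() for a in g.split(",") if a.strip()]
            for cat, g in zip(CATEGORIES, groups)}

def negotiate(client_line, server_line):
    """Per category: first client-listed algorithm the server also lists, else None."""
    client, server = parse_proposal(client_line), parse_proposal(server_line)
    return {cat: next((a for a in client[cat] if a in server[cat]), None)
            for cat in CATEGORIES}

def mismatches(client_line, server_line):
    """Categories with no shared algorithm, i.e. why the key exchange failed."""
    return [cat for cat, alg in negotiate(client_line, server_line).items() if alg is None]

# The two debug lines from the v9.0.6.0 example above.
CLIENT = ("Client Proposed: Kex: (ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,"
          "diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,"
          "diffie-hellman-group1-sha1) Host Key: (ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,"
          "ecdsa-sha2-nistp384,ecdsa-sha2-nistp521) "
          "C2S : (aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc), "
          "(hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96), (none) "
          "S2C : (aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc), "
          "(hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96), (none)")
SERVER = ("Server Proposed: Kex: (ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,"
          "diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,"
          "diffie-hellman-group14-sha1,diffie-hellman-group1-sha1) Host Key: (ssh-rsa) "
          "C2S : (aes256-ctr,aes256-cbc), (hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-sha2-256-96,"
          "hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-md5), (none) "
          "S2C : (aes256-ctr,aes256-cbc), (hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-sha2-256-96,"
          "hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-md5), (none)")

if __name__ == "__main__":
    for cat, alg in negotiate(CLIENT, SERVER).items():
        print(f"{cat:16} {alg or 'NO COMMON ALGORITHM'}")
```

For the lines above, only the C2S and S2C cipher categories come back empty, matching the AES 128 versus AES 256 mismatch described in the text.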
How do I correct this?
You can enable the necessary SSH ciphers from the Advanced SSH SFTP dialog. The Advanced Security dialog is accessible from the Protocols page of the Server Manager in the latest Cerberus FTP Server release.
NOTE: A Cerberus FTP Server Windows Service restart from the services control panel is required after changing any SSH connection parameters for changes to take effect for versions 9.0.6.0 and below.