Support for key exchange algorithm diffie-hellman-group-exchange-sha256

[cyberduck]

cb22c3e created the issue

After latest Snowden leaks it seems that default OpenSSH settings are no longer acceptable for secure communication. See:
https://stribika.github.io/2015/01/04/secure-secure-shell.html

Having the following lines in sshd_config in server side prevents Cyberduck connecting with a error message:

Connection Failed

Unable to reach a settlement: [diffie-hellman-group14-sha1, diffie-hellman-group1-sha1] and [curve25519-sha256@libssh.org, diffie-hellman-group-exchange-sha256]. The connection attempt was rejected. The server may be down, or your network may not be properly configured

I get no entries to log drawer.

Sshd config on server side:

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256

At least by the look of it, diffie-helman-group-exchange-sha256 and curve25519-sha256@libssh.org are enabled in these kex settings, so my guess is that the incompatibility is either due lack of appropriate ciphers or a bug in kex implementation.

I'm connecting to OpenSSH_6.6.1p1 Debian-4~bpo70+1, OpenSSL 1.0.1e 13

[cyberduck]

@dkocher commented

Can you verify that the connection also fails using the latest snapshot build available.

[cyberduck]

cb22c3e commented

I checked with the latest Version 4.7 (16463) and it fails with the same error message.

For example my OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011 that is integrated with OSX works without a hitch.

[cyberduck]

@dkocher commented

The negotiation fails because we find no matching key exchange algorithm. We currently support diffie-hellman-group14-sha1 and diffie-hellman-group1-sha1.

[cyberduck]

a803c5d commented

my findings

Cyberduck does not provide HMAC and key-exchange algorithms yet, that are required to access SSH servers that have been configured following the mentioned blog entry.

-longer description*

My SSH server is hardened the same way. I checked with 4.7 and had no luck connecting.
First error was "no matching mac found"

no matching mac found: client hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-sha2-256,hmac-sha2-512 server hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com [preauth]

I re-enabled "hmac-sha2-512" in sshd settings /etc/ssh/sshd_config:

MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512

Now sshd complains about not being able to agree upon a key exchange method

debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 [preauth]
debug2: kex_parse_kexinit: ssh-rsa,ssh-ed25519 [preauth]
debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr [preauth]
debug2: kex_parse_kexinit: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512 [preauth]
debug2: kex_parse_kexinit: none,zlib@openssh.com [preauth]
debug2: kex_parse_kexinit: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
debug2: kex_parse_kexinit: ecdsa-sha2-nistp256,ssh-rsa,ssh-dss [preauth]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,blowfish-cbc [preauth]
debug2: kex_parse_kexinit: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-sha2-256,hmac-sha2-512 [preauth]
debug2: kex_parse_kexinit: zlib@openssh.com,zlib,none [preauth]
debug2: mac_setup: setup hmac-sha2-512 [preauth]
debug2: kex: client->server aes128-ctr hmac-sha2-512 zlib@openssh.com [preauth]
Unable to negotiate a key exchange method [preauth]

Cyberduck does not provide the hardened key exchange methods "curve25519-sha256@libssh.org" nor "diffie-hellman-group-exchange-sha256".
So if you want to connect to your SSH server, you need to use a less secure key exchange method. Fortunately Cyberduck's error dialog reveals possible algorithms. I choose "diffie-hellman-group14-sha1". So tweak your SSH settings in case you need to access your server with Cyberduck:

KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1

[cyberduck]

@dkocher commented

See also #8528.

[cyberduck]

2ca569e commented

Any updates on this issue?

[cyberduck]

@dkocher commented

Referencing sshj12083.

[cyberduck]

@dkocher commented

Upstream fix.

[cyberduck]

@dkocher commented

In 18434.