Having the following lines in sshd_config in server side prevents Cyberduck connecting with a error message:
Unable to reach a settlement: [diffie-hellman-group14-sha1, diffie-hellman-group1-sha1] and [email@example.com, diffie-hellman-group-exchange-sha256]. The connection attempt was rejected. The server may be down, or your network may not be properly configured
At least by the look of it, diffie-helman-group-exchange-sha256 and firstname.lastname@example.org are enabled in these kex settings, so my guess is that the incompatibility is either due lack of appropriate ciphers or a bug in kex implementation.
I'm connecting to OpenSSH_6.6.1p1 Debian-4~bpo70+1, OpenSSL 1.0.1e 13
The text was updated successfully, but these errors were encountered:
Cyberduck does not provide HMAC and key-exchange algorithms yet, that are required to access SSH servers that have been configured following the mentioned blog entry.
My SSH server is hardened the same way. I checked with 4.7 and had no luck connecting.
First error was "no matching mac found"
no matching mac found: client hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-sha2-256,hmac-sha2-512 server email@example.com,firstname.lastname@example.org,email@example.com,firstname.lastname@example.org [preauth]
I re-enabled "hmac-sha2-512" in sshd settings /etc/ssh/sshd_config:
Cyberduck does not provide the hardened key exchange methods "email@example.com" nor "diffie-hellman-group-exchange-sha256".
So if you want to connect to your SSH server, you need to use a less secure key exchange method. Fortunately Cyberduck's error dialog reveals possible algorithms. I choose "diffie-hellman-group14-sha1". So tweak your SSH settings in case you need to access your server with Cyberduck: