External Storage does not support SFTP/SSH connections with ciphers EC-Ciphers (Ed25519 / Ed449 / Curve25519 / Curve449, ECDSA / ECDH) [phpseclib] #38353

@Constey

Steps to reproduce

  1. Add an External Storage with SFTP or SSH and modern EC-Ciphers (Ed25519 / Ed449 / Curve25519 / Curve449, ECDSA / ECDH)
  2. Error Message appears, Mounting not possible

Expected behaviour

The SFTP/SSH Server should be mounted as external storage and file browsing is available.

Actual behaviour

An Error Message appears, mounting is not possible.
Connections to SFTP Servers using older ciphers (RSA for example) work nicely. But all modern ciphers based on elliptic curves are not supported.

Issue comes from:

Searching in the logs, I've found that the related library is phpseclib.
Looking into: "/var/www/nextcloud/3rdparty/phpseclib/phpseclib/phpseclib/Net/SSH2.php" brings up the supported ciphers:
use phpseclib\Crypt\Base;
use phpseclib\Crypt\Blowfish;
use phpseclib\Crypt\Hash;
use phpseclib\Crypt\Random;
use phpseclib\Crypt\RC4;
use phpseclib\Crypt\Rijndael;
use phpseclib\Crypt\RSA;
use phpseclib\Crypt\TripleDES;
use phpseclib\Crypt\Twofish;
use phpseclib\Math\BigInteger; // Used to do Diffie-Hellman key exchange and DSA/RSA signature verification.
use phpseclib\System\SSH\Agent;

There is a new version of phpseclib in version 3.0 that supports those new ciphers as of: https://github.com/phpseclib/phpseclib / https://github.com/phpseclib/phpseclib/releases
Is there any schedule when this gets updated?

Server configuration

Operating system: Ubuntu 20.04.1 LTS _ Linux svnextcloud01 5.4.0-64-generic #72-Ubuntu SMP Fri Jan 15 10:27:54 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

Web server: nginx version: nginx/1.19.6

Database: mariadb

PHP version: PHP 7.4.14 (cli) (built: Jan 13 2021 08:04:47) ( NTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
with Zend OPcache v7.4.14, Copyright (c), by Zend Technologies

OpenSSL Version: OpenSSL 1.1.1i 8 Dec 2020

ownCloud version: 20.0.5

Updated from an older ownCloud or fresh install: fresh install

Where did you install ownCloud from: nextcloud.com

Signing status (ownCloud 9.0 and above): all green

No errors have been found.

The content of config/config.php:

should be not related

List of activated apps: External storage support 1.11.1

Enabled:
  - accessibility: 1.6.0
  - activity: 2.13.4
  - admin_audit: 1.10.0
  - cloud_federation_api: 1.3.0
  - comments: 1.10.0
  - contactsinteraction: 1.1.0
  - dav: 1.16.2
  - federatedfilesharing: 1.10.2
  - federation: 1.10.1
  - files: 1.15.0
  - files_external: 1.11.1
  - files_pdfviewer: 2.0.1
  - files_rightclick: 0.17.0
  - files_sharing: 1.12.2
  - files_trashbin: 1.10.1
  - files_versions: 1.13.0
  - files_videoplayer: 1.9.0
  - logreader: 2.5.0
  - lookup_server_connector: 1.8.0
  - nextcloud_announcements: 1.9.0
  - notifications: 2.8.0
  - oauth2: 1.8.0
  - password_policy: 1.10.1
  - photos: 1.2.3
  - privacy: 1.4.0
  - provisioning_api: 1.10.0
  - recommendations: 0.8.0
  - serverinfo: 1.10.0
  - settings: 1.2.0
  - sharebymail: 1.10.0
  - support: 1.3.0
  - systemtags: 1.10.0
  - text: 3.1.0
  - theming: 1.11.0
  - twofactor_backupcodes: 1.9.0
  - updatenotification: 1.10.0
  - user_ldap: 1.10.2
  - user_status: 1.0.1
  - viewer: 1.4.0
  - weather_status: 1.0.0
  - workflowengine: 2.2.0
Disabled:
  - dashboard
  - encryption
  - firstrunwizard
  - survey_client

Are you using external storage, if yes which one: SFTP, SSH

Are you using encryption: yes

Are you using an external user-backend, if yes which one: not relevant

Client configuration

Browser: Google Chrome latest

Operating system: Windows

Logs

Web server error log

not relevant

ownCloud log (data/owncloud.log)

{"reqId":"os28vzT8HBzPonUaVWbU","level":3,"time":"2021-01-27T09:30:10+01:00","remoteAddr":"172.23.225.13","user":"admin","app":"PHP","method":"PUT","url":"/apps/files_external/globalstorages/3","message":{"Exception":"Error","Message":"No compatible key exchange algorithms found at /var/www/nextcloud/3rdparty/phpseclib/phpseclib/phpseclib/Net/SSH2.php#1537","Code":0,"Trace":[{"function":"onError","class":"OC\\Log\\ErrorHandler","type":"::"},{"file":"/var/www/nextcloud/3rdparty/phpseclib/phpseclib/phpseclib/Net/SSH2.php","line":1537,"function":"user_error"},{"file":"/var/www/nextcloud/3rdparty/phpseclib/phpseclib/phpseclib/Net/SSH2.php","line":1288,"function":"_key_exchange","class":"phpseclib\\Net\\SSH2","type":"->"},{"file":"/var/www/nextcloud/3rdparty/phpseclib/phpseclib/phpseclib/Net/SSH2.php","line":4797,"function":"_connect","class":"phpseclib\\Net\\SSH2","type":"->"},{"file":"/var/www/nextcloud/apps/files_external/lib/Lib/Storage/SFTP.php","line":132,"function":"getServerPublicHostKey","class":"phpseclib\\Net\\SSH2","type":"->"},{"file":"/var/www/nextcloud/apps/files_external/lib/Lib/Storage/SFTP.php","line":166,"function":"getConnection","class":"OCA\\Files_External\\Lib\\Storage\\SFTP","type":"->"},{"file":"/var/www/nextcloud/apps/files_external/lib/MountConfig.php","line":264,"function":"test","class":"OCA\\Files_External\\Lib\\Storage\\SFTP","type":"->"},{"file":"/var/www/nextcloud/apps/files_external/lib/Controller/StoragesController.php","line":258,"function":"getBackendStatus","class":"OCA\\Files_External\\MountConfig","type":"::","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/apps/files_external/lib/Controller/GlobalStoragesController.php","line":180,"function":"updateStorageStatus","class":"OCA\\Files_External\\Controller\\StoragesController","type":"->","args":["*** sensitive parameters replaced 
***"]},{"file":"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":169,"function":"update","class":"OCA\\Files_External\\Controller\\GlobalStoragesController","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":100,"function":"executeController","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/App.php","line":152,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/Route/Router.php","line":309,"function":"main","class":"OC\\AppFramework\\App","type":"::"},{"file":"/var/www/nextcloud/lib/base.php","line":1008,"function":"match","class":"OC\\Route\\Router","type":"->"},{"file":"/var/www/nextcloud/index.php","line":37,"function":"handleRequest","class":"OC","type":"::"}],"File":"/var/www/nextcloud/lib/private/Log/ErrorHandler.php","Line":91,"CustomMessage":"--"},"userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36","version":"20.0.5.2"}
{"reqId":"os28vzT8HBzPonUaVWbU","level":3,"time":"2021-01-27T09:30:10+01:00","remoteAddr":"172.23.225.13","user":"admin","app":"PHP","method":"PUT","url":"/apps/files_external/globalstorages/3","message":{"Exception":"Error","Message":"No compatible key exchange algorithms found at /var/www/nextcloud/3rdparty/phpseclib/phpseclib/phpseclib/Net/SSH2.php#1537","Code":0,"Trace":[{"function":"onError","class":"OC\\Log\\ErrorHandler","type":"::"},{"file":"/var/www/nextcloud/3rdparty/phpseclib/phpseclib/phpseclib/Net/SSH2.php","line":1537,"function":"user_error"},{"file":"/var/www/nextcloud/3rdparty/phpseclib/phpseclib/phpseclib/Net/SSH2.php","line":1288,"function":"_key_exchange","class":"phpseclib\\Net\\SSH2","type":"->"},{"file":"/var/www/nextcloud/3rdparty/phpseclib/phpseclib/phpseclib/Net/SSH2.php","line":2141,"function":"_connect","class":"phpseclib\\Net\\SSH2","type":"->"},{"function":"_login","class":"phpseclib\\Net\\SSH2","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/3rdparty/phpseclib/phpseclib/phpseclib/Net/SFTP.php","line":414,"function":"call_user_func_array"},{"file":"/var/www/nextcloud/apps/files_external/lib/Lib/Storage/SFTP.php","line":144,"function":"login","class":"phpseclib\\Net\\SFTP","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/apps/files_external/lib/Lib/Storage/SFTP.php","line":166,"function":"getConnection","class":"OCA\\Files_External\\Lib\\Storage\\SFTP","type":"->"},{"file":"/var/www/nextcloud/apps/files_external/lib/MountConfig.php","line":264,"function":"test","class":"OCA\\Files_External\\Lib\\Storage\\SFTP","type":"->"},{"file":"/var/www/nextcloud/apps/files_external/lib/Controller/StoragesController.php","line":258,"function":"getBackendStatus","class":"OCA\\Files_External\\MountConfig","type":"::","args":["*** sensitive parameters replaced 
***"]},{"file":"/var/www/nextcloud/apps/files_external/lib/Controller/GlobalStoragesController.php","line":180,"function":"updateStorageStatus","class":"OCA\\Files_External\\Controller\\StoragesController","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":169,"function":"update","class":"OCA\\Files_External\\Controller\\GlobalStoragesController","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":100,"function":"executeController","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/App.php","line":152,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/Route/Router.php","line":309,"function":"main","class":"OC\\AppFramework\\App","type":"::"},{"file":"/var/www/nextcloud/lib/base.php","line":1008,"function":"match","class":"OC\\Route\\Router","type":"->"},{"file":"/var/www/nextcloud/index.php","line":37,"function":"handleRequest","class":"OC","type":"::"}],"File":"/var/www/nextcloud/lib/private/Log/ErrorHandler.php","Line":91,"CustomMessage":"--"},"userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36","version":"20.0.5.2"}
{"reqId":"OiK5Aw3tiCXoem6WULCN","level":0,"time":"2021-01-27T09:30:17+01:00","remoteAddr":"172.23.225.13","user":"admin","app":"contacts","method":"GET","url":"/ocs/v2.php/apps/notifications/api/v2/notifications","message":"/appinfo/app.php is deprecated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36","version":"20.0.5.2"}
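
Added example (not part of the original issue, and not phpseclib or Nextcloud code): a simplified model of the SSH algorithm negotiation from RFC 4253 section 7.1, showing how a client without elliptic-curve support ends up with the "No compatible key exchange algorithms found" error from the log above. The client and server algorithm lists are constructed for illustration, and the model ignores the RFC's extra rules about guessed packets and host-key capability.

```python
# Added example: SSH algorithm negotiation in the style of RFC 4253 section 7.1.
# Every algorithm list here is constructed; none is copied from phpseclib.

class NegotiationError(Exception):
    """Client and server share no algorithm for a category."""


def pick(category, client_list, server_list):
    """Return the first name on the client's list that the server also offers."""
    offered = set(server_list)
    for name in client_list:
        if name in offered:
            return name
    raise NegotiationError(f"No compatible {category} algorithms found")


def negotiate(client, server):
    """Negotiate each category; both dicts map category -> ordered name-list."""
    return {cat: pick(cat, client[cat], server[cat]) for cat in client}


def try_connect(client, server):
    """Return the negotiated algorithms, or the error text on failure."""
    try:
        return negotiate(client, server)
    except NegotiationError as exc:
        return str(exc)


# Constructed: a client limited to finite-field DH and RSA/DSA host keys.
LEGACY_CLIENT = {
    "key exchange": ["diffie-hellman-group-exchange-sha256",
                     "diffie-hellman-group14-sha1"],
    "host key": ["ssh-rsa", "ssh-dss"],
}
# Constructed: a server hardened to elliptic-curve algorithms only.
EC_ONLY_SERVER = {
    "key exchange": ["curve25519-sha256", "ecdh-sha2-nistp256"],
    "host key": ["ssh-ed25519", "ecdsa-sha2-nistp256"],
}
# Constructed: a server that still offers one finite-field DH group and RSA.
MIXED_SERVER = {
    "key exchange": ["curve25519-sha256", "diffie-hellman-group14-sha1"],
    "host key": ["ssh-ed25519", "ssh-rsa"],
}

if __name__ == "__main__":
    print(try_connect(LEGACY_CLIENT, EC_ONLY_SERVER))
    print(try_connect(LEGACY_CLIENT, MIXED_SERVER))
```

Because the key exchange category is negotiated first, an EC-only server fails at that step before host key algorithms are even compared, which is why the log reports a key exchange error rather than a host key error.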
