Cannot connect to Debian 8 servers with CuteFTP

3

I just installed a new server running Debian 8 (jessie). For many years I have used CuteFTP to upload/synchronize files between my home computer and the server over an SFTP connection. Unfortunately, CuteFTP cannot connect to Debian 8 servers:

Disconnect: key exchange failed.
ERROR:>     [22/06/2016 15:10:03] Check security settings; make sure that the username and password are correct, and that the chosen encryption algorithms are supported by server.

I installed WinSCP and it has no problem connecting to the server. Only CuteFTP cannot connect. But I want to use CuteFTP because it has scheduled synchronization, multiple simultaneous upload/download options, etc.

Any idea why CuteFTP cannot connect to Debian 8 servers?

* CuteFTP 9.0 - build Jun 25 2013 *

STATUS:>    [22/06/2016 15:10:02] Getting listing ""...
STATUS:>    [22/06/2016 15:10:02] Connecting to SFTP server... XXX.XXX.XXX.XXX:1641 (ip = XXX.XXX.XXX.XXX)...
ERROR:>     [22/06/2016 15:10:03] Disconnect: key exchange failed.
ERROR:>     [22/06/2016 15:10:03] Check security settings; make sure that the username and password are correct, and that the chosen encryption algorithms are supported by server.
STATUS:>    [22/06/2016 15:10:03] Can't connect to XXX.XXX.XXX.XXX:1641.
STATUS:>    [22/06/2016 15:10:03] SFTP connection closed.

LOG:

18:28:24.085 Sending version: 5353482D322E302D312E3832207373686C69623A20436C69656E74536674700D0A

18:28:24.135 Sending SSH_MSG_KEXINIT (450 bytes, seq nr 0)

18:28:24.137 GsSshClientManager::OnKexStart: Starting first key exchange

18:28:24.538 PacketDecoder

18:28:24.547 GsSshClientManager::OnInStateChange: Server version string: SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u2
Protocol version: 2.0

18:28:24.549 Received SSH_MSG_KEXINIT (610 bytes, seq nr 0)

18:28:24.551 Will act on first key exchange method packet

18:28:24.552 GsSshClientManager::OnInStateChange: Server's KEXINIT packet:
cookie:         F58C399FF69574E104443DF5AC29F83E
kex algs:       diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
host key algs:  ssh-rsa,ssh-ed25519
c2s encr algs:  [email protected],[email protected],aes256-ctr,aes128-ctr
s2c encr algs:  [email protected],[email protected],aes256-ctr,aes128-ctr
c2s mac algs:   [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
s2c mac algs:   [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
c2s cmpr algs:  none,[email protected]
s2c cmpr algs:  none,[email protected]
c2s languages:  
s2c languages:  
1. kex follows: false


18:28:24.554 Sending SSH_MSG_DISCONNECT (72 bytes, seq nr 1)
Data: 0100000003000000396661696C656420746F206E65676F746961746520636C69656E7420746F2073657276657220656E6372797074696F6E20616C676F726974686D00000002656E

18:28:24.556 DoLoopThread exit: Disconnect packet sent:
Disconnect reason: SSH_DISCONNECT_KEY_EXCHANGE_FAILED
Disconnect description: failed to negotiate client to server encryption algorithm
Disconnect language: en


18:28:25.220 GsSftpImplementation::~GsSftpImplementation
    
by aigffmss 22.06.2016 / 16:22
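
The log above ends with "failed to negotiate client to server encryption algorithm". The sketch below is an added example, not part of the original post and not CuteFTP or OpenSSH code, showing how per-category selection in the style of RFC 4253 section 7.1 produces that result. The server lists are the legible names from the KEXINIT dump above (names obscured on the page are omitted); `CLIENT_OFFER` is a constructed list for a hypothetical older client, not CuteFTP's actual offer.

```python
# Added example. SERVER_DUMP: legible names from the KEXINIT dump in the question.
SERVER_DUMP = """\
kex algs:       diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
host key algs:  ssh-rsa,ssh-ed25519
c2s encr algs:  aes256-ctr,aes128-ctr
s2c encr algs:  aes256-ctr,aes128-ctr
c2s mac algs:   hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
s2c mac algs:   hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
c2s cmpr algs:  none
s2c cmpr algs:  none
"""

# Constructed (assumption): an older client offering only CBC ciphers and
# SHA-1/MD5 MACs. Order is the client's preference order.
CLIENT_OFFER = {
    "kex algs": ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "host key algs": ["ssh-rsa", "ssh-dss"],
    "c2s encr algs": ["aes256-cbc", "aes128-cbc", "3des-cbc"],
    "s2c encr algs": ["aes256-cbc", "aes128-cbc", "3des-cbc"],
    "c2s mac algs": ["hmac-sha1", "hmac-md5"],
    "s2c mac algs": ["hmac-sha1", "hmac-md5"],
    "c2s cmpr algs": ["none"],
    "s2c cmpr algs": ["none"],
}

def parse_dump(text):
    """Turn 'label: a,b,c' lines into {label: [names]}, preserving order."""
    lists = {}
    for line in text.splitlines():
        label, sep, names = line.partition(":")
        if sep:
            lists[label.strip()] = [n for n in names.strip().split(",") if n]
    return lists

def negotiate(client, server):
    """Per category, choose the first client name that the server also lists.
    The extra KEX/host-key compatibility rules of RFC 4253 are not modelled."""
    return {cat: next((n for n in names if n in server.get(cat, [])), None)
            for cat, names in client.items()}

def failed_categories(client, server):
    """Categories with no common algorithm, in KEXINIT field order."""
    return [cat for cat, alg in negotiate(client, server).items() if alg is None]

if __name__ == "__main__":
    server = parse_dump(SERVER_DUMP)
    for cat, alg in negotiate(CLIENT_OFFER, server).items():
        print(f"{cat:14} -> {alg or 'NO COMMON ALGORITHM'}")
```

With this constructed offer, key exchange and host key selection succeed and the first category without a common algorithm is the client-to-server cipher list, which matches the disconnect description in the log.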

2 answers

3

Looking at your log file, apparently 3 key exchange algorithms are available:

diffie-hellman-group-exchange-sha256, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1

With diffie-hellman-group-exchange-sha256 being the preferred one, as advertised by the server.

The host probably has 2 keys: an RSA key and an ED25519 key. The ED25519 key cannot be used with any of the 3 advertised KEX algorithms, so I am assuming that your CuteFTP client is attempting KEX with the RSA key, and must do so via the SHA256-based KEX.

As far as I know, CuteFTP lets you configure the Encryption and HMAC algorithms, but it has no specific setting for the precedence of the KEX algorithms. That said, I recommend that you upgrade to the latest version of CuteFTP and see whether that solves the problem, or stop using CuteFTP.

Of course, you could also change the order of preference of the KEX algorithms on the server, but since the two SHA1-based ones are now considered insecure (and not PCI compliant), I do not recommend doing so. It is better to improve the client side than to weaken the server's security settings.

    
by 22.06.2016 / 19:52
1

This is the response from Globalscape

=================== Hello,

Based on the information provided, I believe the failure comes from CuteFTP not being able to use SHA2.

It is unknown at this time whether CuteFTP 9 will be revised to support newer ciphers and MACs.

So, don't buy CuteFTP. They don't even know whether they will fix the problem.

    
by 30.06.2016 / 09:07