刚刚安装了Debian8(jessie)系统的新服务器。 多年来使用CuteFTP上传/同步家庭计算机和服务器上的文件使用SFTP连接。 不幸的是,CuteFTP无法连接到Deabian8服务器:
Disconnect: key exchange failed. ERROR:> [22/06/2016 15:10:03] Check security settings; make sure that the username and password are correct, and that the chosen encryption algorithms are supported by server. 我安装了WinSCP,连接到服务器没有问题。 只是CuteFTP acn不连接。 但我想使用CuteFTP,因为它有预定的同步,多个同时上传/下载的可能性等。
任何想法为什么CuteFTP无法连接到Debian8服务器?
* CuteFTP 9.0 – build立2013年6月25日*
STATUS:> [22/06/2016 15:10:02] Getting listing ""... STATUS:> [22/06/2016 15:10:02] Connecting to SFTP server... XXX.XXX.XXX.XXX:1641 (ip = XXX.XXX.XXX.XXX)... ERROR:> [22/06/2016 15:10:03] Disconnect: key exchange failed. ERROR:> [22/06/2016 15:10:03] Check security settings; make sure that the username and password are correct, and that the chosen encryption algorithms are supported by server. STATUS:> [22/06/2016 15:10:03] Can't connect to XXX.XXX.XXX.XXX:1641. STATUS:> [22/06/2016 15:10:03] SFTP connection closed.
日志:
18:28:24.085 Sending version: 5353482D322E302D312E3832207373686C69623A20436C69656E74536674700D0A 18:28:24.135 Sending SSH_MSG_KEXINIT (450 bytes, seq nr 0) Data: 18:28:24.137 GsSshClientManager::OnKexStart: Starting first key exchange 18:28:24.538 PacketDecoder RECEIVED: 18:28:24.547 GsSshClientManager::OnInStateChange: Server version string: SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u2 Protocol version: 2.0 18:28:24.549 Received SSH_MSG_KEXINIT (610 bytes, seq nr 0) Data: 18:28:24.551 Will act on first key exchange method packet 18:28:24.552 GsSshClientManager::OnInStateChange: Server's KEXINIT packet: cookie: F58C399FF69574E104443DF5AC29F83E kex algs: diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1 host key algs: ssh-rsa,ssh-ed25519 c2s encr algs: [email protected],[email protected],aes256-ctr,aes128-ctr s2c encr algs: [email protected],[email protected],aes256-ctr,aes128-ctr c2s mac algs: [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-ripemd160 s2c mac algs: [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-ripemd160 c2s cmpr algs: none,[email protected] s2c cmpr algs: none,[email protected] c2s languages: s2c languages: 1. kex follows: false 18:28:24.554 Sending SSH_MSG_DISCONNECT (72 bytes, seq nr 1) Data: 0100000003000000396661696C656420746F206E65676F746961746520636C69656E7420746F2073657276657220656E6372797074696F6E20616C676F726974686D00000002656E 18:28:24.556 DoLoopThread exit: Disconnect packet sent: Disconnect reason: SSH_DISCONNECT_KEY_EXCHANGE_FAILED Disconnect description: failed to negotiate client to server encryption algorithm Disconnect language: en 18:28:25.220 GsSftpImplementation::~GsSftpImplementation
看看你的日志文件,显然有3个关键的交换algorithm可用:
diffie-hellman-group-exchange-sha256, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1
以diffie-hellman-group-exchange-sha256为优先级,如服务器所宣传的那样。
主机可能有两个密钥:一个RSA密钥和一个ED25519密钥。 ED25519密钥不能与3个KEXalgorithm中的任何一个一起使用,所以我假设你的CuteFTP客户端正试图在RSA密钥上KEX,并且应该通过基于SHA256的KEX来实现。
据我所知,CuteFTP允许你configurationencryption和HMACalgorithm,但没有一个特定的configuration来设置KEXalgorithm的优先级。 这说我build议你更新到最新版本的CuteFTP,看看它是否解决了这个问题,或停止使用CuteFTP。
当然,你也可以改变服务器上KEXalgorithm的优先顺序,但是由于两个基于SHA1的algorithm现在被认为是不安全的(而不是PCI兼容),我不build议这样做。 改善客户端,而不是削弱服务器的安全设置。
这是Globalscape的鼻子
===================你好,
根据所提供的信息,我认为失败来自CuteFTP,它不能使用SHA2 http://help.globalscape.com/help/cuteftp9/learning_about_ssh2.htm
所以,不要购买CuteFTP。 他们甚至不知道是否要解决这个问题。