extra algorithms needed
-
SFTPGO is really handy! I use it as a central location for "IOT" devices to make backups to. The very good thing is that you can create a (manual) account for every device. From the Admin view I created one "backups" directory with a subdirectory for each IOT account; this subdirectory is attached as a virtual directory to a specific account. This way the IOT accounts cannot see each other's files, and from the Admin view there is only one main directory with subdirectories. Handy!
However ....
One "IOT" device (Omada software controller) gets an error during connection:
client offered [ssh-rsa ssh-dss ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521], server offered: [ssh-ed25519]
According to the docs: https://docs.sftpgo.com/enterprise/config-file/#sshsftp-server you should be able to add algorithms, and I did it like this:
"host_key_algorithms": [
  "rsa-sha2-512", "rsa-sha2-256",
  "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
  "ssh-ed25519"
],
"kex_algorithms": [
  "curve25519-sha256", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
  "diffie-hellman-group14-sha256", "diffie-hellman-group-exchange-sha256"
],
"min_dh_group_exchange_key_size": 2048,
"ciphers": [
  "aes128-gcm@openssh.com", "aes256-gcm@openssh.com", "chacha20-poly1305@openssh.com",
  "aes128-ctr", "aes192-ctr", "aes256-ctr"
],
"macs": [],
"public_key_algorithms": [
  "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
  "rsa-sha2-512", "rsa-sha2-256", "ssh-ed25519",
  "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"
],
In the WebAdmin it says this:
SSH/SFTP server
Status: active
Address ":2022"
PROXY protocol enabled
Host key "/app/data/sftpgo_host_key"
Fingerprint "SHA256:*********redacted*********"
Algorithms "ssh-ed25519"
Accepted commands "md5sum, sha1sum, sha256sum, cd, pwd, scp"
Authentication methods "password, publickey, keyboard-interactive, publickey+password, publickey+keyboard-interactive"
Public key authentication algorithms "ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, rsa-sha2-512, rsa-sha2-256, ssh-ed25519, sk-ssh-ed25519@openssh.com, sk-ecdsa-sha2-nistp256@openssh.com"
Message authentication code (MAC) algorithms "hmac-sha2-256-etm@openssh.com, hmac-sha2-256"
Key exchange (KEX) algorithms "curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha256, diffie-hellman-group-exchange-sha256"
Ciphers "aes128-gcm@openssh.com, aes256-gcm@openssh.com, chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr"
But the error keeps coming and the connection is not possible.
Does anyone know how to solve this?
-
@imc67 The package generates only ed25519 keys. Maybe it can generate ssh-rsa keys too.
Maybe it needs rsa keys. Can you generate the key like this (in web terminal):
ssh-keygen -t rsa -f /app/data/sftpgo_host_rsa_key -N ""
Then, in the config file, add it to the sftpd.host_keys array. It should already have /app/data/sftpgo_host_key. Add this one too: /app/data/sftpgo_host_rsa_key. If that works, I can fix the package to generate rsa keys by default.
-
... almost, this is the error when trying to login:
ssh: no common algorithm for host key; client offered: [ssh-rsa ssh-dss ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521], server offered: [ssh-ed25519 rsa-sha2-256 rsa-sha2-512]
Status: active
Address ":2022"
PROXY protocol enabled
Host key "/app/data/sftpgo_host_key"
Fingerprint "SHA256:******"
Algorithms "ssh-ed25519"
Host key "/app/data/sftpgo_host_rsa_key"
Fingerprint "SHA256:******"
Algorithms "rsa-sha2-256, rsa-sha2-512"
Accepted commands "md5sum, sha1sum, sha256sum, cd, pwd, scp"
Authentication methods "password, publickey, keyboard-interactive, publickey+password, publickey+keyboard-interactive"
Public key authentication algorithms "ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, rsa-sha2-512, rsa-sha2-256, ssh-ed25519, sk-ssh-ed25519@openssh.com, sk-ecdsa-sha2-nistp256@openssh.com"
Message authentication code (MAC) algorithms "hmac-sha2-256-etm@openssh.com, hmac-sha2-256"
Key exchange (KEX) algorithms "curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha256, diffie-hellman-group-exchange-sha256"
Ciphers "aes128-gcm@openssh.com, aes256-gcm@openssh.com, chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr"
-
Not an expert on these keys, but per chatgpt, ssh-rsa and ssh-dss are obsolete and are even completely removed from newer openssh.
If you are feeling brave:
ssh-keygen -t rsa -b 2048 -f /app/data/sftpgo_host_old_rsa_key -N ""
or
ssh-keygen -t dsa -f /app/data/sftpgo_host_dsa_key -N ""
-
Of the "needed" algorithms, only ECDSA (ecdsa-sha2-nistp256/384/521) is still allowed, but it is considered less robust than modern alternatives; Ed25519 is strongly recommended instead (RFC 8420 – Ed25519 for SSH).
So I did this:
# P-256
ssh-keygen -t ecdsa -b 256 -f /app/data/sftpgo_host_ecdsa_256 -N ""
# P-384
ssh-keygen -t ecdsa -b 384 -f /app/data/sftpgo_host_ecdsa_384 -N ""
# P-521
ssh-keygen -t ecdsa -b 521 -f /app/data/sftpgo_host_ecdsa_521 -N ""
and added these to the config. Now it works!!!
Are these changes I did persistent?
-
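Replaying the host-key negotiation from this thread as an added example (not code from SFTPGo or any poster): the rule from RFC 4253 section 7.1 is that the first entry in the client's list that the server also offers wins, which is why adding an RSA host key did not help (the Omada client asks for the legacy "ssh-rsa" name, while the RSA key was advertised only as rsa-sha2-256/512) and why the ECDSA keys did. The client and server lists below are copied from the error messages and WebAdmin status above.

```python
"""Replay the SSH host-key algorithm negotiation seen in the thread.

RFC 4253 section 7.1: the agreed algorithm is the first name in the
client's list that the server also supports; with no common name the
connection fails with "no common algorithm for host key".
"""
from typing import Optional

# Client list copied from the Omada controller's error message.
OMADA_CLIENT = ["ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256",
                "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"]

# Server lists copied from the WebAdmin status at each step of the thread.
SERVER_ED25519_ONLY = ["ssh-ed25519"]
SERVER_WITH_RSA = ["ssh-ed25519", "rsa-sha2-256", "rsa-sha2-512"]
SERVER_WITH_ECDSA = SERVER_WITH_RSA + ["ecdsa-sha2-nistp256",
                                       "ecdsa-sha2-nistp384",
                                       "ecdsa-sha2-nistp521"]


def negotiate(client: list[str], server: list[str]) -> Optional[str]:
    """Return the agreed host-key algorithm, or None if there is none."""
    offered = set(server)
    for name in client:          # client preference order decides
        if name in offered:
            return name
    return None


def explain(client: list[str], server: list[str]) -> str:
    """Format the outcome the way the SSH error in the thread reads."""
    chosen = negotiate(client, server)
    if chosen is None:
        return ("ssh: no common algorithm for host key; client offered: "
                f"{client}, server offered: {server}")
    return f"host key algorithm agreed: {chosen}"


def missing_on_server(client: list[str], server: list[str]) -> list[str]:
    """Client-acceptable names the server does not offer; advertising any
    one of them (by adding a host key of that type) resolves the mismatch."""
    offered = set(server)
    return [name for name in client if name not in offered]


if __name__ == "__main__":
    for label, srv in [("ed25519 only", SERVER_ED25519_ONLY),
                       ("ed25519 + rsa-sha2", SERVER_WITH_RSA),
                       ("ed25519 + rsa-sha2 + ecdsa", SERVER_WITH_ECDSA)]:
        print(f"[{label}] {explain(OMADA_CLIENT, srv)}")
```

Note that `rsa-sha2-256`/`rsa-sha2-512` are distinct algorithm names from the SHA-1 based `ssh-rsa`, so an RSA host key only helps a client that names the rsa-sha2 variants.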