Cloudron Forum

extra algorithms needed

  • imc67 (translator), post #1:

    SFTPGO is really handy! I use it as a central location for "IOT" devices to make backups to. The very good thing is that you can create a (manual) account for every device. From Admin view I created one "backups" directory with for each IOT account a subdirectory, this subdirectory is attached as a virtual directory to a specific account. This way the IOT accounts cannot see each other's files and from Admin view there is only one main- with subdirectories. Handy!

    However ....

    One "IOT" device (Omada software controller) gets an error during connection:

    client offered [ssh-rsa ssh-dss ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521], server offered: [ssh-ed25519]
    

    According to the docs: https://docs.sftpgo.com/enterprise/config-file/#sshsftp-server you should be able to add algorithms, and I did like this:

        "host_key_algorithms": [
          "rsa-sha2-512",
          "rsa-sha2-256",
          "ecdsa-sha2-nistp256",
          "ecdsa-sha2-nistp384",
          "ecdsa-sha2-nistp521",
          "ssh-ed25519"
        ],
        "kex_algorithms": [
          "curve25519-sha256",
          "ecdh-sha2-nistp256",
          "ecdh-sha2-nistp384",
          "ecdh-sha2-nistp521",
          "diffie-hellman-group14-sha256",
          "diffie-hellman-group-exchange-sha256"
        ],
        "min_dh_group_exchange_key_size": 2048,
        "ciphers": [
          "aes128-gcm@openssh.com",
          "aes256-gcm@openssh.com",
          "chacha20-poly1305@openssh.com",
          "aes128-ctr",
          "aes192-ctr",
          "aes256-ctr"
        ],
        "macs": [],
        "public_key_algorithms": [
          "ecdsa-sha2-nistp256",
          "ecdsa-sha2-nistp384",
          "ecdsa-sha2-nistp521",
          "rsa-sha2-512",
          "rsa-sha2-256",
          "ssh-ed25519",
          "sk-ssh-ed25519@openssh.com",
          "sk-ecdsa-sha2-nistp256@openssh.com"
        ],
    

    In the WebAdmin it says this:

    SSH/SFTP server
    Status: active
    
    Address ":2022"
    
    PROXY protocol enabled
    
    Host key "/app/data/sftpgo_host_key"
    
    Fingerprint "SHA256:*********redacted*********"
    
    Algorithms "ssh-ed25519"
    
    Accepted commands "md5sum, sha1sum, sha256sum, cd, pwd, scp"
    
    Authentication methods "password, publickey, keyboard-interactive, publickey+password, publickey+keyboard-interactive"
    
    Public key authentication algorithms "ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, rsa-sha2-512, rsa-sha2-256, ssh-ed25519, sk-ssh-ed25519@openssh.com, sk-ecdsa-sha2-nistp256@openssh.com"
    
    Message authentication code (MAC) algorithms "hmac-sha2-256-etm@openssh.com, hmac-sha2-256"
    
    Key exchange (KEX) algorithms "curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha256, diffie-hellman-group-exchange-sha256"
    
    Ciphers "aes128-gcm@openssh.com, aes256-gcm@openssh.com, chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr"
    

    But the error keeps coming and the connection is not possible.

    Does anyone know how to solve this?

      girish (Staff), post #2:

      @imc67 The package generates only ed25519 keys. Maybe it can generate ssh-rsa keys too.

      Maybe it needs rsa keys. Can you generate the key like this (in web terminal):

      ssh-keygen -t rsa -f /app/data/sftpgo_host_rsa_key -N ""
      

      Then, in the config file, add it to the sftpd.host_keys array. It should already have /app/data/sftpgo_host_key. Add this one too: /app/data/sftpgo_host_rsa_key. If that works, I can fix the package to generate rsa keys by default.

      • imc67 (translator), post #3:

        ... almost, this is the error when trying to login:

        ssh: no common algorithm for host key; client offered: [ssh-rsa ssh-dss ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521], server offered: [ssh-ed25519 rsa-sha2-256 rsa-sha2-512]"}
        
        Status: active
        
        Address ":2022"
        
        PROXY protocol enabled
        
        Host key "/app/data/sftpgo_host_key"
        
        Fingerprint "SHA256:******"
        
        Algorithms "ssh-ed25519"
        
        Host key "/app/data/sftpgo_host_rsa_key"
        
        Fingerprint "SHA256:******"
        
        Algorithms "rsa-sha2-256, rsa-sha2-512"
        
        Accepted commands "md5sum, sha1sum, sha256sum, cd, pwd, scp"
        
        Authentication methods "password, publickey, keyboard-interactive, publickey+password, publickey+keyboard-interactive"
        
        Public key authentication algorithms "ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, rsa-sha2-512, rsa-sha2-256, ssh-ed25519, sk-ssh-ed25519@openssh.com, sk-ecdsa-sha2-nistp256@openssh.com"
        
        Message authentication code (MAC) algorithms "hmac-sha2-256-etm@openssh.com, hmac-sha2-256"
        
        Key exchange (KEX) algorithms "curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha256, diffie-hellman-group-exchange-sha256"
        
        Ciphers "aes128-gcm@openssh.com, aes256-gcm@openssh.com, chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr"
        
        • joseph (Staff), post #4:

          Not an expert on these keys but per ChatGPT, ssh-rsa and ssh-dss are obsolete and are even completely removed from newer OpenSSH.

          If you are feeling brave:

          ssh-keygen -t rsa -b 2048 -f /app/data/sftpgo_host_old_rsa_key -N ""

          or

          ssh-keygen -t dsa -f /app/data/sftpgo_host_dsa_key -N ""

          • imc67 (translator), post #5:

            Of the "needed" algorithms, only ECDSA (ecdsa-sha2-nistp256/384/521) is still allowed, but it is considered less robust than modern alternatives; Ed25519 is strongly recommended instead (RFC 8420 – Ed25519 for SSH).

            So I did this:

            # P-256
            ssh-keygen -t ecdsa -b 256 -f /app/data/sftpgo_host_ecdsa_256 -N ""
            
            # P-384
            ssh-keygen -t ecdsa -b 384 -f /app/data/sftpgo_host_ecdsa_384 -N ""
            
            # P-521
            ssh-keygen -t ecdsa -b 521 -f /app/data/sftpgo_host_ecdsa_521 -N ""
            
            

            and added these to the config: Now it works!!!

            Are these changes I did persistent?

            • nebulon (Staff), post #6:

              Yes, since those are in /app/data they will persist and also be part of the backup
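
The host key negotiation failure and fix from this thread, as an added example that is not part of any post and not SFTPGo's own code: a simplified Go model of the first-match rule, using the client list from the error message. The names `omadaClient`, `advertised`, `serverOffer`, `negotiate` and the key-type labels are made up for the illustration.

```go
package main

import ("fmt"; "strings")

// Client list copied from the error message quoted in the thread.
var omadaClient = []string{"ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256",
	"ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

// advertised maps a host key type (hypothetical labels) to the algorithms offered
// for it. ed25519 and rsa rows match the WebAdmin output; ecdsa rows are standard names.
var advertised = map[string][]string{
	"ed25519":   {"ssh-ed25519"},
	"rsa":       {"rsa-sha2-256", "rsa-sha2-512"},
	"ecdsa-256": {"ecdsa-sha2-nistp256"},
	"ecdsa-384": {"ecdsa-sha2-nistp384"},
	"ecdsa-521": {"ecdsa-sha2-nistp521"},
}

// serverOffer builds the host key algorithm list for the loaded host keys.
func serverOffer(keyTypes ...string) []string {
	var out []string
	for _, kt := range keyTypes {
		out = append(out, advertised[kt]...)
	}
	return out
}

// negotiate returns the first client algorithm that the server also offers
// (simplified model: no check against the chosen key exchange method).
func negotiate(client, server []string) (string, error) {
	for _, c := range client {
		for _, s := range server {
			if c == s {
				return c, nil
			}
		}
	}
	return "", fmt.Errorf("no common algorithm for host key; client offered: [%s], server offered: [%s]",
		strings.Join(client, " "), strings.Join(server, " "))
}

func main() {
	steps := [][]string{{"ed25519"}, {"ed25519", "rsa"}, {"ed25519", "rsa", "ecdsa-256", "ecdsa-384", "ecdsa-521"}}
	for _, keys := range steps {
		algo, err := negotiate(omadaClient, serverOffer(keys...))
		fmt.Println(keys, "->", algo, err)
	}
}
```

The RSA step still fails because the server offers that key only as rsa-sha2-256 and rsa-sha2-512 while the client asks for ssh-rsa; once the ECDSA keys are loaded, the first match is ecdsa-sha2-nistp256.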
