刚刚安装了一台带有 Debian8 (jessie) 系统的新服务器。多年来,我一直使用 CuteFTP 通过 SFTP 连接在家用电脑和服务器上上传/同步文件。不幸的是,CuteFTP 无法连接到 Deabian8 服务器:
Disconnect: key exchange failed.
ERROR:> [22/06/2016 15:10:03] Check security settings; make sure that the username and password are correct, and that the chosen encryption algorithms are supported by server.
我安装了 WinSCP,连接服务器没有问题。只是 CuteFTP 无法连接。但我想使用 CuteFTP,因为它具有计划同步、多个同时上传/下载的可能性等。
知道为什么 CuteFTP 无法连接到 Debian8 服务器吗?
* CuteFTP 9.0 - 2013 年 6 月 25 日构建 *
STATUS:> [22/06/2016 15:10:02] Getting listing ""...
STATUS:> [22/06/2016 15:10:02] Connecting to SFTP server... XXX.XXX.XXX.XXX:1641 (ip = XXX.XXX.XXX.XXX)...
ERROR:> [22/06/2016 15:10:03] Disconnect: key exchange failed.
ERROR:> [22/06/2016 15:10:03] Check security settings; make sure that the username and password are correct, and that the chosen encryption algorithms are supported by server.
STATUS:> [22/06/2016 15:10:03] Can't connect to XXX.XXX.XXX.XXX:1641.
STATUS:> [22/06/2016 15:10:03] SFTP connection closed.
日志:
18:28:24.085 Sending version: 5353482D322E302D312E3832207373686C69623A20436C69656E74536674700D0A
18:28:24.135 Sending SSH_MSG_KEXINIT (450 bytes, seq nr 0)
Data: 14D0989582300732FE96FA99757E553326000000596469666669652D68656C6C6D616E2D67726F757031342D736861312C6469666669652D68656C6C6D616E2D67726F75702D65786368616E67652D736861312C6469666669652D68656C6C6D616E2D67726F7570312D736861310000000F7373682D7273612C7373682D6473730000005A336465732D6362632C617263666F75722C636173743132382D6362632C74776F666973682D6362632C626C6F77666973682D6362632C74776F666973683132382D6362632C6165733132382D6362632C6165733235362D6362630000005A336465732D6362632C617263666F75722C636173743132382D6362632C74776F666973682D6362632C626C6F77666973682D6362632C74776F666973683132382D6362632C6165733132382D6362632C6165733235362D6362630000002B686D61632D6D64352C686D61632D736861312C686D61632D736861312D39362C686D61632D6D64352D39360000002B686D61632D6D64352C686D61632D736861312C686D61632D736861312D39362C686D61632D6D64352D3936000000097A6C69622C6E6F6E65000000097A6C69622C6E6F6E6500000000000000000000000000
18:28:24.137 GsSshClientManager::OnKexStart: Starting first key exchange
18:28:24.538 PacketDecoder RECEIVED: 5353482D322E302D4F70656E5353485F362E3770312044656269616E2D352B6465623875320D0A0000026C0914F58C399FF69574E104443DF5AC29F83E000000636469666669652D68656C6C6D616E2D67726F75702D65786368616E67652D7368613235362C6469666669652D68656C6C6D616E2D67726F757031342D736861312C6469666669652D68656C6C6D616E2D67726F75702D65786368616E67652D73686131000000137373682D7273612C7373682D65643235353139000000436165733235362D67636D406F70656E7373682E636F6D2C6165733132382D67636D406F70656E7373682E636F6D2C6165733235362D6374722C6165733132382D637472000000436165733235362D67636D406F70656E7373682E636F6D2C6165733132382D67636D406F70656E7373682E636F6D2C6165733235362D6374722C6165733132382D6374720000007F686D61632D736861322D3531322D65746D406F70656E7373682E636F6D2C686D61632D736861322D3235362D65746D406F70656E7373682E636F6D2C756D61632D3132382D65746D406F70656E7373682E636F6D2C686D61632D736861322D3531322C686D61632D736861322D3235362C686D61632D726970656D643136300000007F686D61632D736861322D3531322D65746D406F70656E7373682E636F6D2C686D61632D736861322D3235362D65746D406F70656E7373682E636F6D2C756D61632D3132382D65746D406F70656E7373682E636F6D2C686D61632D736861322D3531322C686D61632D736861322D3235362C686D61632D726970656D64313630000000156E6F6E652C7A6C6962406F70656E7373682E636F6D000000156E6F6E652C7A6C6962406F70656E7373682E636F6D00000000000000000000000000000000000000000000
18:28:24.547 GsSshClientManager::OnInStateChange: Server version string: SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u2
Protocol version: 2.0
18:28:24.549 Received SSH_MSG_KEXINIT (610 bytes, seq nr 0)
Data: 14F58C399FF69574E104443DF5AC29F83E000000636469666669652D68656C6C6D616E2D67726F75702D65786368616E67652D7368613235362C6469666669652D68656C6C6D616E2D67726F757031342D736861312C6469666669652D68656C6C6D616E2D67726F75702D65786368616E67652D73686131000000137373682D7273612C7373682D65643235353139000000436165733235362D67636D406F70656E7373682E636F6D2C6165733132382D67636D406F70656E7373682E636F6D2C6165733235362D6374722C6165733132382D637472000000436165733235362D67636D406F70656E7373682E636F6D2C6165733132382D67636D406F70656E7373682E636F6D2C6165733235362D6374722C6165733132382D6374720000007F686D61632D736861322D3531322D65746D406F70656E7373682E636F6D2C686D61632D736861322D3235362D65746D406F70656E7373682E636F6D2C756D61632D3132382D65746D406F70656E7373682E636F6D2C686D61632D736861322D3531322C686D61632D736861322D3235362C686D61632D726970656D643136300000007F686D61632D736861322D3531322D65746D406F70656E7373682E636F6D2C686D61632D736861322D3235362D65746D406F70656E7373682E636F6D2C756D61632D3132382D65746D406F70656E7373682E636F6D2C686D61632D736861322D3531322C686D61632D736861322D3235362C686D61632D726970656D64313630000000156E6F6E652C7A6C6962406F70656E7373682E636F6D000000156E6F6E652C7A6C6962406F70656E7373682E636F6D00000000000000000000000000
18:28:24.551 Will act on first key exchange method packet
18:28:24.552 GsSshClientManager::OnInStateChange: Server's KEXINIT packet:
cookie: F58C399FF69574E104443DF5AC29F83E
kex algs: diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
host key algs: ssh-rsa,ssh-ed25519
c2s encr algs: [email protected],[email protected],aes256-ctr,aes128-ctr
s2c encr algs: [email protected],[email protected],aes256-ctr,aes128-ctr
c2s mac algs: [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
s2c mac algs: [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
c2s cmpr algs: none,[email protected]
s2c cmpr algs: none,[email protected]
c2s languages:
s2c languages:
1. kex follows: false
18:28:24.554 Sending SSH_MSG_DISCONNECT (72 bytes, seq nr 1)
Data: 0100000003000000396661696C656420746F206E65676F746961746520636C69656E7420746F2073657276657220656E6372797074696F6E20616C676F726974686D00000002656E
18:28:24.556 DoLoopThread exit: Disconnect packet sent:
Disconnect reason: SSH_DISCONNECT_KEY_EXCHANGE_FAILED
Disconnect description: failed to negotiate client to server encryption algorithm
Disconnect language: en
18:28:25.220 GsSftpImplementation::~GsSftpImplementation
答案1
查看您的日志文件,显然有 3 种密钥交换算法可用:
diffie-hellman-group-exchange-sha256, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1
其中,diffie-hellman-group-exchange-sha256 为优先选择,服务器会进行宣传。
主机可能有 2 个密钥:一个 RSA 密钥和一个 ED25519 密钥。ED25519 密钥不能与 3 个宣传的 KEX 算法中的任何一个一起使用,因此我假设您的 CuteFTP 客户端正在尝试对 RSA 密钥进行 KEX,并且应该通过基于 SHA256 的 KEX 进行操作。
据我所知,CuteFTP 允许您配置加密和 HMAC 算法,但没有特定配置来设置 KEX 算法的优先级。话虽如此,我建议您更新到最新版本的 CuteFTP,看看它是否能解决问题,或者停止使用 CuteFTP。
当然,您也可以更改服务器上 KEX 算法的优先顺序,但由于这两种基于 SHA1 的算法现在被认为是不安全的(并且不符合 PCI 标准),因此我不建议这样做。最好改进客户端,而不是削弱服务器的安全设置。
答案2
这是 Globalscape 的答案
==================== 你好,
根据提供的信息,我相信失败是由于 CuteFTP 无法使用 SHA2 http://help.globalscape.com/help/cuteftp9/learning_about_ssh2.htm
目前尚不清楚 CuteFTP 9 是否会重新支持更新的密码和 MACS。
所以,不要购买 CuteFTP。他们甚至不知道是否会修复该问题。