Couldn't agree on key exchange algorithm (hardened server) :: Support Forum

jawnsy_ Guest

Couldn't agree on key exchange algorithm (hardened server)

2015-09-07 07:13

Hi,

I followed the instructions for "modern compatibility" listed here: https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67

So these are my cipher settings in /etc/ssh/sshd_config:

KexAlgorithms [email protected],ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
MACs [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected]

Unfortunately, this breaks WinSCP. PuTTY 0.65 has no issues, so perhaps this is just an issue where an upgrade is required. This issue looks very similar to https://winscp.net/tracker/1067

Cheers,
Jonathan Yu
[email protected]

putty.log (112.76 KB)

theory.log (3.19 KB)

Reply with quote

martin◆ Site Admin
Joined:: 2002-12-10
Posts:: 42,591
Location:: Prague, Czechia

Re: Couldn't agree on key exchange algorithm (hardened server)

2015-09-08

Probably the same issue as here:
https://winscp.net/forum/viewtopic.php?t=15626

Please install the latest versions of both OpenSSH and WinSCP.

Reply with quote

juul Guest

2015-11-14 18:16

This is actually not entirely the same, its because WinSCP is missing a cipher and key exchange algorithm.

I ran into the same problem when connecting to a hardened server. The policy of this server had to be relaxed to allow WinSCP to connect because the server was very strict at first.

The cipher missing is: ChaCha20 (SSH-2 only)
The key exchange algorithm missing is: ECDH key exchange

Those appear in the lists in the PuTTY settings, however in WinSCP these do not appear in the cipher and kex selection policy lists.

Reply with quote