Aptana SFTP Key Exchange

3

13

I'm currently working with Aptana Studio 3.6.1 (a custom build with some PHP syntax fixes). I use SFTP to upload files from my project to a test site, using the publishing tools (upload/download arrows at the top of the project).

Recently, I became unable to upload files. WinSCP is able to do so just fine, and I can SSH into the server without problem when using PuTTY or plain old OpenSSH. Aptana, however, throws a fit:

Failed to upload file
Establishing SFTP connection failed: No suitable key exchange algorithm could be agreed.
No suitable key exchange algorithm could be agreed.

The corresponding error in auth.log (with LogLevel DEBUG1):

Oct 26 14:42:42 dedi sshd[13690]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
Oct 26 14:42:42 dedi sshd[13690]: debug1: inetd sockets after dupping: 3, 3
Oct 26 14:42:42 dedi sshd[13690]: Connection from [My IP] port 24321 on [Server IP] port 22
Oct 26 14:42:42 dedi sshd[13690]: debug1: Client protocol version 2.0; client software version edtFTPjPRO-4.1.0
Oct 26 14:42:42 dedi sshd[13690]: debug1: no match: edtFTPjPRO-4.1.0
Oct 26 14:42:42 dedi sshd[13690]: debug1: Enabling compatibility mode for protocol 2.0
Oct 26 14:42:42 dedi sshd[13690]: debug1: Local version string SSH-2.0-OpenSSH_6.7p1 Debian-2
Oct 26 14:42:42 dedi sshd[13690]: debug1: permanently_set_uid: 102/65534 [preauth]
Oct 26 14:42:42 dedi sshd[13690]: debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256 [preauth]
Oct 26 14:42:42 dedi sshd[13690]: debug1: SSH2_MSG_KEXINIT sent [preauth]
Oct 26 14:42:42 dedi sshd[13690]: debug1: SSH2_MSG_KEXINIT received [preauth]
Oct 26 14:42:42 dedi sshd[13690]: debug1: kex: client->server 3des-cbc hmac-sha1 none [preauth]
Oct 26 14:42:42 dedi sshd[13690]: debug1: kex: server->client 3des-cbc hmac-sha1 none [preauth]
Oct 26 14:42:42 dedi sshd[13690]: fatal: Unable to negotiate a key exchange method [preauth]

I should note that I've already mucked around with sshd_config in order to fix an earlier error where some cipher suites that Aptana uses weren't set up on the server. I suspect this problem has something to do with key exchange cipher suites, but I'm unsure of how to debug that problem in order to determine which suites to add.

$ uname -a && lsb_release -a
Linux dedi 3.14-2-amd64 #1 SMP Debian 3.14.15-2 (2014-08-09) x86_64 GNU/Linux
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux testing (jessie)
Release:        testing
Codename:       jessie
Larrisa answered 26/10, 2014 at 20:21 Comment(0)
13

Please use DEBUG3 level. Then you will see the list of key exchange algorithms configured on your server as well as the list supported by your client.

Then add the following line to your /etc/ssh/sshd_config:

KexAlgorithms <here comma-separated list of Kex Algorithms configured on your server>,<here one of the Kex Algorithms supported by your client>

For example, OpenSSH 6.7 has the following algorithms active by default: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1.

If your client supports only diffie-hellman-group1-sha1, then your /etc/ssh/sshd_config should contain

KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

That's OK - OpenSSH v.6.7 does support diffie-hellman-group1-sha1 too; however, it is off by default. You should allow sshd to use this key exchange algorithm by adding the KexAlgorithms line to your sshd config.

Aleutian answered 27/10, 2014 at 9:58 Comment(4)
Thank you. It turns out that the client only supports diffie-hellman-group1-sha1. - Larrisa
In case someone stumbles on this as I did, the above KexAlgorithms are required for the Android app ES File Explorer at least up to version 3.2.3 which uses JSCH-0.1.44 (a Java SSH2 client). - Eri
Do those keys listed in KexAlgorithms take precedence? - Woermer
This worked but I had to remove the (.) period at the end of the line. - Spam
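Added example (not part of the original answers, and not OpenSSH or Aptana code): Python that decodes the name-lists of an SSH_MSG_KEXINIT payload and applies the RFC 4253 section 7.1 selection rule for the key exchange method, which picks the first name on the client's list that the server also offers. The function names and the `SAMPLE` payload are constructed for illustration, and the rule is simplified in that it ignores the host-key compatibility conditions of that section.

```python
# KEXINIT name-lists in wire order (RFC 4253 section 7.1).
FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]
SSH_MSG_KEXINIT = 20

# OpenSSH 6.7 server default KexAlgorithms, as quoted in the answer.
SERVER_DEFAULT = ("curve25519-sha256@libssh.org,ecdh-sha2-nistp256,"
                  "ecdh-sha2-nistp384,ecdh-sha2-nistp521,"
                  "diffie-hellman-group-exchange-sha256,"
                  "diffie-hellman-group14-sha1").split(",")

def build_kexinit(lists):
    """Encode a KEXINIT payload; only used to construct SAMPLE below."""
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)        # message type + cookie
    for field in FIELDS:
        raw = ",".join(lists.get(field, [])).encode("ascii")
        body += len(raw).to_bytes(4, "big") + raw
    return body + bytes(5)     # first_kex_packet_follows + reserved uint32

def parse_kexinit(payload):
    """Decode the ten name-lists of an SSH_MSG_KEXINIT payload."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off, out = 17, {}
    for field in FIELDS:
        n = int.from_bytes(payload[off:off + 4], "big")
        if len(payload) < off + 4 + n:
            raise ValueError("truncated name-list: " + field)
        raw = payload[off + 4:off + 4 + n].decode("ascii")
        out[field] = raw.split(",") if raw else []
        off += 4 + n
    return out

def negotiate(client, server):
    """First name on the CLIENT's list that the server also offers, else None."""
    return next((alg for alg in client if alg in server), None)

# Constructed sample: a client offering what the question's log shows.
SAMPLE = build_kexinit({
    "kex": ["diffie-hellman-group1-sha1"], "host_key": ["ssh-rsa", "ssh-dss"],
    "enc_c2s": ["3des-cbc"], "enc_s2c": ["3des-cbc"],
    "mac_c2s": ["hmac-sha1"], "mac_s2c": ["hmac-sha1"],
    "comp_c2s": ["none"], "comp_s2c": ["none"]})

if __name__ == "__main__":
    offered = parse_kexinit(SAMPLE)["kex"]
    print("server defaults:", negotiate(offered, SERVER_DEFAULT))
    print("with group1 added:", negotiate(offered, SERVER_DEFAULT + offered))
```

Because the client's order decides, appending diffie-hellman-group1-sha1 to the server's list does not make it a last resort: any client that lists it first will negotiate it. It uses a fixed 1024-bit group, so drop it from KexAlgorithms again once the legacy client has been replaced.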
10
  1. On remote server edit sshd_config:

    nano /etc/ssh/sshd_config

  2. Add the following lines:

    Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc

    KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

  3. Restart ssh service

    /etc/init.d/ssh restart

thx to

Sibelle answered 23/10, 2015 at 19:39 Comment(2)
This answer also worked perfectly for phpDesigner 8.1.2 - Roundtree
It gives this error: Restarting ssh (via systemctl): ssh.service Job for ssh.service failed because the control process exited with error code. See "systemctl status ssh.service" and "journalctl -xe" for details. - Chaworth
6

For Debian 8 jessie putting this in /etc/ssh/sshd_config solved the problem for me

KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

taken from this comment https://github.com/rundeck/rundeck/issues/1147#issuecomment-85083240

Alrick answered 11/6, 2015 at 5:54 Comment(0)
