Unable to connect to SFTP server since 3.21.0

osdlge
500 Command not understood
Posts: 3
Joined: 2016-09-23 16:42

#1 Post by osdlge » 2016-09-23 16:44

Since upgrading to 3.21.0 I cannot connect to a single SFTP server

FileZilla Client
----------------

Version: 3.21.0

Build information:
Compiled for: x86_64-apple-darwin15.6.0
Compiled on: x86_64-apple-darwin15.6.0
Build date: 2016-08-23
Compiled with: Apple LLVM version 7.3.0 (clang-703.0.31)
Compiler flags: -g -O2 -Wall -g -std=gnu++14

Linked against:
wxWidgets: 3.0.3
GnuTLS: 3.4.14
SQLite: 3.11.1

Operating system:
Name: Mac OS X (Darwin 16.0.0 x86_64)
Version: 10.12
CPU features: sse sse2 sse3 ssse3 sse4.1 sse4.2 avx avx2 aes pclmulqdq rdrnd bmi2 bmi2
Settings dir: /Users/me/.config/filezilla/


I can connect to this server by opening a terminal prompt and running
sftp -P 22 user@hostname
so my connection to it is working just fine

this is what I see in the message window

Status: Connecting to <HOSTNAME>...
Response: fzSftp started, protocol_version=6
Command: open "<USER>@<HOSTNAME>" 22
Error: Server unexpectedly closed network connection
Error: Could not connect to server
Status: Waiting to retry...

botg
Site Admin
Posts: 35509
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Unable to connect to SFTP server since 3.21.0

#2 Post by botg » 2016-09-23 18:54

Which SSH server software (product and version) is your server running?

osdlge
500 Command not understood
Posts: 3
Joined: 2016-09-23 16:42

Re: Unable to connect to SFTP server since 3.21.0

#3 Post by osdlge » 2016-09-26 14:06

The server is running OpenSSH_6.2p2, if I SSH -v into it this is what I see


debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2
debug1: match: OpenSSH_6.2 pat OpenSSH*

botg
Site Admin
Posts: 35509
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Unable to connect to SFTP server since 3.21.0

#4 Post by botg » 2016-09-26 14:10

It's a bug in your server, you need to upgrade your server. See https://trac.filezilla-project.org/tick ... #comment:9

osdlge
500 Command not understood
Posts: 3
Joined: 2016-09-23 16:42

Re: Unable to connect to SFTP server since 3.21.0

#5 Post by osdlge » 2016-09-26 17:05

thanks - I upgraded to OpenSSH_7.3p1, OpenSSL 1.0.2j 26 Sep 2016 and I am able to use filezilla again

batagy
503 Bad sequence of commands
Posts: 19
Joined: 2004-03-01 08:50
First name: György
Last name: Bata
Location: Hungary

Re: Unable to connect to SFTP server since 3.21.0

#6 Post by batagy » 2016-10-06 15:58

Hi Tim!

I'm having the same problem.
Here using FileZilla 64bit on a Windows 7 PC, often connecting to SFTP servers, usually linux servers with OpenSSH.
All SFTP connections worked in version 3.20.1 and before. Now with 3.21 version and latest 3.22.0-RC1, SFTP doesn't work for certain servers.

Here is the build info:

Code:

FileZilla Client
----------------

Version:          3.22.0-rc1

Build information:
  Compiled for:   x86_64-w64-mingw32
  Compiled on:    x86_64-unknown-linux-gnu
  Build date:     2016-09-24
  Compiled with:  x86_64-w64-mingw32-gcc (GCC) 4.9.1
  Compiler flags: -g -O2 -Wall -g -std=gnu++14

Linked against:
  wxWidgets:      3.0.3
  GnuTLS:         3.4.15
  SQLite:         3.11.1

Operating system:
  Name:           Windows 7 (build 7601, Service Pack 1), 64-bit edition
  Version:        6.1
  Platform:       64-bit system
  CPU features:   sse sse2 sse3 ssse3 sse4.1 sse4.2 avx avx2 aes pclmulqdq rdrnd bmi2 bmi2
  Settings dir:   C:\Users\[username]\AppData\Roaming\FileZilla\

Here are the logs (Debug info level 2):

Code:

17:00:24	Status:	Disconnected from server
17:00:24	Status:	Connecting to [ipaddr]...
17:00:24	Response:	fzSftp started, protocol_version=6
17:00:24	Command:	open "[username]@[ipaddr]" 22
17:00:24	Trace:	Connecting to [ipaddr] port 22
17:00:24	Trace:	We claim version: SSH-2.0-PuTTY_Local:_Sep_24_2016_16:48:44
17:00:24	Trace:	Server version: SSH-2.0-OpenSSH_6.2
17:00:24	Trace:	We believe remote version has SSH-2 channel request bug
17:00:24	Trace:	Using SSH protocol version 2
17:00:24	Trace:	Doing ECDH key exchange with curve nistp256 and hash SHA-256
17:00:24	Trace:	Server unexpectedly closed network connection
17:00:24	Error:	Server unexpectedly closed network connection
17:00:24	Error:	Could not connect to server
17:00:24	Status:	Waiting to retry...
17:00:29	Status:	Connecting to [ipaddr]...
17:00:30	Response:	fzSftp started, protocol_version=6
17:00:30	Command:	open "[username]@[ipaddr]" 22
17:00:30	Trace:	Connecting to [ipaddr] port 22
17:00:30	Trace:	We claim version: SSH-2.0-PuTTY_Local:_Sep_24_2016_16:48:44
17:00:30	Trace:	Server version: SSH-2.0-OpenSSH_6.2
17:00:30	Trace:	We believe remote version has SSH-2 channel request bug
17:00:30	Trace:	Using SSH protocol version 2
17:00:30	Trace:	Doing ECDH key exchange with curve nistp256 and hash SHA-256
17:00:30	Trace:	Server unexpectedly closed network connection
17:00:30	Error:	Server unexpectedly closed network connection
17:00:30	Error:	Could not connect to server

What can be the cause?

On the server we have OpenSSH 6.2p2-0.9.1 version installed, this is a Suse Linux Enterprise 11 SP3.
From the linux package manager, only 6.2p2-0.13.1 is available, which is not much newer.

On the other hand, SFTP works on other servers, where OpenSSH version is:
Server version: SSH-2.0-OpenSSH_5.1
Server version: SSH-2.0-OpenSSH_6.2 (6.2p2-3.10.2)
Server version: SSH-2.0-OpenSSH_6.6.1 (6.6p1-5.3.1)

If I'm downgrading to 3.20.1 version, the same connection works fine this way:

Code:

18:00:16	Status:	Connecting to [ipaddr]...
18:00:16	Response:	fzSftp started, protocol_version=6
18:00:16	Command:	open "[username]@[ipaddr]" 22
18:00:16	Trace:	Connecting to [ipaddr] port 22
18:00:16	Trace:	We claim version: SSH-2.0-PuTTY_Local:_Aug__3_2016_17:44:48
18:00:16	Trace:	Server version: SSH-2.0-OpenSSH_6.2
18:00:16	Trace:	We believe remote version has SSH-2 channel request bug
18:00:16	Trace:	Using SSH protocol version 2
18:00:16	Trace:	Doing ECDH key exchange with curve nistp256 and hash SHA-256
18:00:16	Trace:	Server also has ssh-dss/ssh-rsa host keys, but we don't know any of them
18:00:16	Trace:	Host key fingerprint is:
18:00:16	Trace:	ecdsa-sha2-nistp256 256 24:1c:ab:d7:cc:01:a2:0e:e9:8a:24:ea:56:e3:a8:91
18:00:16	Trace:	Initialised AES-256 SDCTR client->server encryption
18:00:16	Trace:	Initialised HMAC-SHA-256 client->server MAC algorithm
18:00:16	Trace:	Initialised AES-256 SDCTR server->client encryption
18:00:16	Trace:	Initialised HMAC-SHA-256 server->client MAC algorithm
18:00:16	Trace:	Attempting keyboard-interactive authentication
18:00:16	Trace:	Using keyboard-interactive authentication. inst_len: 0, num_prompts: 1
18:00:16	Command:	Pass: *********
18:00:16	Trace:	Access granted
18:00:16	Trace:	Opening session as main channel
18:00:16	Trace:	Opened main channel
18:00:16	Trace:	Started a shell/command
18:00:16	Status:	Connected to [ipaddr]
18:00:17	Status:	Retrieving directory listing...
18:00:17	Command:	pwd
18:00:17	Response:	Current directory is: "/root/home/[username]"
18:00:17	Status:	Directory listing of "/root/home/[username]" successful

Thank you
György
Hungarian translator of FileZilla

botg
Site Admin
Posts: 35509
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Unable to connect to SFTP server since 3.21.0

#7 Post by botg » 2016-10-06 16:05

botg wrote:It's a bug in your server, you need to upgrade your server. See https://trac.filezilla-project.org/tick ... #comment:9

batagy
503 Bad sequence of commands
Posts: 19
Joined: 2004-03-01 08:50
First name: György
Last name: Bata
Location: Hungary

Re: Unable to connect to SFTP server since 3.21.0

#8 Post by batagy » 2016-10-07 13:32

botg wrote:
botg wrote:It's a bug in your server, you need to upgrade your server. See https://trac.filezilla-project.org/tick ... #comment:9

Hi Tim!

Thanks!
The 'aes256-gcm@openssh.com' should be in /etc/ssh/sshd_config in the Ciphers line, or it shouldn't be there?
Should this cipher be disabled or enabled?

Our sshd_config doesn't include such a Ciphers line by default.

Thanks
György
Hungarian translator of FileZilla

botg
Site Admin
Posts: 35509
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Unable to connect to SFTP server since 3.21.0

#9 Post by botg » 2016-10-08 08:01

It should be in sshd_config if your server supports it, because not only is it secure, it's also the fastest cipher. If your server does not support aes256-gcm@openssh.com, it rejects the setting and refuses to start. Only then should it be removed.

If however there is no Ciphers line to begin with in sshd_config, the server uses its built-in defaults, which are not being validated when the server starts. Due to the bug, the built-in defaults always include aes256-gcm@openssh.com even on servers that do not support it.

batagy
503 Bad sequence of commands
Posts: 19
Joined: 2004-03-01 08:50
First name: György
Last name: Bata
Location: Hungary

Re: Unable to connect to SFTP server since 3.21.0

#10 Post by batagy » 2016-11-04 15:03

botg wrote:It should be in sshd_config if your server supports it, because not only is it secure, it's also the fastest cipher. If your server does not support aes256-gcm@openssh.com, it rejects the setting and refuses to start. Only then should it be removed.

If however there is no Ciphers line to begin with in sshd_config, the server uses its built-in defaults, which are not being validated when the server starts. Due to the bug, the built-in defaults always include aes256-gcm@openssh.com even on servers that do not support it.

Hi Tim,

Many thanks for helping!

I can verify back now that changing the cipher configuration indeed fixed the problem with latest FileZilla SFTP.
It took time because our servers are operated by another company, had to open tickets officially, etc.

Solution was adding one line to /etc/ssh/sshd_config:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr

This is SLES11 SP3 system, running openssh-6.2p2-0.13.1.
FileZilla 3.21 (and newer) works great with modified ciphers. The point is disabling 'aes256-gcm@openssh.com'.

Regards
György
Hungarian translator of FileZilla
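
Added example (not part of the thread, and not FileZilla or OpenSSH code): the Python below classifies an sshd_config by the cases post #9 distinguishes (no Ciphers line, GCM listed, GCM excluded) and flags log attempts that end between the start of key exchange and the host key line, as in the failing log in post #6. The function names and the sample inputs are assumptions, constructed from lines quoted in the thread.

```python
import re
GCM = "aes256-gcm@openssh.com"  # cipher named in the thread

def explicit_ciphers(config_text):
    """Return the list from the first global Ciphers line, or None if absent."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":      # Ciphers is only valid before any Match block
            break
        if keyword == "ciphers" and len(parts) == 2:
            return [c for c in parts[1].strip('"').split(",") if c]
    return None

def cipher_state(config_text):
    """Classify the config by the cases post #9 distinguishes."""
    ciphers = explicit_ciphers(config_text)
    if ciphers is None:
        return "defaults"           # built-in list; per post #9 not validated at startup
    return "gcm-listed" if GCM in ciphers else "gcm-excluded"

def closed_during_kex(log_text):
    """Server banners of attempts that ended between key exchange start and host key."""
    hits, banner, in_kex = [], None, False
    for line in log_text.splitlines():
        version = re.search(r"Server version: (\S+)", line)
        if "Status:" in line and "Connecting to" in line:
            banner, in_kex = None, False        # a new connection attempt begins
        elif version:
            banner = version.group(1)
        elif "key exchange with" in line:
            in_kex = True
        elif "Host key fingerprint" in line:
            in_kex = False                      # key exchange got far enough
        elif in_kex and "Error:" in line and "unexpectedly closed" in line:
            hits.append(banner)
            in_kex = False
    return hits

# Constructed samples, modelled on the config and log lines quoted in the thread.
CONFIG_BEFORE = "Port 22\n#Ciphers aes128-ctr\nUsePAM yes\n"
CONFIG_AFTER = CONFIG_BEFORE + "Ciphers aes128-ctr,aes192-ctr,aes256-ctr\n"
FAILING_LOG = """Status:\tConnecting to [ipaddr]...
Trace:\tServer version: SSH-2.0-OpenSSH_6.2
Trace:\tDoing ECDH key exchange with curve nistp256 and hash SHA-256
Error:\tServer unexpectedly closed network connection"""
print(cipher_state(CONFIG_BEFORE), cipher_state(CONFIG_AFTER), closed_during_kex(FAILING_LOG))
```

A "defaults" result on a server whose banner appears in the `closed_during_kex` output corresponds to the situation described in post #9; "gcm-excluded" corresponds to the configuration reported as working in post #10.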
