Cannot connect via sftp

I cannot connect with the log below. Please help. Regards, Dominik (PS. original server address is obscured)

[code]Opening Connection xxxxxxx.com:22
SSH: ssh_init: error during SSH connection setup 0
Opening Connection xxxxxxx.com:22
Server version: SSH-2.0-Sun_SSH_1.5
We claim version: SSH-2.0-PuTTY-FZ-Local: Jun 14 2013 13:21:05
Using SSH protocol version 2
Couldn't agree a client-to-server cipher (available:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,arcfour256,arcfour)
SSH: Fatal: Couldn't agree a client-to-server cipher (available:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,arcfour256,arcfour)
Connection closed
Opening Connection xxxxxxx.com:22
SSH: ssh_init: error during SSH connection setup 0
Opening Connection xxxxxxx.com:21
FD_CONNECT - WSAECONNREFUSED: Connection refused
Cannot Connect to Site.
[/code]

[quote]Couldn't agree a client-to-server cipher (available:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,arcfour256,arcfour)[/quote]

That means Opus and the server do not support any of the same encryption protocols, so they cannot talk to each other.

It's unusual for a server to be configured in that way, but it is done sometimes.
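Added example, not part of the original thread and not Directory Opus or PuTTY code: the SSH cipher selection rule (RFC 4253, section 7.1) applied to the server list from the log above, showing why negotiation ends with no cipher. The client list `CLIENT_CIPHERS` is an assumption (a CBC-only offer); the thread never shows the client's actual list.

```python
import re

# Constructed sample: the relevant lines from the log quoted in this thread.
LOG = """Server version: SSH-2.0-Sun_SSH_1.5
Couldn't agree a client-to-server cipher (available:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,arcfour256,arcfour)"""

# Assumption: a CBC-only client offer, in preference order. These are standard
# SSH cipher names, not a list taken from the client discussed in the thread.
CLIENT_CIPHERS = ["aes256-cbc", "3des-cbc", "blowfish-cbc"]


def server_ciphers(log):
    """Extract the server's name-list from the PuTTY-style failure message."""
    m = re.search(r"Couldn't agree a \S+ cipher \(available:\s*([^)]*)\)", log)
    return [c.strip() for c in m.group(1).split(",") if c.strip()] if m else []


def negotiate(client, server):
    """RFC 4253 section 7.1: first entry on the client's list that the server also lists."""
    offered = set(server)
    return next((c for c in client if c in offered), None)


def family(cipher):
    """Group a cipher name by mode so the mismatch is visible at a glance."""
    if cipher.startswith("arcfour"):
        return "arcfour"
    return cipher.rsplit("-", 1)[-1] if "-" in cipher else "other"


def diagnose(log, client):
    """Summarise the negotiation outcome and the cipher families on each side."""
    server = server_ciphers(log)
    return {
        "chosen": negotiate(client, server),
        "server_families": sorted({family(c) for c in server}),
        "client_families": sorted({family(c) for c in client}),
    }


if __name__ == "__main__":
    print(diagnose(LOG, CLIENT_CIPHERS))
    # A client that also offers a CTR cipher agrees with this server.
    print(negotiate(["aes256-ctr"] + CLIENT_CIPHERS, server_ciphers(LOG)))
```

The client's preference order decides the result, so a client offering both CTR and arcfour gets whichever of the two it lists first.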

Thanks. Please note, however, that I can connect to this site using putty as well as WinSCP. Can you not support those protocols?

Thanks
Dominik

It's possible, just a matter of priorities/resources.

Hi,

This is the reply from the system admins of the host I am trying to connect to.

"It appears that Directory Opus wants to use a rather old (and insecure) cipher when authenticating with SSH2... We would strongly prefer not to enable the older CDC cipher due to known vulnerabilities in this method.
I would respond to Opus support that they should really implement CTR support in their software for SSH, due to the known security hole in CDC."

Please consider.

Best regards,
Dominik

Is there any update on this? I just purchased the Advanced FTP module and ran into the same issue (putty can connect just fine, DirOpus claims to use putty for connecting, according to the log, but fails to find a matching cipher). Shouldn't support for standard secure SSH ciphers be the minimum requirement for the Advanced FTP module? After all, that's why we pay extra for it over just using standard FTP.

No update, but it's still on our list. An overhaul of the SFTP code is being considered, but we don't have any final plans to announce yet, and won't for a while as we've only just done a major release and are busy with the work that comes from that.

Re standard SSH ciphers, there are lots of different standards, unfortunately. The ones Opus supports are also supported by the vast majority of servers, but servers are free to add/remove ciphers as they see fit.

I'm still on dopus 10, and this is the only useful hit via Google when searching for dopus ciphers. Based on your comment in March, I assume this hasn't been worked on yet.

OpenSSH 6.7 was released in early October. This build eliminates those insecure ciphers:

[code]Changes since OpenSSH 6.6

Potentially-incompatible changes

  • sshd(8): The default set of ciphers and MACs has been altered to
    remove unsafe algorithms. In particular, CBC ciphers and arcfour*
    are disabled by default.

    The full set of algorithms remains available if configured
    explicitly via the Ciphers and MACs sshd_config options.
[/code]

As it is a public release, this has been adopted by LOTS of servers and other use cases. My own scenario, OpenSSH via Cydia on a jailbroken iPhone, is a standard build. I have attempted to enable the AES256-CDC cipher that dopus uses but the server daemon errors. Enabling arcfour works fine, but dopus doesn't use that. I've fallen back to an older build of OpenSSH, but that's not the best solution considering what it is.

TL;DR: This is rather urgent. Can this be escalated in the todo list?

Thanks for the details etc. We currently have no estimated date for changes to the SSH protocols.

This is an absolute deal breaker for me. My primary use for DOpus is in working with a large number of remote servers via its FTP integration and as time goes on, I'm more and more unable to connect to servers as they upgrade and the insecure ciphers are removed.

Sorry I don't understand the issue here? Am I missing something?

The SSH and SSL libraries in Opus are current at the time of release of the main version and are progressively updated during the lifetime of that version. Those in the current version of Opus 11 are fully up-to-date with the latest releases. Older versions of Opus (8/9/10 etc.) are deprecated and will not be updated. If you wish to use protocols released since the release of your older version of Opus 10, then you need to upgrade to Opus 11.

Any update on this issue? My SFTP connections had been working for a few years; however, in the last couple of months I have been unable to connect Opus.

SFTP works in general. If you have trouble connecting to a site, please start a new thread with proper details, including what the log says. The FAQs have a list of suggestions for FTP/SFTP issues as well, which it makes sense to try first.