SSH/SFTP using ancient SSH signature algorithm

Version: 13.1

SSH/SFTP is setting the signature algorithm to ssh-rsa, which pretty much any modern server will refuse outright. It has been disabled by default since 2021-09-26 in sshd 8.8.

Could DOpus 13 either default to a stronger RSA signature algorithm during key exchange (rsa-sha2-512) or allow us to configure this on a connection basis?

To add more debugging info, the key being used here is accepted no problem through any other ssh client. It is read from an SSH agent (WinGPG in my case), and can connect just fine.

The issue is during the key exchange negotiation with the server; DOpus is either hard-coded to do ssh-rsa, or reads ssh-rsa from the public key and passes it on to its underlying library. The SSH Key Type is a distinct thing from the SSH signature algorithm, even if historically they both used the same ssh-rsa value.

Server logs:

sshd[13585]: userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]

Client logs:

Opening Connection [REDACTED]
Server version: SSH-2.0-OpenSSH_9.3
Using SSH protocol version 2
We claim version: SSH-2.0-PuTTY_Directory_Opus
Server supports delayed compression; will try this later
Doing ECDH key exchange with curve Curve25519 and hash SHA-256
Server also has ecdsa-sha2-nistp256 host key, but we don't know it
Host key fingerprint is:
[REDACTED]
Initialised AES-256 SDCTR client->server encryption
Initialised HMAC-SHA-256 client->server MAC algorithm
Initialised AES-256 SDCTR server->client encryption
Initialised HMAC-SHA-256 server->client MAC algorithm
Pageant is running. Requesting keys.
Pageant has 2 SSH-2 keys
Using username "[REDACTED]".
Trying Pageant key #0
Server refused our key
Trying Pageant key #1
Server refused our key
Disconnected: No supported authentication methods available (server sent: publickey)
SSH: Fatal: Disconnected: No supported authentication methods available (server sent: publickey)
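
To make the key-type versus signature-algorithm distinction concrete, here is an added Python example (not part of the thread and not Directory Opus code). It parses the sshd rejection line quoted above, decodes the key type from a constructed OpenSSH public key line (toy modulus, not a real key), and picks the strongest signature algorithm a server's PubkeyAcceptedAlgorithms set would still accept for that key type. The server algorithm set is a constructed, abbreviated model of a modern OpenSSH default; function names are mine.

```python
import base64
import re
import struct

# Signature algorithms an SSH client may offer for each public-key *type*,
# strongest first. The ssh-rsa key type can sign with rsa-sha2-512 or
# rsa-sha2-256; only the legacy "ssh-rsa" signature algorithm uses SHA-1.
SIGNATURE_ALGS_FOR_KEY_TYPE = {
    "ssh-rsa": ("rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"),
    "ssh-ed25519": ("ssh-ed25519",),
    "ecdsa-sha2-nistp256": ("ecdsa-sha2-nistp256",),
}

# SHA-1 based signature algorithms that current OpenSSH rejects by default.
LEGACY_SIGNATURE_ALGS = {"ssh-rsa", "ssh-dss"}

# Constructed, abbreviated model of a modern server's PubkeyAcceptedAlgorithms
# (no ssh-rsa signatures, but RSA keys are still welcome via rsa-sha2-*).
MODERN_SERVER_ACCEPTED = {
    "ssh-ed25519", "ecdsa-sha2-nistp256", "rsa-sha2-512", "rsa-sha2-256",
}

SSHD_PUBKEY_REJECT = re.compile(
    r"userauth_pubkey: signature algorithm (?P<alg>\S+) "
    r"not in PubkeyAcceptedAlgorithms"
)


def classify_sshd_line(line):
    """Return details if an sshd log line is a signature-algorithm rejection, else None."""
    m = SSHD_PUBKEY_REJECT.search(line)
    if m is None:
        return None
    alg = m.group("alg")
    return {"signature_alg": alg, "legacy": alg in LEGACY_SIGNATURE_ALGS}


def negotiated_signature_alg(key_type, server_accepted):
    """Strongest signature algorithm for this key type that the server accepts, or None."""
    for alg in SIGNATURE_ALGS_FOR_KEY_TYPE.get(key_type, ()):
        if alg in server_accepted:
            return alg
    return None


# SSH wire-format helpers (RFC 4251 "string" and "mpint" encodings).
def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n):
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:  # keep the value positive in two's complement
        raw = b"\x00" + raw
    return _ssh_string(raw)


def _read_ssh_string(blob, offset):
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def key_type_from_public_key_line(line):
    """Key type embedded in an OpenSSH 'type base64-blob comment' public key line.

    The blob's first field is the key type; it says nothing about which
    signature algorithm will be used at authentication time.
    """
    blob = base64.b64decode(line.split()[1])
    key_type, _ = _read_ssh_string(blob, 0)
    return key_type.decode("ascii")


# Constructed demo RSA public key (toy modulus, NOT a real key): it only
# shows that the blob carries the key type string "ssh-rsa".
_DEMO_MODULUS = 0xD3A1B2C4E5F60718293A4B5C6D7E8F90ABCDEF0123456789
CONSTRUCTED_RSA_PUBKEY_LINE = "ssh-rsa " + base64.b64encode(
    _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(_DEMO_MODULUS)
).decode("ascii") + " demo@example"

# Constructed sshd log lines modelled on the one quoted in the thread.
CONSTRUCTED_SSHD_LOG = [
    "sshd[13585]: userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]",
    "sshd[13585]: Accepted publickey for user from 192.0.2.10 port 50000 ssh2: RSA SHA256:constructed",
]


def explain_failure(pubkey_line, sshd_lines, server_accepted=MODERN_SERVER_ACCEPTED):
    """What the key is, which signature algorithm the server rejected, and what would have worked."""
    key_type = key_type_from_public_key_line(pubkey_line)
    rejected = [r for r in map(classify_sshd_line, sshd_lines) if r]
    return {
        "key_type": key_type,
        "rejected_signature_algs": [r["signature_alg"] for r in rejected],
        "workable_signature_alg": negotiated_signature_alg(key_type, server_accepted),
    }


if __name__ == "__main__":
    print(explain_failure(CONSTRUCTED_RSA_PUBKEY_LINE, CONSTRUCTED_SSHD_LOG))
```

Running it reports a key type of `ssh-rsa`, a rejected signature algorithm of `ssh-rsa`, and `rsa-sha2-512` as the algorithm the same key could have used against the modelled server; that is exactly the gap a client closes by choosing the signature algorithm from what the server offers rather than copying the key type string.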

We'll be replacing the whole SFTP support with a new library as the first big piece of work after the dust settles on the new release.

It wasn't done for 13.1 as we didn't want to delay the release of everything else.

Hi

Is there a timeframe for this? It's forcing me to use WinSCP, which is as unpleasant as it sounds, because I'm not admin and can't add the ancient insecure algorithms to the config.

It's still being worked on, but I can't give a date for when it will be ready. Once it's complete and stable enough for people to use it, we'll enable it in a beta release.

Looking forward to this, but..

I tinkered with SSHFS for Windows these days, which allows access to sftp locations by UNC or as a "mapped network drive" from any application. It kind of works, but there are many incompatibilities, I cannot really connect to all remote locations and stability is rather "so so".

But using SSHFS - in theory - is the more advanced approach. Whatever sftp location you connect to with DO or WinSCP, it's not really a file system, you cannot open a text file directly in Notepad from that sftp location, e.g. WinSCP will download that file for you, wait until you have finished editing and then re-upload it. Feels like the stone age to me?!.. o)

The "rclone" executable, which has support for a lot of remote "folders" and cloud-endpoints, also has problems mounting sftp locations, at least it does not like the ones I use.

Why on earth is there no internet-ready file system yet? Arrg! o)

@Leo, please keep in mind that we are using CyberArk in our company and it uses 2FA!

So when you re-write it, always keep the connection open and use it for directory reading and file transfers. Also, for multiple file transfers, don't open multiple connections. Every new connection forces me to press 2FA on my mobile phone.

Currently it's a mess and sometimes a 2FA pops up on my mobile phone only when I switch directories.

Maybe you could keep a started connection open as long as DO runs (although the TAB is closed?)? And re-use ONE connection over multiple tabs?

Also CyberArk closes the connection after a specific time depending on PROD, TEST, DEV environments.

When you are doing the first tests, please contact me. I can do this. Thanks.

@Leo

Full transparency, when I received an email saying that my upgrade subscription had expired, this thread is the reason why I decided not to renew.

I've been a paid Directory Opus user since 2007. FTP and SFTP integration was the main reason why I purchased your software back in the day. GP Software clearly considered it an important feature as well, as there was a time Advanced FTP was an extra you had to pay for.

For the past 4 years now, working with servers that require newer ciphers, Directory Opus has been completely useless to me. I opened this bug report 2 years ago, and nothing has changed.

I don't see the value of paying yearly for support that I, and others in this thread, are clearly not getting. A key feature not working for more than 4 years is not acceptable. Doubly so when you change your pricing model from version-based licensing to paid yearly support.

You've lost a loyal customer who was with you for close to 20 years.

It will be done soon. Can't make it happen any faster, sorry.

I’m also waiting for the SSH/SFTP update, as I can’t use the feature anymore and it’s an important part of my workflow. My subscription has just expired, and with the new licensing model I’m holding off on renewing until this issue is resolved. I really hope the fix lands soon.

The main parts are now done. There are a lot of small details to finish off (things like setting attributes and expandable folders), so it's not ready for people to try yet, but the hardest parts are done.
