Hi,
In order to tighten up security, we're changing our SSH server to only support the following key exchanges:
- curve25519-sha256
- diffie-hellman-group-exchange-sha256

Most of our users are using PuTTY, which handles these algorithms fine; however, our AbsoluteTelnet user receives the following error:
failed to negotiate key exchange algorithm
It looks like AbsoluteTelnet doesn't support SHA256-based key exchange algorithms.
Is support for these more secure algorithms under active development at the moment? If so, I'm happy to beta test.
E
Thanks for the report! I've been working on some improvements to Absolute to help combat this issue, adding new key exchange and message authentication algorithms as specified in RFC4419 and RFC6668. If you'd like to take it for a spin, grab the latest release candidate here:
http://www.celestialsoftware.net/telnet/beta_software.html
Brian
Hi Brian,
Thanks for the quick work! I can confirm that the new version is connecting with:
- A Key Exchange protocol of diffie-hellman-group-exchange-sha256
- Encrypting using the aes256-ctr Cipher
- Authenticating messages using hmac-sha2-512
Great work, thanks for such a quick response.
Eric
I'm encountering the same error trying to log into a Synology NAS device. I've just tried the 9.84rc version without any improvement. PuTTY connects just fine. Any suggestions?
Geoff,
Can you provide any more detail? For example, what is the *EXACT* error message you're getting?
Also, make sure you are using the latest. It should say "RELEASE CANDIDATE 10" in the title bar when you run it.
Brian
Definitely running rc10 - downloaded from the link you gave above, and it shows a popup on startup saying that it is a release candidate etc etc.
The text in the AbsoluteTelnet window during login attempt is as follows:
Connecting to abcdefg:49613 attempting 192.168.13.10:49613... Success! disconnected: failed to negotiate client to server encryption algorithm
The sshd log file shows:
Feb 19 09:26:15 DS212J sshd[5347]: Connection from 192.168.13.50 port 56157 on 192.168.13.10 port 49613
Feb 19 09:26:15 DS212J sshd[5347]: SSH: Server;Ltype: Version;Remote: 192.168.13.50-56157;Protocol: 2.0;Client: 1.81 sshlib: AbsoluteTelnet
Feb 19 09:26:15 DS212J sshd[5347]: fatal: no matching cipher found: client twofish256-cbc,blowfish-cbc,3des-cbc,aes256-cbc,arcfour,cast128-cbc server aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com [preauth]
Let me know if there is anything else I can provide to help with this.
This is neither a KEX nor a MAC problem, just simple encryption algorithm selection. Based on the message, it seems you have the CTR-mode AES encryptions disabled.
Go to options->Properties->Connection->ssh2 and click the 'encryption' button. Move at least AES-256-CTR up to the top of the list. Connect again.
Post here with your results.
Hope this helps
Brian
Yes, thanks. That sorted it.
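The cipher mismatch in the sshd log above, worked through as an added example (not part of the thread and not AbsoluteTelnet or OpenSSH code): this Python script parses the `no matching ... found: client ... server ...` entry and applies the RFC 4253 selection rule, which picks the first name on the client's list that the server also offers. The function names are illustrative, and the log layout is assumed to match the entries quoted in the thread.

```python
import re

# Sample input: the three sshd entries quoted in the thread.
SAMPLE_LOG = """\
Feb 19 09:26:15 DS212J sshd[5347]: Connection from 192.168.13.50 port 56157 on 192.168.13.10 port 49613
Feb 19 09:26:15 DS212J sshd[5347]: SSH: Server;Ltype: Version;Remote: 192.168.13.50-56157;Protocol: 2.0;Client: 1.81 sshlib: AbsoluteTelnet
Feb 19 09:26:15 DS212J sshd[5347]: fatal: no matching cipher found: client twofish256-cbc,blowfish-cbc,3des-cbc,aes256-cbc,arcfour,cast128-cbc server aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com [preauth]
"""

# "kind" is captured generically (cipher here); other kinds are an assumption.
MISMATCH = re.compile(
    r"sshd\[(?P<pid>\d+)\]: fatal: no matching (?P<kind>[\w ]+?) found: "
    r"client (?P<client>\S+) server (?P<server>\S+)"
)
# Client version banner line, in the layout shown in the thread's log.
VERSION = re.compile(r"sshd\[(?P<pid>\d+)\]: SSH: .*;Client: (?P<banner>.+)$")


def negotiate(client, server):
    """RFC 4253 section 7.1: first client-listed name the server also lists."""
    return next((name for name in client if name in server), None)


def explain_failures(log_text):
    """Return one finding per negotiation failure, tied to the client banner."""
    banners, findings = {}, []
    for line in log_text.splitlines():
        if (m := VERSION.search(line)):
            banners[m["pid"]] = m["banner"].strip()
        elif (m := MISMATCH.search(line)):
            client = m["client"].split(",")
            server = m["server"].split(",")
            findings.append({
                "kind": m["kind"],
                "client_software": banners.get(m["pid"], "unknown"),
                "client_offer": client,
                "agreed": negotiate(client, server),
                # Enabling any one of these on the client lets negotiation succeed.
                "client_must_enable_one_of": server,
            })
    return findings


if __name__ == "__main__":
    for finding in explain_failures(SAMPLE_LOG):
        print(finding)
```

Run against the thread's log, the finding shows no overlap between the two lists, which is why moving AES-256-CTR into the client's enabled list resolved the failure.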