SftpClient connect exception "no existing connection" #276
What version of SSH.NET are you using? |
I am using SSH.NET.2016.0.0.nupkg from https://www.nuget.org/packages/SSH.NET/ with .NET Framework 4.5.2. The puzzling thing is that with one machine all is well and not with the other, so my first idea was to ask about permissions... but on "connect" to localhost 127.0.0.1 there is not really a permission issue, it seems; only on an actual file send to the server. I am going through the source code with the Visual Studio debugger and I see a couple of socket calls that succeed (not sure about the need for the calls and the sort of data you send, however, but that's a separate item). When I get a more exact reason for the exception I will post it here. Thanks for the quick reply, by the way. |
Just FYI, here's a small program to replicate:
|
The exception comes from this call at line 94 of KeyExchangeDiffieHellmanGroupExchangeShaBase.cs:
//client sends SSH_MSG_KEX_DH_GEX_INIT
SendMessage()
and the catch is at line 1908 of Session.cs:
"this implementation is not part of the Windows Platform FIPS validated cryptographic algorithms"
So, with this you should get a pretty good idea of the issue :-) (I don't) |
Looks like you have FIPS enabled then, that will break SSH.Net <http://ssh.net/>
On Aug 16, 2017, at 3:42 PM, Pedro Vicente wrote:
the exception comes from this call at line 94 of KeyExchangeDiffieHellmanGroupExchangeShaBase.cs
//client sends SSH_MSG_KEX_DH_GEX_INIT
SendMessage()
and the catch is at line 1908 of Session.cs
"this implementation is not part of the Windows Platform FIPS validated cryptographic algorithms"
so, with this you should get a pretty good idea of the issue :-) ( I don't)
|
For anyone still coming across this issue...

SSH Targets not part of the Windows Platform FIPS validated cryptographic algorithms

The issue involves the security option
"System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing."
which affects the following registry value:
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled"

If the setting is enabled, .NET Framework will restrict usage of non-compliant algorithms, regardless of where they are implemented. I found the problem to be located in the constructor for the HostKeyEventArgs class located in SSH.NET/src/Renci.SshNet/Common/HostKeyEventArgs.cs

If you modify lines 57 through 60:
using (var md5 = CryptoAbstraction.CreateMD5())
{
    FingerPrint = md5.ComputeHash(host.Data);
}
to a FIPS compliant algorithm. I used the following as a fix:
using (var sha256 = CryptoAbstraction.CreateSHA256())
{
    FingerPrint = sha256.ComputeHash(host.Data);
}

I also commented out all but the following from ConnectionInfo
KeyExchangeAlgorithms:
diffie-hellman-group14-sha1
diffie-hellman-group-exchange-sha256
Encryptions:
aes128-ctr
aes192-ctr
aes256-ctr
HmacAlgorithms:
hmac-sha2-256
hmac-sha2-512

I left diffie-hellman-group14-sha1 in there since it is still reasonably secure; however, it should be replaced by diffie-hellman-group14-sha256, as well as implementing stronger key algorithms. |
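The workaround above patches the library (MD5 fingerprint replaced by SHA-256) and trims the ConnectionInfo algorithm tables in the source. The following is an added example, not SSH.NET's own code and not posted by anyone in this thread: it does the same trimming from the calling application through SSH.NET 2016.0.0's public ConnectionInfo dictionaries, reports whether the FIPS policy is on via CryptoConfig.AllowOnlyFipsAlgorithms (which reads the same policy as the registry value named above), and pins the host key in the HostKeyReceived handler with a SHA-256 digest computed by the CAPI-backed SHA256CryptoServiceProvider, so it does not depend on the library's MD5 FingerPrint property. Host, port, credentials and the expected fingerprint are placeholders; the algorithm names are the ones listed in the comment. Caveat: on an unpatched 2016.0.0 build the MD5 call in the HostKeyEventArgs constructor still runs before the handler, so the handler only helps once that constructor has been changed as described above.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using Renci.SshNet;
using Renci.SshNet.Common;

// Added example, not SSH.NET's own code. Host, port, credentials and the
// expected fingerprint are placeholders to be replaced with real values.
static class FipsSftpExample
{
    // OpenSSH-style "SHA256:" fingerprint of the server's host key (base64,
    // no '=' padding), e.g. the value printed by
    // `ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub` on the server.
    const string ExpectedHostKeySha256 = "REPLACE_WITH_SERVER_SHA256_FINGERPRINT";

    // Names exactly as SSH.NET registers them in ConnectionInfo. Removing
    // entries keeps the library's own preference order for what remains;
    // group14-sha1 is retained only for servers that offer nothing better.
    static readonly string[] Kex = { "diffie-hellman-group-exchange-sha256", "diffie-hellman-group14-sha1" };
    static readonly string[] Ciphers = { "aes256-ctr", "aes192-ctr", "aes128-ctr" };
    static readonly string[] Macs = { "hmac-sha2-512", "hmac-sha2-256" };

    static void Main()
    {
        // True when HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled
        // is set; .NET Framework then throws from non-validated implementations.
        Console.WriteLine("FIPS-only policy active: " + CryptoConfig.AllowOnlyFipsAlgorithms);

        var info = new PasswordConnectionInfo("127.0.0.1", 22, "user", "password");
        KeepOnly(info.KeyExchangeAlgorithms, Kex);
        KeepOnly(info.Encryptions, Ciphers);
        KeepOnly(info.HmacAlgorithms, Macs);

        using (var client = new SftpClient(info))
        {
            // Pin the host key with a digest computed here rather than with the
            // library's MD5 FingerPrint. On an unpatched 2016.0.0 build the MD5
            // call in the HostKeyEventArgs constructor still runs first, so this
            // handler is only reached once that constructor no longer uses MD5.
            client.HostKeyReceived += (sender, e) =>
            {
                string actual = Sha256Fingerprint(e.HostKey);
                e.CanTrust = actual == ExpectedHostKeySha256;
                Console.WriteLine("{0} host key SHA256:{1} trusted={2}", e.HostKeyName, actual, e.CanTrust);
            };

            client.Connect();
            foreach (var entry in client.ListDirectory("."))
                Console.WriteLine(entry.FullName);
        }
    }

    // Removes every entry of one ConnectionInfo algorithm table that is not on
    // the allow list. An allow-list name the library does not implement throws,
    // so a typo fails loudly instead of silently widening the negotiation.
    static void KeepOnly<T>(IDictionary<string, T> table, string[] allowed)
    {
        var missing = allowed.Where(a => !table.ContainsKey(a)).ToList();
        if (missing.Count > 0)
            throw new ArgumentException("Unknown algorithm(s): " + string.Join(", ", missing));
        foreach (var name in table.Keys.Where(k => !allowed.Contains(k)).ToList())
            table.Remove(name);
    }

    // SHA256CryptoServiceProvider wraps the Windows CAPI provider, which is on
    // the platform's FIPS-validated list; SHA256Managed is not and throws when
    // the policy is on. Output mirrors OpenSSH's SHA256: fingerprint format.
    static string Sha256Fingerprint(byte[] hostKey)
    {
        using (var sha256 = new SHA256CryptoServiceProvider())
            return Convert.ToBase64String(sha256.ComputeHash(hostKey)).TrimEnd('=');
    }
}
```

Build against .NET Framework 4.5.2 or later with the SSH.NET package referenced. Run it once with the policy off to confirm the fingerprint matches the server, then with the policy on: the first line tells you whether the policy is what is in play, and a connect that still throws under the policy points at a remaining non-validated primitive inside the library rather than at your algorithm selection.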
Urrrggg, still surprised people still enable it; even MS says not to, but for some reason some STIG and other guidelines still recommend it.
On Nov 26, 2019, at 4:41 PM, lifeincha0s wrote:
For anyone still coming across this issue...
SSH Targets not part of the Windows Platform FIPS validated cryptographic algorithms
The issue involves the security option
"System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing."
which affects the following registry value:
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled"
If the setting is enabled, .NET Framework will restrict usage of non-compliant algorithms, regardless of where they are implemented. I found the problem to be located in the constructor for the HostKeyEventArgs class located in SSH.NET/src/Renci.SshNet/Common/HostKeyEventArgs.cs
If you modify lines 57 through 60:
using (var md5 = CryptoAbstraction.CreateMD5())
{
FingerPrint = md5.ComputeHash(host.Data);
}
to a FIPS compliant algorithm. I used the following as a fix:
using (var sha256 = CryptoAbstraction.CreateSHA256())
{
FingerPrint = sha256.ComputeHash(host.Data);
}
I also commented out all but the following from ConnectionInfo
KeyExchangeAlgorithms:
diffie-hellman-group14-sha1
diffie-hellman-group-exchange-sha256
Encryptions:
aes128-ctr
aes192-ctr
aes256-ctr
HmacAlgorithms:
hmac-sha2-256
hmac-sha2-512
I left diffie-hellman-group14-sha1 in there since it is still reasonably secure; however, it should be replaced by diffie-hellman-group14-sha256, as well as implementing stronger key algorithms.
|
FIPS is still required in modern security frameworks today because they keep updating the standards. It basically says you can't use any encryption algorithm not approved by NIST, which is a moving target. This is a good thing. The intent is to stop someone from using old and broken, or new and unknown, solutions that may have vulnerabilities.

There was a lot of confusion that came from a Microsoft statement saying they don't recommend FIPS for non-government entities. The reason is that it's a lot of work to support and they want you to be an easy customer, not that it's a bad thing to enable. It's true that government compliance is hard. In this case, Microsoft provides the validated libraries, so the solution is easy.

That said, I would close this issue as a duplicate of #190. Both will be closed by #806. |
I did a small program that does an SftpClient connect call.

When I run the program on a Windows 10 PC on which I have administrator permissions, all works (built with Visual Studio 2015).

When I run the program on a Windows 7 PC (Visual Studio 2013) on which I do not have administrator permissions, I get an exception after the "connect" call:
"no existing connection. Will make new connection to server 127.0.0.1
Exception has been thrown by the target of an invocation"

I am using

The differences between the 2 cases seem to be only