Hello, Due to some known vulnerabilities with various weak ciphers and algorithms, we have removed them from our FTP software today, but this had the side effect of breaking our SFTP sensors. Are you perhaps using an older OpenSSH library than our FTP software? Ours uses OpenSSH 8.1.0.0. Do you have any way for us to add more cipher options to this sensor? For now, we have had to re-enable a weak KEX cipher to make the sensor work again, but this is not a long term fix. I find it troubling that you support older, weak Diffie-Hellman KEX algorithms, but not newer, secure ones. It might give someone the impression that your company doesn't care about security. =)

Details:

Failed to connect. Please check the SSH log of the target device or try the Compatibility Mode of the sensor's SSH engine and consider updating the target system's operating system. Reason: ssh_connect failed (-1)kex error : no match for method kex algos: server [ diffie-hellman-group16-sha512, diffie-hellman-group14-sha256, diffie-hellman-group-exchange-sha256], client [ curve25519-sha256@libssh.org, ecdh-sha2-nistp256, diffie-hellman-group1-sha1, diffie-hellman-group14-sha1]

We are using PRTG 20.3.61.1649+. I didn't see anything in the patch notes about updated KEX algorithms, so I didn't update yet. Let me know if there is an undocumented change on this perhaps.


Article Comments

Hi there,

Please let me know which vulnerabilities are covered by your new ciphers. In this way, I can reach out to our developers to receive more information.


Nov, 2020 - Permalink

Hello, I'm not sure I understand your response. Anything with SHA1 is regarded as insecure. PRTG currently only seems to have these KEX algorithms available: curve25519-sha256@libssh.org, ecdh-sha2-nistp256, diffie-hellman-group1-sha1, diffie-hellman-group14-sha1

Our FTP software from Globalscape (EFT) does not have support for these two: curve25519-sha256@libssh.org, ecdh-sha2-nistp256,

So, after we disabled the two SHA1 KEX algorithms, the SFTP sensor fails, because there is no common KEX algorithm between the client and server.

What I am asking is if PRTG can ADD the more secure versions of the diffie-hellman KEX algorithms: diffie-hellman-group16-sha512, diffie-hellman-group14-sha256, diffie-hellman-group-exchange-sha256


Nov, 2020 - Permalink
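The failure described in the posts above is the normal outcome of SSH key-exchange negotiation when the two algorithm lists do not intersect. The following added example (not PRTG's, libssh's or Globalscape's code) parses the "no match for method kex algos" reason strings quoted in this thread and applies the selection rule of RFC 4253 section 7.1 (the first algorithm on the client's list that the server also offers; the host-key compatibility check from the same section is left out). It also shows what the temporary workaround from the first post does: re-enabling one SHA-1 KEX on the server makes the handshake succeed, but only on that weak algorithm. The weak-algorithm classification (SHA-1 based or the 1024-bit group1 exchange) is an assumption that mirrors the thread, and the parser assumes the exact message layout shown here.

```python
"""SSH KEX negotiation (RFC 4253 section 7.1) applied to the kex error
strings quoted in the thread. Added example, not code from PRTG or libssh."""
import re

# Constructed from the two reason strings quoted in the thread.
PRTG_REASON = (
    "ssh_connect failed (-1)kex error : no match for method kex algos: "
    "server [ diffie-hellman-group16-sha512, diffie-hellman-group14-sha256, "
    "diffie-hellman-group-exchange-sha256], client [ curve25519-sha256@libssh.org, "
    "ecdh-sha2-nistp256, diffie-hellman-group1-sha1, diffie-hellman-group14-sha1]"
)
DHL_REASON = (
    "ssh_connect failed (-1)kex error : no match for method kex algos: "
    "server [diffie-hellman-group14-sha256@ssh.com,diffie-hellman-group-exchange-sha256], "
    "client [curve25519-sha256@libssh.org,ecdh-sha2-nistp256,"
    "diffie-hellman-group1-sha1,diffie-hellman-group14-sha1]"
)


def parse_kex_error(reason):
    """Return (server_list, client_list) from a libssh-style kex mismatch message.

    Assumes the 'server [ ... ], client [ ... ]' layout seen in the thread."""
    match = re.search(r"server \[(.*?)\], client \[(.*?)\]", reason)
    if not match:
        raise ValueError("not a kex mismatch message")

    def split(name_list):
        return [a.strip() for a in name_list.split(",") if a.strip()]

    return split(match.group(1)), split(match.group(2))


def negotiate_kex(client, server):
    """RFC 4253 7.1: the first algorithm in the client's preference order that the
    server also offers wins; None means the connection fails exactly as in the thread."""
    offered = set(server)
    for algo in client:
        if algo in offered:
            return algo
    return None


def is_weak_kex(algo):
    """Assumption mirroring the thread: SHA-1 based KEX and the 1024-bit group1
    exchange are treated as weak."""
    return algo.endswith("-sha1") or "group1-" in algo


def diagnose(reason):
    """Explain a mismatch: what was negotiated (if anything), whether the client
    could succeed using only strong algorithms, and which server algorithms the
    client lacks (the ones the thread asks PRTG to add)."""
    server, client = parse_kex_error(reason)
    chosen = negotiate_kex(client, server)
    strong_client = [a for a in client if not is_weak_kex(a)]
    return {
        "negotiated": chosen,
        "negotiated_is_weak": chosen is not None and is_weak_kex(chosen),
        "strong_client_only": negotiate_kex(strong_client, server),
        "server_missing_from_client": [a for a in server if a not in client],
    }


def with_weak_reenabled(reason, algo="diffie-hellman-group14-sha1"):
    """Model the workaround from the first post: the server re-adds one SHA-1 KEX
    at the end of its list. Returns the algorithm the handshake then lands on."""
    server, client = parse_kex_error(reason)
    return negotiate_kex(client, server + [algo])


if __name__ == "__main__":
    for label, reason in (("Globalscape EFT", PRTG_REASON), ("DHL", DHL_REASON)):
        print(label, diagnose(reason))
        print(label, "after re-enabling group14-sha1:", with_weak_reenabled(reason))
```

Running the block shows that neither server list overlaps with the sensor's four algorithms, that the sensor's two strong options (curve25519 and the NIST P-256 ECDH) are not offered by either server, and that the only way the workaround makes the sensor connect is by negotiating diffie-hellman-group14-sha1, which is precisely the algorithm that was removed.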

Hi Peter,

I forwarded your question to our development and received additional feedback. At the moment, we don't use the latest version of OpenSSH. Therefore, the error occurs. In addition, we are not able to enable another cipher set for this sensor, I'm sorry.


Nov, 2020 - Permalink

Hi Moritz,

When do you plan to update the KEX algos for this sensor?

We want to monitor the connectivity to an SFTP server of DHL/Deutsche Post (ebibkom.deutschepost.de). It seems that PRTG is not compatible:

Reason: ssh_connect failed (-1)kex error : no match for method kex algos: server [diffie-hellman-group14-sha256@ssh.com,diffie-hellman-group-exchange-sha256], client [curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1]

Since this is not our server, we cannot change its settings.


Nov, 2021 - Permalink

Hi there,

I asked the development for an update and they are currently checking when and how this can be implemented. Please note that this issue is currently not highly prioritized and therefore the process takes longer than usual. However, we are aware of this feature request and are working on it.


Nov, 2021 - Permalink