Beginner: sftp doesn't work

Hello,
I really appreciate any help on this.
I have to connect to an external server via sftp. Our server is a Linux machine:

Linux our.server.com 3.10.0-514.26.2.el7.x86_64 #1 SMP Tue Jul 4 15:04:05
UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

I generated the keys, put them in /root/.ssh, sent public one to the customer.

Well, something doesn't work. Here is what it looks like:

[root@kestrel tmp]# sftp -vvv user_name@xxxx.yyyyyy.ca
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to xxxx.yyyyyy.ca [216.220.60.44] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug3: Incorrect RSA1 identifier
debug3: Could not load "/root/.ssh/id_rsa" as a RSA1 public key
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug1: Remote protocol version 2.0, remote software version SilverSHielD
debug1: no match: SilverSHielD
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "xxxx.yyyyyy.ca" from file "/roo
t/.ssh/known_hosts"
debug3: load_hostkeys: loaded 0 keys
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-
sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hel
lman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-n
istp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed2551
9-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com
,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,e
cdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour12
8,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,ae
s128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndae
l-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour12
8,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,ae
s128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndae
l-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,um
ac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hma
c-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@opens
sh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-1
28@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh
.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,um
ac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hma
c-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@opens
sh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-1
28@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh
.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-gro
up1-sha1,diffie-hellman-group14-sha1
debug2: kex_parse_kexinit: ssh-rsa
debug2: kex_parse_kexinit: blowfish-cbc,twofish256-cbc,twofish192-cbc,twofish128
-cbc,aes256-cbc,aes192-cbc,aes128-cbc,serpent256-cbc,serpent192-cbc,serpent128-c
bc,idea-cbc,cast128-cbc,aes128-ctr,aes192-ctr,aes256-ctr,blowfish-ctr,twofish128
-ctr,twofish192-ctr,twofish256-ctr,serpent128-ctr,serpent192-ctr,serpent256-ctr,
idea-ctr,cast128-ctr
debug2: kex_parse_kexinit: blowfish-cbc,twofish256-cbc,twofish192-cbc,twofish128
-cbc,aes256-cbc,aes192-cbc,aes128-cbc,serpent256-cbc,serpent192-cbc,serpent128-c
bc,idea-cbc,cast128-cbc,aes128-ctr,aes192-ctr,aes256-ctr,blowfish-ctr,twofish128
-ctr,twofish192-ctr,twofish256-ctr,serpent128-ctr,serpent192-ctr,serpent256-ctr,
idea-ctr,cast128-ctr
debug2: kex_parse_kexinit: hmac-sha1,hmac-ripemd160,hmac-ripemd,hmac-ripemd160@o
penssh.com,hmac-sha256@ssh.com,umac-32@openssh.com,umac-64@openssh.com,umac-96@o
penssh.com,umac-128@openssh.com
debug2: kex_parse_kexinit: hmac-sha1,hmac-ripemd160,hmac-ripemd,hmac-ripemd160@o
penssh.com,hmac-sha256@ssh.com,umac-32@openssh.com,umac-64@openssh.com,umac-96@o
penssh.com,umac-128@openssh.com
debug2: kex_parse_kexinit: none,zlib,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: setup hmac-sha1
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug2: mac_setup: setup hmac-sha1
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: kex: diffie-hellman-group-exchange-sha1 need=20 dh_need=20
debug1: kex: diffie-hellman-group-exchange-sha1 need=20 dh_need=20
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<7680<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
Received disconnect from 216.220.60.44: 6: Invalid packet
Couldn't read packet: Connection reset by peer
[root@kestrel tmp]#

---------- Post updated at 12:50 PM ---------- Previous update was at 12:47 PM ----------

This is .ssh dir

[root@kestrel .ssh]# pwd
/root/.ssh
You have new mail in /var/spool/mail/root
[root@kestrel .ssh]# ls -ltr
total 24
-rw-------  1 root root  406 Mar  3  2017 authorized_keys
-rw-r--r--  1 root root  410 Jun 21 11:37 user_name.pub
-rw-------  1 root root 1679 Jun 21 11:37 user_name
-rwx------  1 root root 1679 Jun 21 13:53 id_rsa
-rwx------  1 root root  410 Jun 21 13:54 id_rsa.pub
-rw-r--r--. 1 root root 1773 Jun 21 14:33 known_hosts

---------- Post updated at 12:59 PM ---------- Previous update was at 12:50 PM ----------

The customer thinks it may be old or weaker cipher algorithms being used at our end. Is there a way to check if that is the cause of the problem?

Thank you

You must first have placed your ssh key (from the kestrel /root/.ssh directory) into the remote directory, the .ssh directory in the login directory tree for the remote user. The .ssh directory there has to have correct permissions. Your local .ssh looks fine inside. Verify that the correct permissions are set on the directory /root/.ssh.

I cannot tell if those are set up correctly. Please verify. It is usually the cause of this kind of problem.

Sorry, but it doesn't look fine at all: id_rsa holds the private key and this file should be 600 at most. Most modern ssh-versions react quite uncool when they encounter excessive filemodes. The x-flag should also be removed from id_rsa.pub (it won't execute anyway, no?).

I hope this helps.

bakunin

@Billy5

Configure your sshd_config with the Ciphers below. Make sure to comment out the existing Ciphers line and append the one below.

If your SSHD configuration does not have any Ciphers line, just add the one below to your sshd configuration.

# vi /etc/ssh/ssh_config
Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
# sudo systemctl reload sshd

Let us know how it went through.

Thanks & Regards,
Bobin Lonston
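
One way to check the question about old or weak algorithms from the `sftp -vvv` output itself, as an added example that is not part of the original thread: it pairs the two `kex_parse_kexinit` blocks (client proposal first, then the server's) and picks, per RFC 4253, the first client preference the server also offers. It assumes the OpenSSH 6.6.1 debug format shown above; the function names and the abridged sample are constructed for illustration.

```python
import re

# The ten name-lists of an SSH KEXINIT message, in wire order (RFC 4253, 7.1).
FIELDS = ["kex", "host_key", "cipher_c2s", "cipher_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]
PREFIX = "debug2: kex_parse_kexinit:"

def parse_proposals(log_text):
    """Return (client, server) dicts of name-lists from `ssh -vvv` output."""
    joined = []
    for line in log_text.splitlines():
        # Re-join lists that a terminal wrapped onto continuation lines.
        if joined and not line.startswith("debug") and joined[-1].startswith(PREFIX):
            joined[-1] += line.strip()
        else:
            joined.append(line.strip())
    lists = [l[len(PREFIX):].strip() for l in joined if l.startswith(PREFIX)]
    # Drop the two trailer lines of each block; empty language lists stay.
    lists = [l for l in lists if not re.match(r"(first_kex_follows|reserved) ", l)]
    if len(lists) != 20:
        raise ValueError("expected 2 x 10 name-lists, got %d" % len(lists))
    names = [[a for a in l.split(",") if a] for l in lists]
    return dict(zip(FIELDS, names[:10])), dict(zip(FIELDS, names[10:]))

def negotiate(client, server):
    """First client preference the server also offers; None if no overlap.

    The language lists are normally empty, so None is expected for them.
    """
    return {f: next((a for a in client[f] if a in server[f]), None)
            for f in FIELDS}

# Constructed sample: both proposals abridged from the debug output above.
CLIENT = ["curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha1",
          "ssh-ed25519,ssh-rsa", "aes128-ctr,aes256-ctr", "aes128-ctr,aes256-ctr",
          "hmac-md5,hmac-sha1", "hmac-md5,hmac-sha1", "none", "none", "", ""]
SERVER = ["diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1",
          "ssh-rsa", "blowfish-cbc,aes128-ctr", "blowfish-cbc,aes128-ctr",
          "hmac-sha1,hmac-ripemd160", "hmac-sha1,hmac-ripemd160",
          "none", "none", "", ""]
SAMPLE = "\n".join(PREFIX + " " + l for block in (CLIENT, SERVER)
                   for l in block + ["first_kex_follows 0", "reserved 0"])

if __name__ == "__main__":
    for field, algo in negotiate(*parse_proposals(SAMPLE)).items():
        print("%-11s %s" % (field, algo or "(none in common)"))
```

On the sample this yields aes128-ctr, hmac-sha1 and diffie-hellman-group-exchange-sha1, the same choices the `debug1: kex:` lines in the log report before the disconnect.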