Recent 3.4.384 update has broken SFTP (missing ciphers)

With the recently updated 3.4.384, Netdrive SFTP connections fail. On the client, when attempting to connect, you get the error “name : Connection Error”. From the ssh server we now get this error.

Mar 14 15:04:04 do-cm-01 sshd[186736]: Unable to negotiate with {{fullip}} port 53013: no matching cipher found. Their offer: aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-cbc,aes128-cbc,arcfour128,arcfour,3des-cbc [preauth]

A successful connection from 3.4.369 used aes128-ctr.

sshd[186347]: debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 compression: none [preauth]
sshd[186347]: debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none [preauth]

I run mostly Debian servers; these are the ciphers in the default environment. With this update there are no ciphers on the server in the stock config that are compatible with what the latest Netdrive supports.

A Debian 9 system has these ciphers enabled by default:

root@cm-01:~# sshd -T | grep "\(ciphers\|macs\|kexalgorithms\)"
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1

A Debian 8 system has these ciphers:

root@deb8:~# sshd -T | grep "\(ciphers\|macs\|kexalgorithms\)"
ciphers 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,arcfour128,arcfour256,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
macs hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-sha2-512,hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-ripemd160@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com
kexalgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org

Please bring back the support for the AES CTR ciphers!

Oh, and if you need it here is the contents of the logs set to the ‘DEBUG’ level.

C:\ProgramData\NetDrive3\nd3log_nd3svc_.log

[2018/03/14 15:29:23.893] [DEBUG   ] [   17040] [SERVICE   ] Begin cmd [set_loglevel] [MsgProcessor.cpp:537]
[2018/03/14 15:29:23.894] [DEBUG   ] [   17040] [SERVICE   ] Finish cmd [set_loglevel] [MsgProcessor.cpp:579]
[2018/03/14 15:29:30.997] [DEBUG   ] [   13580] [SERVICE   ] Begin cmd [connect] [MsgProcessor.cpp:537]
[2018/03/14 15:29:30.997] [DEBUG   ] [   13580] [SERVICE   ]  pipe id _4, [MsgProcessor.cpp:95]
[2018/03/14 15:29:31.013] [DEBUG   ] [   13580] [SERVICE   ] execute_child is succeed : "C:\Program Files (x86)\Bdrive\NetDrive3\x64\nd3svc.exe" -c _4 "root@cm-01.example.org-srv" [ParentPipe.cpp:70]
[2018/03/14 15:29:31.056] [DEBUG   ] [   13580] [SERVICE   ] CParentPipe::Init:: pipe \\.\pipe\nd_mount_4 is created [ParentPipe.cpp:487]
[2018/03/14 15:29:31.056] [DEBUG   ] [   13580] [SERVICE   ] CParentPipe::Init:: pipe \\.\pipe\nd_mount_4 is connected [ParentPipe.cpp:495]
[2018/03/14 15:29:31.150] [ERROR   ] [   13580] [SERVICE   ] MsgProcessor::Mount:: failed to mount. label: root@cm-01.example.org-srv, pipe: \\.\pipe\nd_mount_4 [MsgProcessor.cpp:140]
[2018/03/14 15:29:31.374] [DEBUG   ] [   13580] [SERVICE   ] Finish cmd [connect] [MsgProcessor.cpp:579]

C:\ProgramData\NetDrive3\nd3log\nd3svc_root@cm-01.example.org-srv.log

[2018/03/14 15:29:31.056] [ERROR   ] [    6908] [SERVICE   ] [ nd3 sdk version - child nd3svc : 3.4.384 ] [Child.cpp:132]
[2018/03/14 15:29:31.056] [DEBUG   ] [    6908] [SERVICE   ] StartChild:: connected to pipe \\.\pipe\nd_mount_4 [Child.cpp:282]
[2018/03/14 15:29:31.056] [DEBUG   ] [    6908] [SERVICE   ] StartChild:: created to client pipe of \\.\pipe\nd_mount_4 [Child.cpp:291]
[2018/03/14 15:29:31.056] [MESSAGE ] [    6908] [FILESYSTEM] FS_Initialize
[2018/03/14 15:29:31.057] [DEBUG   ] [    6908] [SERVICE   ] CChildPipe::request_info:: 5360 received response [ChildPipe.cpp:106]
[2018/03/14 15:29:31.058] [DEBUG   ] [    6908] [SERVICE   ] StartCache:: root@cm-01.example.org-srv[4] [Child.cpp:156]
[2018/03/14 15:29:31.067] [DEBUG   ] [    6908] [SERVICE   ]  CACHE PATH : C:\ProgramData\NetDrive3\_cache_\root@cm-01.example.org-srv [Child.cpp:171]
[2018/03/14 15:29:31.067] [DEBUG   ] [    6908] [SERVICE   ]  CACHE PATH : C:\ProgramData\NetDrive3\_cache_\root@cm-01.example.org-srv [Child.cpp:175]
[2018/03/14 15:29:31.068] [DEBUG   ] [    6908] [CACHE     ]  Cache path C:\ProgramData\NetDrive3\_cache_\root@cm-01.example.org-srv\, 354,969,268,224 bytes left
[2018/03/14 15:29:31.068] [MESSAGE ] [    6908] [CACHE     ] Cache initialized : C:\ProgramData\NetDrive3\_cache_\root@cm-01.example.org-srv, Storage limit : 4,294,967,296 bytes
[2018/03/14 15:29:31.068] [DEBUG   ] [   16648] [CACHE     ] Cache quota manager started
[2018/03/14 15:29:31.089] [MESSAGE ] [    6908] [NETWORK   ] [INFORMATION] Rebuilt URL to: sftp://cm-01.example.org:22/
[2018/03/14 15:29:31.094] [MESSAGE ] [    6908] [NETWORK   ] [INFORMATION]   Trying 2001:db8::6...
[2018/03/14 15:29:31.094] [MESSAGE ] [    6908] [NETWORK   ] [INFORMATION] TCP_NODELAY set
[2018/03/14 15:29:31.095] [MESSAGE ] [    6908] [NETWORK   ] [INFORMATION] Connected to cm-01.example.org (2001:db8::6) port 22 (#0)
[2018/03/14 15:29:31.103] [MESSAGE ] [    6908] [NETWORK   ] [INFORMATION] Failure establishing ssh session
[2018/03/14 15:29:31.103] [MESSAGE ] [    6908] [NETWORK   ] [INFORMATION] Closing connection 0
[2018/03/14 15:29:31.114] [MESSAGE ] [    6908] [NETWORK   ] [INFORMATION] Rebuilt URL to: sftp://cm-01.example.org:22/
[2018/03/14 15:29:31.114] [MESSAGE ] [    6908] [NETWORK   ] [INFORMATION] Hostname cm-01.example.org was found in DNS cache
[2018/03/14 15:29:31.114] [MESSAGE ] [    6908] [NETWORK   ] [INFORMATION]   Trying 2001:db8::6...
[2018/03/14 15:29:31.114] [MESSAGE ] [    6908] [NETWORK   ] [INFORMATION] TCP_NODELAY set
[2018/03/14 15:29:31.114] [MESSAGE ] [    6908] [NETWORK   ] [INFORMATION] Connected to cm-01.example.org (2001:db8::6) port 22 (#1)
[2018/03/14 15:29:31.121] [MESSAGE ] [    6908] [NETWORK   ] [INFORMATION] Failure establishing ssh session
[2018/03/14 15:29:31.121] [MESSAGE ] [    6908] [NETWORK   ] [INFORMATION] Closing connection 1
[2018/03/14 15:29:31.132] [MESSAGE ] [    6908] [NETWORK   ] [INFORMATION] Rebuilt URL to: sftp://cm-01.example.org:22/
[2018/03/14 15:29:31.132] [MESSAGE ] [    6908] [NETWORK   ] [INFORMATION] Hostname cm-01.example.org was found in DNS cache
[2018/03/14 15:29:31.132] [MESSAGE ] [    6908] [NETWORK   ] [INFORMATION]   Trying 2001:db8::6...
[2018/03/14 15:29:31.132] [MESSAGE ] [    6908] [NETWORK   ] [INFORMATION] TCP_NODELAY set
[2018/03/14 15:29:31.132] [MESSAGE ] [    6908] [NETWORK   ] [INFORMATION] Connected to cm-01.example.org (2001:db8::6) port 22 (#2)
[2018/03/14 15:29:31.139] [MESSAGE ] [    6908] [NETWORK   ] [INFORMATION] Failure establishing ssh session
[2018/03/14 15:29:31.139] [MESSAGE ] [    6908] [NETWORK   ] [INFORMATION] Closing connection 2
[2018/03/14 15:29:31.150] [DEBUG   ] [    6908] [PROTOCOL  ] Protocol::Connect with explicit FTPS url:sftp://cm-01.example.org:22, return 1
[2018/03/14 15:29:31.150] [MESSAGE ] [    6908] [CACHE     ] Uninitialize cache...
[2018/03/14 15:29:31.370] [DEBUG   ] [   16648] [CACHE     ] Cache quota manager stopped
[2018/03/14 15:29:31.370] [MESSAGE ] [    6908] [CACHE     ] Cache uninitialized

@francyci Please refer to the following topic.

Thanks for your feedback.

@support1

I really don’t think that is a very helpful answer. I am not the administrator of some of the servers I need to connect to, and so changing the accepted ciphers is not an option.

Also, the CBC mode is generally considered to be less secure than the CTR mode, and so is not enabled in the default cipher list on many systems, including any system running OpenSSH newer than 6.7.

http://www.openssh.com/txt/release-6.7

OpenSSH 6.7 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.

Potentially-incompatible changes

  • sshd(8): The default set of ciphers and MACs has been altered to
    remove unsafe algorithms. In particular, CBC ciphers and arcfour*
    are disabled by default.

https://calomel.org/openssh.html

SECURITY NOTE: Notice that we have specified the “Ciphers” for the client and server config files. It is important to only use the Advanced Encryption Standard (AES) encryption with stateful-decryption counter (CTR) only. AES with CBC is vulnerable to the Plaintext Recovery Attack Against SSH.

Please find a way to enable the AES*-CTR ciphers.
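The two posts above come down to one check: does the client's offered cipher list overlap with what the server's effective config (the `sshd -T` output) actually allows, and is the client only offering the CBC/arcfour algorithms that OpenSSH 6.7 dropped from its defaults? The script below is an added example written for this thread, not code from NetDrive or OpenSSH. It parses the sshd "Unable to negotiate" line quoted in the first post (with the client IP replaced by the constructed placeholder 192.0.2.10), reads the `ciphers` line from the Debian 9 and Debian 8 `sshd -T` output quoted there, and reports the overlap and the legacy algorithms, so an administrator can tell from the server log alone whether a failure is a client that needs an update rather than a server that needs its cipher list loosened.

```python
"""Cross-check sshd "no matching cipher found" log lines against the server's
effective algorithm lists (`sshd -T` output) and flag legacy client offers.

Added example for this thread; not NetDrive's or OpenSSH's own code.
The log line and the `sshd -T` lines are copied from the thread; the client
IP 192.0.2.10 is a constructed placeholder.
"""
import re

# Constructed sample: the sshd line from the thread, IP placeholder substituted.
SSHD_LOG_LINE = (
    "Mar 14 15:04:04 do-cm-01 sshd[186736]: Unable to negotiate with 192.0.2.10 "
    "port 53013: no matching cipher found. Their offer: aes256-cbc,"
    "rijndael-cbc@lysator.liu.se,aes192-cbc,aes128-cbc,arcfour128,arcfour,"
    "3des-cbc [preauth]"
)

# `ciphers` lines from `sshd -T` as quoted in the thread (Debian 9 and Debian 8).
SSHD_T_DEBIAN9 = (
    "ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,"
    "aes128-gcm@openssh.com,aes256-gcm@openssh.com"
)
SSHD_T_DEBIAN8 = (
    "ciphers 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,arcfour128,arcfour256,"
    "aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,"
    "aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,"
    "chacha20-poly1305@openssh.com"
)

# sshd emits the same message shape for ciphers, MACs, KEX methods and host key types.
NEGOTIATE_RE = re.compile(
    r"Unable to negotiate with (?P<peer>\S+) port (?P<port>\d+): "
    r"no matching (?P<kind>cipher|MAC|key exchange method|host key type) found\. "
    r"Their offer: (?P<offer>\S+)"
)

# CBC modes and arcfour were removed from OpenSSH defaults in 6.7; 3DES is legacy too.
LEGACY_RE = re.compile(r"-cbc(@|$)|^arcfour|^3des-")


def parse_negotiation_failure(line):
    """Return (peer, kind, [offered algorithms]) or None for unrelated lines."""
    m = NEGOTIATE_RE.search(line)
    if not m:
        return None
    return m.group("peer"), m.group("kind"), m.group("offer").split(",")


def server_algorithms(sshd_t_output, key="ciphers"):
    """Extract one algorithm list (ciphers, macs or kexalgorithms) from `sshd -T` output."""
    for entry in sshd_t_output.splitlines():
        name, _, value = entry.partition(" ")
        if name == key:
            return value.split(",")
    return []


def assess(offer, server_list):
    """Compare a client's offer with the server's list.

    'common' empty means the handshake cannot succeed as configured;
    'client_only_legacy' means every algorithm the client offered is one
    OpenSSH disables by default, i.e. the client, not the server, is the
    odd one out.
    """
    common = [a for a in offer if a in server_list]
    legacy = [a for a in offer if LEGACY_RE.search(a)]
    return {
        "common": common,
        "legacy_offered": legacy,
        "client_only_legacy": len(legacy) == len(offer),
    }


def scan_log(lines, sshd_t_output):
    """Run the check over many sshd log lines; returns one finding per failure."""
    findings = []
    for line in lines:
        parsed = parse_negotiation_failure(line)
        if parsed is None:
            continue
        peer, kind, offer = parsed
        key = {"cipher": "ciphers", "MAC": "macs"}.get(kind, "kexalgorithms")
        result = assess(offer, server_algorithms(sshd_t_output, key))
        result.update(peer=peer, kind=kind)
        findings.append(result)
    return findings


if __name__ == "__main__":
    for finding in scan_log([SSHD_LOG_LINE], SSHD_T_DEBIAN9):
        print(finding)
```

Run against the Debian 9 list the overlap is empty and every offered cipher is flagged as legacy, which is exactly the situation in the thread; run against the Debian 8 list all seven offered ciphers are accepted, which is why the same client still works on older servers.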
