
Bug#877800: WinSCP 5.1x.x erroneously forced to use a weaker key-exchange due to missing patch to OpenSSH compat.c



Package: openssh-server
Version: 1:7.4p1-10+deb9u1
Severity: important

The commit/patch at
https://github.com/openssh/openssh-portable/commit/2985d4062ebf4204bbd373456a810d558698f9f5
was never picked up and merged, and now that WinSCP has recently
released version 5.11(.x), this is causing problems when wanting to use
this WinSCP version to connect to an ssh server running on Debian 9.1
that is configured to only accept diffie-hellman-group-exchange-sha256,
using this setting in sshd_config:
KexAlgorithms diffie-hellman-group-exchange-sha256

With the above setting, the client cannot connect at all and sshd logs:
fatal: No supported key exchange algorithms found [preauth]

Commenting it out, however, causes the ssh server to erroneously force a
weaker key-exchange (diffie-hellman-group14-sha1) on the user.

Connecting to a Debian 8.9 ssh server with WinSCP 5.11.1 works fine.
Also, when downgrading to WinSCP 5.9.6 the problem does not occur.

See also the report at: https://winscp.net/forum/viewtopic.php?t=25354
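
An added illustration, not part of the original report and not OpenSSH's own code: a Python model of how an over-broad version glob in a server-side compat table can produce both symptoms described above. The pattern strings, the client version string `WinSCP_release_5.11.1` and the algorithm lists are assumptions constructed for this example.

```python
from fnmatch import fnmatchcase

# Group-exchange methods withheld from clients flagged as having old DH-GEX.
GEX = {"diffie-hellman-group-exchange-sha256",
       "diffie-hellman-group-exchange-sha1"}

# Assumed glob patterns, constructed for this example (not quoted from compat.c).
LOOSE = ["WinSCP_release_5.1*"]                          # also matches 5.10, 5.11, ...
STRICT = ["WinSCP_release_5.1", "WinSCP_release_5.1.*"]  # only the 5.1 series

# Constructed algorithm lists, in preference order.
CLIENT_KEX = ["diffie-hellman-group-exchange-sha256",
              "diffie-hellman-group14-sha1"]
SERVER_DEFAULT = list(CLIENT_KEX)
SERVER_RESTRICTED = ["diffie-hellman-group-exchange-sha256"]  # KexAlgorithms line


def flagged(banner, patterns):
    """True if the client software version matches any compat pattern."""
    return any(fnmatchcase(banner, p) for p in patterns)


def negotiate(banner, server_kex, patterns):
    """Return the agreed KEX method, or raise if none can be agreed."""
    offered = [k for k in server_kex
               if not (flagged(banner, patterns) and k in GEX)]
    if not offered:
        raise RuntimeError("No supported key exchange algorithms found")
    for k in CLIENT_KEX:          # first client preference the server offers
        if k in offered:
            return k
    raise RuntimeError("no matching key exchange method")


if __name__ == "__main__":
    banner = "WinSCP_release_5.11.1"   # assumed client version string
    for name, pats in (("loose", LOOSE), ("strict", STRICT)):
        for label, srv in (("default", SERVER_DEFAULT),
                           ("restricted", SERVER_RESTRICTED)):
            try:
                result = negotiate(banner, srv, pats)
            except RuntimeError as exc:
                result = f"fatal: {exc}"
            print(f"{name:6} {label:10} -> {result}")
```
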

