Weak encryption with SFTP plugin

Posted: 2014-05-02, 14:36 UTC
by sugi
Hello,
I'm having some issues with the weak encryption supported by the SFTP plugin.
I have disabled weak crypto algorithms on my ssh server, following the suggestions on bettercrypto.org. Now the result is that the SFTP plugin is unable to connect.
JuiceSSH is able to connect just fine, indicating that this is not a system issue, but merely a lack of support in the plugin.
Is there any chance to get the support for better encryption?

Posted: 2014-05-02, 15:09 UTC
by ghisler(Author)
Can you give me more information, please?
- which ciphers are not supported?
- how do I need to configure the ssh server (on ghisler.com, using CentOS Linux) to reproduce the problem?

Posted: 2014-05-02, 15:31 UTC
by sugi
Wow, thanks for the quick reply.
My ssh server is configured (/etc/ssh/sshd_config) with the following settings.

Code:

Ciphers aes256-ctr,aes128-ctr
MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1

The details about the configuration can be found on bettercrypto.org. The PDF file on the top right explains the reasons why the other algorithms were disabled. One being forward secrecy in case the key is leaked for any reason.

After configuring the ssh server and trying to log in with a client that doesn't support the necessary algorithms, I have an error like the following in /var/log/auth.log. Total Commander also displays a similar error message.

Code:

May  2 16:06:18 aerith sshd[9542]: fatal: no matching mac found: client hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96 server hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
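
To read the negotiation failure quoted above against the server's configuration, the following added example (not part of the original posts, and not Total Commander or sshj code) parses the sshd_config list directives and the "no matching ... found" log line and reports which algorithms both sides share. The function names are hypothetical, the sample input is copied from the thread, and the cipher variant of the log message is assumed to have the same shape as the mac line.

```python
import re

# Sample input copied from the thread: sshd_config directives and the auth.log line.
SSHD_CONFIG = """\
Ciphers aes256-ctr,aes128-ctr
MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
"""
AUTH_LOG_LINE = (
    "May  2 16:06:18 aerith sshd[9542]: fatal: no matching mac found: "
    "client hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96 "
    "server hmac-sha2-512,hmac-sha2-256,hmac-ripemd160"
)

# Assumption: cipher failures are logged in the same shape as the mac line above.
KIND_TO_KEYWORD = {"cipher": "Ciphers", "mac": "MACs"}
FAILURE = re.compile(
    r"sshd\[\d+\]: fatal: no matching (?P<kind>cipher|mac) found: "
    r"client (?P<client>\S+) server (?P<server>\S+)"
)

def parse_sshd_config(text):
    """Return {lowercased keyword: [algorithms]}; the first occurrence of a keyword wins."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip().split(","))
    return settings

def explain_failure(log_line, config):
    """Return the client/server offers and their overlap, or None for unrelated lines."""
    m = FAILURE.search(log_line)
    if m is None:
        return None
    client, server = m["client"].split(","), m["server"].split(",")
    keyword = KIND_TO_KEYWORD[m["kind"]]
    return {
        "keyword": keyword,
        "client_offer": client,
        "server_offer": server,
        # SSH picks the first client-preferred algorithm the server also supports.
        "common": [alg for alg in client if alg in server],
        # True when the logged server list is what this sshd_config sets.
        "matches_config": config.get(keyword.lower()) == server,
    }

if __name__ == "__main__":
    print(explain_failure(AUTH_LOG_LINE, parse_sshd_config(SSHD_CONFIG)))
```

An empty "common" list together with "matches_config" being true means the server is behaving as configured and the client has to gain support for one of the listed algorithms.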

Posted: 2014-05-04, 14:31 UTC
by ghisler(Author)
Edit: The problem seems to be SHA2-256. The sshj library from 2012 only supports MD5 and SHA1. I will check whether I can add SHA-256 somehow.

Posted: 2014-05-04, 15:42 UTC
by sugi
Thanks, that would make Total Commander unique, as I didn't find another app that would allow good encryption.

Posted: 2014-05-05, 15:21 UTC
by ghisler(Author)
Please try the following beta:
tcandroidsftp103b1.apk

I cannot guarantee that it will work - I had to write quite a bit of code to make it work:
- hmac-sha2-512,
- hmac-sha2-256,
- diffie-hellman-group-exchange-sha256,
- diffie-hellman-group-exchange-sha1

The following was already supported, but it's weaker than the above two:
- diffie-hellman-group14-sha1

I tested all with ghisler.com, but didn't turn off the weaker algorithms - I just put the new ones in front and checked in the debugger that they were used.

Here are the changed sources:
sshj_changes_sha2.zip

Posted: 2014-05-05, 16:28 UTC
by sugi
ghisler(Author) wrote: Please try the following beta:
tcandroidsftp103b1.apk
It's working like a charm!
Login is working well, and files are copying right now.
Thanks a lot.

Posted: 2014-05-06, 14:34 UTC
by ghisler(Author)
Nice to hear that! Currently hmac-sha2-512 is the default, but I will probably make hmac-sha2-256 the default. The encryption uses 256bit too, so using 512bit for authenticity seems to be overkill.