Re: Identifying a buggy SFTP server found at an archaeological dig

[Ron Frederick <ronf%timeheart.net@localhost>]

On May 8, 2024, at 1:18 AM, Peter Gutmann <pgut001%cs.auckland.ac.nz@localhost> wrote:

Ron Frederick <ronf%timeheart.net@localhost> writes:

A quick search for that identification string with Google seems to point at a
“Chilkat sFTP” server

Yeah, I'd seen that too but saw other info that it used "SSH-2.0-
Chilkat_<version>", and I'm nervous about adding a bugfix for a particular
broken server that may end up misidentifying non-broken servers, either ones
that use the same generic string or ones that fixed it at some point but since
the string doesn't include a version you can't tell who's running the fixed
version.  From this page:

https://www.chilkatsoft.com/refdoc/cssftpref.html

it looks like they disabled stuff like HMAC-MD5, RIPEMD-160, and similar only
in the very latest version (April 2024), so perhaps "SSH-2.0-FTP Server ready"
= broken, "SSH-2.0-Chilkat_<version>" = non-broken?

The version in the last link I sent was 9.5.0.43, which is actually older than the Chilkat release notes seem to cover (oldest is 9.5.0.75 from 2018), but that seems consistent with 9.5.0.43 being from 2014. If you could find a way to download that version (perhaps from one of the Internet archives?), you might be able to confirm what server identifier it defaults to. Since this appears to be a commercial product, though, that may be easier said than done. You’re probably better off reaching out to the company to see when they added support for the current SSH_MSG_KEY_DH_GEX_REQUEST (34) rather than SSH_MSG_KEY_DH_GEX_REQUEST_OLD (30).

Alternately, you could try and work around this by having your client not advertise any of the group-exchange kex algorithms (anything starting with "diffie-hellman-group-exchange-“).

-- 
Ron Frederick
ronf%timeheart.net@localhost