Re: Identifying a buggy SFTP server found at an archaeological dig

To: Peter Gutmann <pgut001%cs.auckland.ac.nz@localhost>

Subject: Re: Identifying a buggy SFTP server found at an archaeological dig

From: Ron Frederick <ronf%timeheart.net@localhost>

Date: Tue, 14 May 2024 18:20:26 -0700

On May 12, 2024, at 3:08 AM, Peter Gutmann <pgut001%cs.auckland.ac.nz@localhost> wrote:

Ron Frederick <ronf%timeheart.net@localhost> writes:
Alternately, you could try and work around this by having your client not
advertise any of the group-exchange kex algorithms (anything starting with
"diffie-hellman-group-exchange-“).

That's somewhat overkill, I don't want to remove any GEX capability just to
deal with one broken server. I think:

"SSH-2.0-FTP Server ready" -> SSH_MSG_KEY_DH_GEX_REQUEST_OLD
"SSH-2.0-Chilkat_<version>" -> SSH_MSG_KEY_DH_GEX_REQUEST

will do for now, since it fixes the problem with the broken implementation and
doesn't affect any other implementations (I've already got code paths in there
for other implementatons that need this, it's just that the behaviour of this
particular Chilkat server was a new one for me). I'll report back if this
causes any problems in case the info is of use to others.

This assumes that the Chilkat SSH version string changed at the same time as the support for GEX_REQUEST was added. Otherwise, there might be versions with the new version string that still only support GEX_REQUEST_OLD or vice-versa.

It’s also not clear whether the version string change was actually a change in the Chilkat defaults, or if one or both of them was actually explicit configuration on a specific server and not applicable to other server instances (though I’ll admit that’s a bit unlikely).

That said, if this works for the servers you need to connect to, that’s great...

--
Ron Frederick
ronf%timeheart.net@localhost