Score:0

Does FileZilla Server require a public key to work?


I've installed FileZilla Pro Server to host my FTP/SFTP site.

If I try to log into the SFTP server using FileZilla client, it works just fine.

But we have another company trying to log in and they are getting errors.

2022-11-29 13:25:39.207 FTP< CONNECT ftp.domain.com:22

processLoginCommand(): Exception while Connecting for InbdProfId: 5915 UserName: XXXXXXXXXedi

Exception: com.transentric.agilink.ftp.core.exception.TransentricSSHException: com.sshtools.ssh.SshException: Failed to process key exchange [com.sshtools.ssh.SshException] [com.sshtools.ssh.SshException]

We have been unable to figure out why.

FileZilla has some public/private key stuff that can be set up. I'm not doing any of that. I was thinking that, since I can log in using FileZilla client using a regular username and password, that it shouldn't be necessary.

But there is a public key section in FileZilla Server. Does anyone know when this key is required to be set up?


so flag
The key exchange (aka KEX) has nothing to do with the user's public key. Most likely the client's SSH implementation is not compatible with your SFTP server (they cannot agree on a common KEX algorithm). I do not know if FileZilla Pro Server has any configuration options regarding KEX. If it does, check if it allows enabling some additional algorithms (possibly less secure) that the client might support.
Score:1

SSH key exchange establishes a one-time session key, and authenticates the server via its host key. This is different from user authentication, where user keys or passwords or Kerberos are among the options.

The entire point of the ssh protocol is to establish an encrypted channel where it is possible to send such weak authentication as passwords over insecure networks. Compare to ensuring a TLS encrypted https session exists before sending secrets to a web server.

Key exchange algorithms are updated over time as cryptography research makes older methods insecure. Have them update their sftp software to be sure it has modern algorithms.

While troubleshooting this, start a packet capture on the server for its ssh port. Wireshark can do some detailed dissection of ssh protocol, to see what happens in the packets.

Get the ssh client to say what KEX was attempted. For example, the OpenSSH client at higher verbosity will say exactly what the client and server have for algorithms. Run ssh -vv and examine the algorithms around the KEXINIT events. You are not using OpenSSH, so also read the documentation on how exactly the negotiation works in your implementation.

Jonathan Wood
Thanks. Unfortunately, the other company isn't very communicative. But I'll use your answer to increase my understanding.
John Mahowald
You can ssh to and examine KEX on your own server to see what is offered. Getting someone technical from the other party, to explain what version of software they use, and possibly to update it, is another matter.
Jonathan Wood
That is sort of outside my area of expertise. I may need to bring someone else in on this. Are you by chance available for a bit of consulting?
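
The negotiation both answers describe, as an added example that is not part of the original thread and is not FileZilla or sshtools code: it parses the name-lists of an SSH_MSG_KEXINIT payload (RFC 4253, section 7.1) and applies the basic selection rule, showing why a client with only older KEX algorithms fails before any password or user key is involved. The algorithm lists are constructed samples, and the helper names are hypothetical.

```python
import struct

# Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]
SSH_MSG_KEXINIT = 20

def build_kexinit(lists):
    """Build a KEXINIT payload; used here only to create the sample data."""
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)  # message type + 16-byte cookie
    for name in FIELDS:
        joined = ",".join(lists.get(name, [])).encode("ascii")
        body += struct.pack(">I", len(joined)) + joined
    return body + bytes(5)  # first_kex_packet_follows (1) + reserved (4)

def parse_kexinit(payload):
    """Return {field: [algorithm, ...]} from a KEXINIT payload (no packet framing)."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset, out = 17, {}
    for name in FIELDS:
        length = int.from_bytes(payload[offset:offset + 4], "big")
        offset += 4
        if offset + length > len(payload):  # also catches a cut-off length field
            raise ValueError("truncated name-list")
        raw = payload[offset:offset + length].decode("ascii")
        out[name] = raw.split(",") if raw else []
        offset += length
    return out

def negotiate(client, server, field):
    """Basic rule: first entry on the client's list that the server also lists."""
    return next((alg for alg in client[field] if alg in server[field]), None)

# Constructed sample lists, not taken from FileZilla Server or the partner's client.
SERVER = parse_kexinit(build_kexinit({
    "kex": ["curve25519-sha256", "ecdh-sha2-nistp256", "diffie-hellman-group14-sha256"],
    "host_key": ["ssh-ed25519", "rsa-sha2-256"]}))
LEGACY_CLIENT = parse_kexinit(build_kexinit({
    "kex": ["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"],
    "host_key": ["ssh-rsa"]}))
MODERN_CLIENT = parse_kexinit(build_kexinit({
    "kex": ["curve25519-sha256", "diffie-hellman-group14-sha256"],
    "host_key": ["rsa-sha2-256", "ssh-ed25519"]}))

if __name__ == "__main__":
    for label, client in (("legacy", LEGACY_CLIENT), ("modern", MODERN_CLIENT)):
        print(label, "kex:", negotiate(client, SERVER, "kex") or "no common algorithm")
```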