How to fix SFTP: no matching cipher found

Recently I needed to connect to an SFTP server at a company to download export files. Unfortunately my Debian machine was unable to connect to this server. The error message I received was "Unable to negotiate with the server" followed by "no matching cipher found", and it ended with the list of ciphers that the server offers.

$ sftp servername
Unable to negotiate with 1.2.3.4 port 22: no matching cipher found. Their offer: aes128-cbc,rijndael128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,rijndael192-cbc,aes256-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se,cast128-cbc,rijndael-cbc@lysator.liu.se
Connection closed
Connection closed.

In most cases this means that the server only supports old ciphers (here only CBC-mode ciphers, which current OpenSSH clients have dropped from their default list) and your SFTP client refuses to use them because they are insecure. The right fix is on the server side: change its cipher settings and/or upgrade it. If that is not an option for you, and you accept that the connection is not secure (key material, your password and the transferred data may be exposed), then you can force SFTP to connect with one of the old ciphers.

To do so, use the -c option of the sftp command and give it one of the ciphers that the server offers. In this case I used the first one on the list.

$ sftp -c aes128-cbc servername

Now you should be able to establish the SFTP connection. But keep in mind that this connection is absolutely not secure. Start upgrading and hardening your SFTP server today and stop using the -c option as soon as you can. Also note that -c replaces the client's whole cipher list for that invocation, so using it against a server that does support better ciphers still leaves your connection insecure.
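A less blunt way to do the same thing, as an added example that is not part of the original post: instead of passing -c on every invocation, pick the least-bad cipher that both sides support and append it to the client's cipher list for that one host only in ~/.ssh/config (the OpenSSH Ciphers keyword with a leading "+" appends to the default list rather than replacing it). The script below uses a copy of the error line from above as constructed input and a constructed client cipher list; on your own machine, replace the latter with the output of "ssh -Q cipher". The preference order among the legacy ciphers (longest AES key first, never 3DES, Blowfish or CAST) is this example's own choice, and "servername" is a placeholder host.

```shell
#!/bin/sh
# Added example (not code from the original post): choose the least-bad legacy
# cipher the server offers that the local client still supports, and emit a
# per-host ssh_config stanza instead of a global -c override.

# Constructed copy of the sftp error line quoted in the post (not live output).
OFFER_LINE='Unable to negotiate with 1.2.3.4 port 22: no matching cipher found. Their offer: aes128-cbc,rijndael128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,rijndael192-cbc,aes256-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se,cast128-cbc,rijndael-cbc@lysator.liu.se'

# Constructed stand-in for what `ssh -Q cipher` prints on a recent OpenSSH
# client. Assumption: replace this with the real output of that command.
CLIENT_CIPHERS='3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com'

# Our own preference among legacy ciphers, strongest first. Anything not listed
# here (blowfish-cbc, cast128-cbc, 3des-cbc) is never selected.
PREFERENCE='aes256-cbc aes192-cbc aes128-cbc'

# extract_offer LINE -> the server's offered ciphers, one per line
extract_offer() {
    printf '%s\n' "$1" | sed -n 's/.*Their offer: //p' | tr ',' '\n'
}

# pick_cipher LINE CLIENT_LIST -> first preferred cipher that the server offers
# and the client supports (printed on stdout); exit status 1 if there is none.
pick_cipher() {
    offer=$(extract_offer "$1")
    for c in $PREFERENCE; do
        if printf '%s\n' "$offer" | grep -qx "$c" \
           && printf '%s\n' "$2" | grep -qx "$c"; then
            printf '%s\n' "$c"
            return 0
        fi
    done
    return 1
}

# host_stanza HOST CIPHER -> ssh_config stanza that appends CIPHER to the
# default list for HOST only; every other host keeps the modern defaults.
host_stanza() {
    printf 'Host %s\n    Ciphers +%s\n' "$1" "$2"
}

main() {
    cipher=$(pick_cipher "$OFFER_LINE" "$CLIENT_CIPHERS") || {
        echo "no usable legacy cipher in common; the server must be upgraded" >&2
        return 1
    }
    echo "# append to ~/.ssh/config (servername is a placeholder)"
    host_stanza servername "$cipher"
}

main
```

Because the stanza appends rather than replaces, the client still negotiates a modern cipher with every server that supports one; only the legacy host falls back to CBC. When the script reports no usable cipher in common (for example a server that offers only blowfish-cbc or cast128-cbc, which newer OpenSSH clients no longer ship), there is no client-side workaround left and the server has to be fixed.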

02-07-2021 EN sftp unable negotiate matching cipher