How to fix SFTP: no matching cipher found
Recently I needed to connect to a SFTP server in a company to download export files. Unfortunately my
Debian machine was unable to connect with this server. The error message that I received was
unable to negotiate with the server and no matching cipher found.
It completed with a list of ciphers that are offered by the server.
$ sftp servername
Unable to negotiate with 220.127.116.11 port 22: no matching cipher found. Their offer: aes128-cbc,rijndael128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,rijndael192-cbc,aes256-cbc,rijndael256-cbc,email@example.com,cast128-cbc,firstname.lastname@example.org
In most cases this indicates that the server only supports old ciphers and your SFTP client don't
want to use those old ciphers because they are insecure. If fixing the SFTP server (change to other
cipher settings and/or upgrading) is not an option for you and it is not a problem that your
connection is insecure (because key data, your password and the transmitted data can be leaked out).
Then you can force SFTP to connect with an old cipher.
To do so you use the -c option of the SFTP command and give it one of the ciphers
that the server can offer. In this case I used the first on the list.
$ sftp -c aes128-cbc servername
Now you should be able to establish the SFTP connection. But keep in mind this connection is absolutely
not secure. Start upgrading and hardening your SFTP server today and stop using the -c
option. Still using the -c option on a server that support better ciphers keeps your connection insecure.