Subject: SFTP with RSA works but can't get to work with DSS
Date: 2013-02-15 18:50:06
From: Terry Campbell
Source: sftp-rsa-works-can-t-get-work-dss

We been using SFTP product in a production environment 4-5 months to successfully pull data from another server via the Sftp object and the RSA SshHostKeyAlgorithm. Recently there have been changes on the other end and we're getting: "Atp.Net.SftpException: The client and the server have no common algorithms." Some analysis indicated that the other server is not using RSA but rather DSA. So we changed code to make the SshHostKeyAlgorithm configurable and tried using the DSS enumerated value rather than RSA. But in our local testing, when the  "Use FIPS compliant algorithms for encryption, hashing and signing" setting is enabled, we can't get it to work, but rather get "Key exchange failed" on Sftp's Connect. If we disable this setting in Local Security Policy and set Atp.Security.SecuritySettings.FipsAlgorithmsOnly = false in code, the Sftp Connect and Authenticate methods work fine.
Only Windows Use Fips enabled --> Key exchange failed
Only FipsAlgorithmsOnly = "true" --> Connect / Authenticate worked
Both false --> Connect / Authenticate worked
Both "true" --> Connect / Authenticate worked
Only Windows Use Fips enabled --> Key exchange failed
Only FipsAlgorithmsOnly = "true" --> Key exchange failed
Both false --> Connect / Authenticate worked
Both "true" --> Key exchange failed

1. Can you help? The other side doesn't want to switch to RSA, claiming it will break their other feeds.
2. Also, why doesn't DSA work like RSA? Basically we want DSA to work like RSA was working.

We've tested primarily using default values for 
 HostKeyAlgorithms = SshHostKeyAlgorithm.DSS
The server is not accessible by you.

The product version that I see in, say, Atp.Sftp.dll is

If we can't get it to work soon, we'll need to look at competing products.


---------------------------------------------------------------------- Note: This question has been asked on the Q&A forum of Thang Dang's fraudulent ComponentPro brand If you purchased anything from ComponentPro, you have been scammed. Contact the payment processor who sold you the license and ask for your money back. Back to ComponentPro Q&A Forum Index