SecureBlackbox 16: Troubleshooting: the SSH or SFTP connection to the server is not established (the connection is closed during the handshake)


The SSH family of protocols is complex and various SSH servers interpret the specifications differently; you can follow the steps below to resolve connection problems by selecting the right combination of SSH protocol settings.

  1. Wrap the call to the Open method with an exception handling statement and check the exception description. If you are catching an exception of type ESecureBlackboxError, this exception has an ErrorCode property that provides a numeric error code.
  2. Implement event handlers for the OnError and OnDisconnect events. If the error is reported via OnError, analyze its description and error code. OnDisconnect also reports the reason for closing the connection, if the server has sent the text.

Note that SSH and SFTP have an overlapping set of error codes that have different meanings. The error codes are reported by the server, not SecureBlackbox.

Socket error codes start with 10000 (e.g., WinSock errors 10060 or 10053). Error 10053 (connection reset by peer) indicates that the server has forcefully closed the connection without properly notifying the client about the problem.

Troubleshoot Other Problems

If the error is not reported, or it doesn't give you meaningful and helpful information, proceed with the following steps:

  1. Turn off compression. This is done via the CompressionAlgorithms property of the client component.
  2. Run the sample applications, which are located under the Samples folder. If you can run the samples, it may be possible to resolve the problem by checking your code against the sample code.
  3. If no connection is established, check your firewall or router. It must allow outgoing connections to port 22 from your computer. Some firewalls detect well-known applications and let them out. So it can happen that WinSCP or FileZilla connects and your code does not.
  4. Check the log of the sample project. If it contains "SSH error 114" text, authentication was not successful. In this case, check the following:
    • Ensure that you have set the client component's AuthenticationTypes property to the right authentication mechanism. A common problem is that only password authentication is enabled while the server uses keyboard-interactive authentication.
    • If you use key-based authentication, see "Troubleshoot the Authentication Method".
  5. If the server closes the connection without reporting any error, this usually means that you are connecting to a server that is not interpreting the client request correctly. The client sends the list of known algorithms to the server, and the server must ignore the unknown entries in the list of algorithms. However, many servers crash or close the connection when they come across the name of an unrecognized algorithm. In particular, all 3.x versions of OpenSSH do this. In this case, you need to turn off all algorithms besides the very old and well-known (listed below).

Selectively Disable Algorithms

SecureBlacbox tries to detect these old servers automatically and disable the newer algorithms. This is controlled by the AutoAdjustCiphers property. Try enabling this property to solve the problem. If it does not, disable the property and then disable all algorithms except the listed ones:

  1. Known encryption algorithms: SSH_EA_3DES, SSH_EA_DES. Adjustable using the EncryptionAlgorithms property of the client component.
  2. Known key exchange algorithms: SSH_KEX_DH_GROUP, SSH_KEX_DH_GROUP_EXCHANGE. Adjustable using the KEXAlgorithms property of the client component.
  3. Known MAC algorithms: SSH_MA_HMAC_SHA1, SSH_MA_HMAC_MD5. Adjustable using the MACAlgorithms property of the client component.
  4. Known public key algorithms: SSH_PK_DSS, SSH_PK_RSA. Adjustable using the PublicKeyAlgorithms property of the client component. Often specifying both DSS and RSA leads to a server crash. In this case, you need to keep just one algorithm active.

If the problem is gone when you turn off the algorithms by hand and AutoAdjustCiphers does not solve the problem, then please send us the exact value of the ServerSoftwareName property, and we will add this server to the list detectable by AutoAdjustCiphers.

If the problem is not gone, you can try the following to use newer algorithms (with higher numeric Ids) -- on some servers, administrators disable and forbid old algorithms explicitly but enable new algorithms.

Troubleshoot the Authentication Method

Troubleshooting steps from the preceding sections may lead you to troubleshoot the authentication method. Below is a list of things to try:

  • Turn off keyboard-interactive authentication with the AuthenticationTypes property. As of SecureBlackbox 10, the keyboard-interactive authentication type is enabled by default. Some servers declare that they support this method but report an error during authentication and disconnect.
  • When you use key-based authentication, ensure that you are loading the keys correctly:
    1. You must load the private key. In some cases, you do not have a private key (or do not want to load it before the connection is established). In these cases, you can load the public key only and then you must provide the private key via the OnPrivateKeyNeeded event of the client component.
    2. Check the result returned by the ElSSHKey.LoadPrivateKey method;
  • It can happen that your user account doesn't allow you to access the server using the chosen subsystem (shell, command, SFTP). In this case, the connection step is almost completed and then you get (or don't get) an error message and the connection is closed. In this case, you can try another subsystem. You may need to contact your server administrator.
  • The SFTP server and client must have an overlapping set of enabled versions. If the server is configured to support only SFTP 3 and your client has only versions 4 to 6 enabled, the connection will fail. You need to check and adjust the Versions property of the client component. Moreover, some servers work correctly only when just one version (SFTP 3) is enabled. That is, you might need to enable just SFTP 3 in order to successfully work with such a server.

    SecureBlackbox supports SFTP versions 2 to 6 in the client component.

We appreciate your feedback. If you have any questions, comments, or suggestions about this article please contact our support team at support@nsoftware.com.