SSH or SFTP connection to the server is not established (connection is closed during handshake).

You run the code that uses an SSH or SFTP client and ... get nothing: the connection is not established. The SSH family of protocols is complex, and various SSH servers interpret the specifications differently. This leads to a situation where, to connect to and interoperate with a particular server, you need to select the right combination of SSH protocol settings.

So if you can't connect, please take the following steps. While the list may seem long, following it is a must if you need the connection to succeed.

  1. Wrap the call to the Open() method in an exception handling statement (try/catch, try/except etc., depending on the language used) and check the exception description. If you catch an exception of type ESecureBlackboxError, this exception has an ErrorCode property which provides the numeric error code.
  2. Implement event handlers for the OnError and OnDisconnect events. If the error is reported via OnError, analyze its description and error code. OnDisconnect also reports the reason for closing the connection, if the server has sent the text. Note that SSH and SFTP have overlapping sets of error codes with different meanings. The error codes are reported by the server, so we have no influence on them.

Socket error codes start at 10000 (e.g. 10060, 10053). You can find descriptions of these errors via Google (search for "Winsock error 10060" to get information on error 10060). Error 10053 (connection reset by peer) means that the server forcefully closed the connection without properly notifying the client about the problem. This indicates a buggy server.

If no error is reported (this happens sometimes) or it doesn't give you meaningful and helpful information, proceed with troubleshooting as described below:

  1. Turn off compression. This is done via the CompressionAlgorithms property of the client component.
  2. Run the sample applications located in the various sub-folders of the \Samples folder. If the samples work correctly, study the differences between the component settings in the sample applications and in your code. If the samples don't work, proceed to step 4.
  3. If no connection is established at all, check your firewall / router. It must allow outgoing connections to port 22 from your computer. Some firewalls detect well-known applications and let them out, so it sometimes happens that WinSCP or FileZilla connects while your code does not.
  4. Check the log of the sample project. If it contains the text "SSH error 114", authentication was not successful. In this case you need to:
    • ensure that you have selected the right authentication mechanism (see the AuthenticationTypes property of the client component). It's a common mistake to enable only password authentication while the server uses the misleadingly similar keyboard-interactive authentication.
    • if you use key-based authentication, see Step 6.
  5. If the server closes the connection without reporting any error, this usually means that you are connecting to a buggy server which doesn't interpret the client request correctly. What does this mean? The client sends the list of algorithms it knows to the server. The server must ignore the unknown entries in the list of algorithms. However, many servers crash or close the connection when they come across the name of an algorithm that they don't understand. In particular, all 3.x versions of OpenSSH do this. In this case you need to turn off all algorithms besides the very old and well-known ones (listed below).

SecureBlackbox tries to detect the old servers automatically and disable the newer algorithms. This is controlled by the AutoAdjustCiphers property. Try turning this property ON and see if this solves the problem. If it does not, turn the property off, then turn off all algorithms except the ones listed here:

  1. Known encryption algorithms: SSH_EA_3DES, SSH_EA_DES. Adjustable using the EncryptionAlgorithms property of the client component.
  2. Known key exchange algorithms: SSH_KEX_DH_GROUP, SSH_KEX_DH_GROUP_EXCHANGE. Adjustable using the KEXAlgorithms property of the client component.
  3. Known MAC algorithms: SSH_MA_HMAC_SHA1, SSH_MA_HMAC_MD5. Adjustable using the MACAlgorithms property of the client component.
  4. Known public key algorithms: SSH_PK_DSS, SSH_PK_RSA. Adjustable using the PublicKeyAlgorithms property of the client component. Often specifying both DSS and RSA leads to a server crash. In this case you need to keep just one algorithm active.

If the problem goes away when you turn off the algorithms by hand but AutoAdjustCiphers doesn't solve it, then please tell us the exact value of the ServerSoftwareName property and we will add this server to the list detected by AutoAdjustCiphers.

If the problem does not go away, you can try some *new* algorithms (those with higher numeric IDs): on some servers, administrators explicitly disable and forbid old algorithms but enable new ones.
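As an added illustration (not SecureBlackbox code, and not how AutoAdjustCiphers is actually implemented), the Python below shows the decision the steps above describe: parse the server's identification string (the value behind ServerSoftwareName, formatted per RFC 4253), recognise the OpenSSH 3.x family named above as needing the restricted set, and offer only the old well-known algorithms from the list, keeping a single public key algorithm. It also builds the opposite "newer algorithms only" offer for servers whose administrators have forbidden the old ones. The SSH_*_NEW_* names and the sample banners are constructed placeholders for this example; wiring the result into a real client's EncryptionAlgorithms, KEXAlgorithms, MACAlgorithms and PublicKeyAlgorithms properties is left to the reader.

```python
"""Choose an SSH algorithm offer from the server identification string.

Added example, not SecureBlackbox code. It imitates the behaviour the article
attributes to AutoAdjustCiphers using the constant names the article lists.
"""
import re
from typing import Dict, Optional, Tuple

AlgorithmSet = Dict[str, Tuple[str, ...]]

# The "very old and well-known" algorithms from the article, keyed by the
# client property that controls them.
OLD_WELL_KNOWN: AlgorithmSet = {
    "EncryptionAlgorithms": ("SSH_EA_3DES", "SSH_EA_DES"),
    "KEXAlgorithms": ("SSH_KEX_DH_GROUP", "SSH_KEX_DH_GROUP_EXCHANGE"),
    "MACAlgorithms": ("SSH_MA_HMAC_SHA1", "SSH_MA_HMAC_MD5"),
    "PublicKeyAlgorithms": ("SSH_PK_DSS", "SSH_PK_RSA"),
}

# Newer algorithms. These names are constructed placeholders for the example,
# not SecureBlackbox constants.
NEWER: AlgorithmSet = {
    "EncryptionAlgorithms": ("SSH_EA_NEW_AES_CTR",),
    "KEXAlgorithms": ("SSH_KEX_NEW_ECDH",),
    "MACAlgorithms": ("SSH_MA_NEW_HMAC_SHA2",),
    "PublicKeyAlgorithms": ("SSH_PK_NEW_ECDSA",),
}

# Default offer to a modern server: newer entries first, then the old ones.
FULL: AlgorithmSet = {name: NEWER[name] + OLD_WELL_KNOWN[name] for name in OLD_WELL_KNOWN}

# RFC 4253 section 4.2: SSH-protoversion-softwareversion SP comments CR LF
_BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$")


def parse_banner(banner: str) -> Tuple[str, str, Optional[str]]:
    """Split the identification line into (protocol version, software, comments)."""
    match = _BANNER_RE.match(banner.rstrip("\r\n"))
    if match is None:
        raise ValueError(f"not an SSH identification string: {banner!r}")
    return match.group("proto"), match.group("software"), match.group("comments")


def is_legacy_server(software: str) -> bool:
    """True for the server family the article says needs the restricted offer (OpenSSH 3.x)."""
    match = re.match(r"OpenSSH_(\d+)\.", software)
    return match is not None and int(match.group(1)) == 3


def legacy_offer(public_key: str = "SSH_PK_RSA") -> AlgorithmSet:
    """Old well-known algorithms only, with a single public key algorithm.

    The article notes that offering both DSS and RSA crashes some old servers,
    so exactly one of them is kept.
    """
    if public_key not in OLD_WELL_KNOWN["PublicKeyAlgorithms"]:
        raise ValueError(f"{public_key} is not one of the old well-known public key algorithms")
    offer = dict(OLD_WELL_KNOWN)
    offer["PublicKeyAlgorithms"] = (public_key,)
    return offer


def newer_offer() -> AlgorithmSet:
    """The opposite move: only newer algorithms, for servers that forbid the old ones."""
    return dict(NEWER)


def select_algorithms(banner: str, auto_adjust: bool = True) -> AlgorithmSet:
    """Pick the offer for a server, restricting it when auto_adjust recognises an old server."""
    _, software, _ = parse_banner(banner)
    if auto_adjust and is_legacy_server(software):
        return legacy_offer()
    return dict(FULL)


if __name__ == "__main__":
    # Constructed sample banners; the comment part is optional per RFC 4253.
    for sample in ("SSH-2.0-OpenSSH_3.9p1 Debian-1ubuntu2\r\n", "SSH-2.0-OpenSSH_7.4\r\n"):
        _, name, _ = parse_banner(sample)
        print(name, "->", select_algorithms(sample))
```

In a real client the banner is only available after the TCP connection is up, which is exactly when AutoAdjustCiphers has to make this decision; the offline version here lets you check what a given ServerSoftwareName value would trigger before changing properties by hand.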

  • As of SecureBlackbox 10, the keyboard-interactive authentication type is enabled by default. Some servers declare that they support this method, but if you turn it on (and it's on by default), the server reports an error and disconnects. So turning off keyboard-interactive authentication in the AuthenticationTypes property is sometimes necessary as well.
  • When you use key-based authentication, you need to load the keys correctly:
    1. you must load the private key (not a public key, even though the name of the authentication method says "public"). In some cases you don't have a private key (or don't want to load it before the connection is established). In these cases you can load the public key only, and then you must provide the private key via the OnPrivateKeyNeeded event of the client component.
    2. check the result returned by the ElSSHKey.LoadPrivateKey() method.
  • It can happen that your user account is not allowed to access the server using the chosen subsystem (shell, command, sftp). In this case the connection step is almost completed, and then you get (or don't get) an error message and the connection is closed. You can try another subsystem; otherwise you need to contact your server administrator.
  • The SFTP protocol has its own versions (SecureBlackbox supports SFTP versions 2 to 6 in the client component). The server and the client must have an overlapping set of enabled versions. If the server is configured to support only SFTP 3 and your client has only versions 4 to 6 enabled, you don't get a connection. You need to check and adjust the Versions property of the client component. Moreover, some servers work correctly only when just one version (SFTP 3) is enabled, i.e. you might need to enable just SFTP 3 in order to work successfully with such a server.
