End of IO Stream Read

[SpaceBison]

I'm having a problem establishing a SCP connection to my PC. I can't seem to authorize by password. AndFTP gives me the following message:

Code: Select all

Session.connect: java.io.IOException: End of IO Stream Read

sshd logs on LogLevel VERBOSE are rather platonic:

Code: Select all

sshd[13961]: Connection from 192.168.10.139 port 33726 on 192.168.10.102 port 22
sshd[13961]: fatal: mm_answer_moduli: bad parameters: 2048 2048 1024


The logs on LogLevel DEBUG3 look like this:

Code: Select all

sshd[13995]: debug3: fd 5 is not O_NONBLOCK
sshd[13995]: debug1: Forked child 14020.
sshd[13995]: debug3: send_rexec_state: entering fd = 8 config len 427
sshd[13995]: debug3: ssh_msg_send: type 0
sshd[13995]: debug3: send_rexec_state: done
sshd[14020]: debug3: oom_adjust_restore
sshd[14020]: debug1: Set /proc/self/oom_score_adj to 0
sshd[14020]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
sshd[14020]: debug1: inetd sockets after dupping: 3, 3
sshd[14020]: Connection from 192.168.10.139 port 40760 on 192.168.10.102 port 22
sshd[14020]: debug1: Client protocol version 2.0; client software version JSCH-0.1.51
sshd[14020]: debug1: no match: JSCH-0.1.51
sshd[14020]: debug1: Enabling compatibility mode for protocol 2.0
sshd[14020]: debug1: Local version string SSH-2.0-OpenSSH_7.2
sshd[14020]: debug2: fd 3 setting O_NONBLOCK
sshd[14020]: debug3: ssh_sandbox_init: preparing seccomp filter sandbox
sshd[14020]: debug2: Network child is on pid 14021
sshd[14020]: debug3: preauth child monitor started
sshd[14020]: debug3: privsep user:group 99:99 [preauth]
sshd[14020]: debug1: permanently_set_uid: 99/99 [preauth]
sshd[14020]: debug3: ssh_sandbox_child: setting PR_SET_NO_NEW_PRIVS [preauth]
sshd[14020]: debug3: ssh_sandbox_child: attaching seccomp filter program [preauth]
sshd[14020]: debug3: list_hostkey_types: ssh-dss key not permitted by HostkeyAlgorithms [preauth]
sshd[14020]: debug1: list_hostkey_types: ssh-rsa,rsa-sha2-512,rsa-sha2-256 [preauth]
sshd[14020]: debug3: send packet: type 20 [preauth]
sshd[14020]: debug1: SSH2_MSG_KEXINIT sent [preauth]


Using the "Legacy SSH" option does not help. I'm running the current version of AndFTP and OpenSSH_7.2p2, OpenSSL 1.0.2g. Both devices are on the same subnet.

[support]

Does it work with another client? (WinSCP under desktop)?

[SpaceBison]

I tried connecting from a PC with both OpenSSH and WinSCP and encountered no problems. The thing is, AndFTP worked with my server before and I didn't change its configuration. I thing it might have something to do with a recent update of the app.

[SpaceBison]

It works with both WinSCP and OpenSSH clients and it used to work with an earlier version of AndFTP.

[support]

Do you have any security app installed? Such as Avast Mobile Security?
If so, could you try to disable it temporary to see if it works?

We didn't modify anything at network layer in AndFTP so there is no reason it worked before and it fails now.

[SpaceBison]

I managed to work around the problem - switching from SCP to SFTP caused AndFTP to start connecting to my server.

[decula]

This is being caused by sshd being configured to remove support for the diffie-hellman-group1-sha1 as a KEX algorithym. This is a security issue with SHA1 making it easier for MITM attacks.

references:
http://stackoverflow.com/questions/3728 ... tream-read
https://blog.gdssecurity.com/labs/2015/ ... -tool.html
https://weakdh.org/sysadmin.html

a quick fix is to edit sshd_config on the server and add/modify the KEX algos to add the missing sha1 back, similar to (last comma separated entry):

KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

**** THIS IS A SECURITY HOLE **** but works