AWS SFTP HMAC server algorithm not found


Hi, I re-deployed an AWS Transfer Family SFTP Server in a test environment, and I am able to connect to it, using my local key pair, through the command line: sftp username@sftp.test.com

I have a customer that is trying to connect to the test environment using the Azure SFTP-SSH connector as an SFTP client, and gets the following error message: Failed to create connection { "status": 400, "message": "Server HMAC algorithm not found" ... "source": "sftpwithssh-we.azzconn-we003.p.azurewebites.net"}

They are able to connect to another production SFTP server, also using an Azure SFTP-SSH connector.

Since only the test environment was redeployed, I went to check whether any upgrade of the algorithms has happened, so I compared the MACs for both SFTP servers and they are identical:

&> ssh -Q mac sftp.test.com
hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
hmac-md5
hmac-md5-96
umac-64@openssh.com
umac-128@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha1-96-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
hmac-md5-etm@openssh.com
hmac-md5-96-etm@openssh.com
umac-64-etm@openssh.com
umac-128-etm@openssh.com

Any idea is greatly appreciated, thanks

asked 4 months ago, 649 views
1 Answer
Accepted Answer

You might want to check which security policy is set for your AWS Transfer server: https://docs.aws.amazon.com/transfer/latest/userguide/security-policies.html

I don't know exactly what the Azure connector supports, but my guess would be that your earlier Transfer server had been deployed with an older policy by default, and your new deployment uses a newer, more restrictive policy version that the Azure side doesn't support. This would explain why your local test works; your local client would simply support more modern cryptographic mechanisms than the Azure connector does.

Even if the production Transfer server is using the same settings as your new test Transfer server, that doesn't guarantee that the Azure connector is configured the same way for your production environment as the other connector for the test environment.

EXPERT
Leo K
answered 4 months ago
  • Yes! I did compare the SFTP prod server and it has TransferSecurityPolicy-2018-11, and the test SFTP server was deployed with the default, which is currently TransferSecurityPolicy-2024-01. I will define SecurityPolicyName: 'TransferSecurityPolicy-2018-11' in CloudFormation and redeploy to verify. Thanks
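An added example (not the poster's, the answerer's or AWS's own code) of the check behind the accepted answer: the server side of the MAC negotiation is the policy's SshMacs list, and SSH picks the first entry in the client's list that the server also offers, so an empty intersection is exactly the "Server HMAC algorithm not found" case. The policy JSON below is a constructed sample in the shape returned by `aws transfer describe-security-policy`; its MAC lists are illustrative, not the real contents of any TransferSecurityPolicy version.

```python
"""Check whether an SSH client's MAC list can be negotiated against an
AWS Transfer Family security policy. RFC 4253 section 7.1: the chosen
algorithm is the first in the client's list that the server also supports."""
import json
import subprocess
from typing import Optional

# Constructed sample in the shape returned by
#   aws transfer describe-security-policy --security-policy-name <name>
# The algorithm lists are illustrative, not the contents of a real policy.
SAMPLE_POLICY_JSON = """
{
  "SecurityPolicy": {
    "Fips": false,
    "SecurityPolicyName": "TransferSecurityPolicy-EXAMPLE",
    "SshCiphers": ["aes256-gcm@openssh.com", "aes128-ctr"],
    "SshKexs": ["curve25519-sha256"],
    "SshMacs": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com"],
    "TlsCiphers": []
  }
}
"""

# Constructed client lists: a subset of the `ssh -Q mac` output in the
# question (modern OpenSSH) and a legacy client that only offers SHA-1/MD5.
OPENSSH_CLIENT_MACS = [
    "hmac-sha1", "hmac-sha1-96", "hmac-sha2-256", "hmac-sha2-512",
    "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
]
LEGACY_CLIENT_MACS = ["hmac-sha1", "hmac-sha1-96", "hmac-md5"]


def policy_macs(policy_json: str) -> list[str]:
    """Extract the server-side MAC list from describe-security-policy output."""
    return json.loads(policy_json)["SecurityPolicy"]["SshMacs"]


def negotiate(client_macs: list[str], server_macs: list[str]) -> Optional[str]:
    """Return the MAC SSH would select, or None when nothing is common
    (the condition behind 'Server HMAC algorithm not found')."""
    server = set(server_macs)
    return next((m for m in client_macs if m in server), None)


def live_policy_macs(policy_name: str) -> list[str]:
    """Fetch a real policy via the AWS CLI (needs credentials; not used in tests)."""
    out = subprocess.check_output(["aws", "transfer", "describe-security-policy",
                                   "--security-policy-name", policy_name])
    return policy_macs(out.decode())


if __name__ == "__main__":
    macs = policy_macs(SAMPLE_POLICY_JSON)
    for name, client in [("openssh", OPENSSH_CLIENT_MACS), ("legacy", LEGACY_CLIENT_MACS)]:
        print(name, "->", negotiate(client, macs) or "no common MAC: connection fails")
```

To compare the two servers in the question, read each server's policy name with `aws transfer describe-server --server-id <id>` and feed it to `live_policy_macs`; the client-side list comes from the client that actually fails, not from `ssh -Q mac` on your workstation.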
