SFTP Connector Authentication Failing with nondescript "Key exchange failed" error. Credentials and Trusted Host Key are 100% correct


Trying to connect to an SFTP server via an AWS Transfer Connector. The SFTP server is hosted by a 3rd party and I pull files into S3. I am 100% sure that my connector is set up correctly, the URL is valid, and the credentials in Secrets Manager are the correct values (Username, Password, and PrivateKey) and formatted correctly per the documentation from AWS. I am very well versed in SFTP, PKI-based authentication, etc., and when I connect to this server outside of AWS with the exact same parameters (via my laptop's CLI and SFTP clients (CyberDuck on Mac and WinSCP on a Windows machine)) everything works perfectly without issue. However, when I try to test the connection via the connector in the AWS Console, I get a generic, nondescript error message that says "Key exchange failed" (see below image) with 0 details around what exactly went wrong during the key exchange. The key pair is ssh-rsa, I've verified that the fingerprint of the host key matches what is in the connector UI, I've parsed through logs in SFTP clients, etc. Everything outside of AWS clearly shows every part of the connection is working flawlessly (including key exchange and host key validation). Can someone please help?

Errors: Transfer Connector Error

    "status-code": "FAILED",
    "failure-code": "CONNECTION_ERROR",
    "failure-message": "Key exchange failed",
jpetro
asked 7 months ago, 460 views
3 Answers

Hi! From the error, it seems likely that the connector failed due to incompatible SSH host key algorithms. SFTP connectors support the following host key algorithms:

ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
rsa-sha2-512
rsa-sha2-256

Does your remote server support at least one of the algorithms from the list above?

Documentation: https://docs.aws.amazon.com/transfer/latest/userguide/creating-connectors.html

AWS
EXPERT
answered 7 months ago
  • Thanks for the reply. Yeah, that was one of the first things I went and verified. Connecting to the server manually with the -G flag displays the server's configuration. KEX and host algorithms:

    hostkeyalgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,rsa-sha2-256,rsa-sha2-512
    kexalgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
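As an added example (not code from this thread or from AWS), the following Python decodes a server's SSH_MSG_KEXINIT, the message in which each side advertises its algorithm lists, and checks whether the advertised host key algorithms overlap with the connector-supported list from the answer above. The sample packet is constructed with a zero cookie for offline use, not captured from a real server.

```python
# Parse an SSH_MSG_KEXINIT payload and check host key algorithm overlap.
import struct

# Host key algorithms the answer above lists as supported by SFTP connectors.
CONNECTOR_HOSTKEY_ALGOS = [
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "rsa-sha2-512", "rsa-sha2-256",
]

# Name-list fields of KEXINIT in wire order (RFC 4253 section 7.1).
KEXINIT_FIELDS = [
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_c2s", "encryption_s2c", "mac_c2s", "mac_s2c",
    "compression_c2s", "compression_s2c", "languages_c2s", "languages_s2c",
]

def parse_kexinit(payload: bytes) -> dict:
    """Decode the name-lists of a KEXINIT payload into Python lists."""
    if not payload or payload[0] != 20:  # 20 == SSH_MSG_KEXINIT
        raise ValueError("not a KEXINIT message")
    pos = 17  # skip the message type byte and the 16-byte cookie
    fields = {}
    for name in KEXINIT_FIELDS:
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        raw = payload[pos:pos + length].decode("ascii")
        pos += length
        fields[name] = raw.split(",") if raw else []
    fields["first_kex_packet_follows"] = bool(payload[pos])
    return fields

def negotiate_hostkey(server_algos, client_algos=CONNECTOR_HOSTKEY_ALGOS):
    """First client-preferred host key algorithm the server also offers,
    or None when the lists do not overlap (the 'Key exchange failed' case)."""
    return next((a for a in client_algos if a in server_algos), None)

def build_kexinit(**lists) -> bytes:
    """Construct a KEXINIT payload for offline testing (zero cookie, not a capture)."""
    out = bytes([20]) + b"\x00" * 16
    for name in KEXINIT_FIELDS:
        raw = ",".join(lists.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(raw)) + raw
    return out + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

# Constructed sample: a server restricted to the legacy SHA-1 "ssh-rsa" name only.
LEGACY_SERVER = build_kexinit(
    kex_algorithms=["curve25519-sha256", "diffie-hellman-group14-sha256"],
    server_host_key_algorithms=["ssh-rsa"],
)
```

The case to look for is a server that advertises only the SHA-1 `ssh-rsa` name for its RSA host key: the connector list above contains `rsa-sha2-256` and `rsa-sha2-512` but not `ssh-rsa`, so no host key algorithm can be agreed.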

Hey @jpetro, can you send me an email to yoonmsuh@amazon.com so we can look into this further? Thank you!

AWS
EXPERT
answered 7 months ago
  • I am having a similar issue connecting to a partner's SFTP service. Were there any further thoughts or a resolution on this before I abandon connectors and roll my own solution?


Exactly the same problem here. The configuration is not using the private key but otherwise similar results. Algorithms have been verified.

answered 7 months ago
