SocketTools includes SSH components for interactive logins and SFTP support, with integration across our native DLLs, .NET classes, and ActiveX controls. When attempting to connect to an SSH server using our SDKs, there are several common issues that can prevent a successful connection. This article will guide you through the most likely causes and provide steps to resolve them.
Unsupported Ciphers
Our API no longer supports insecure and deprecated ciphers used in older OpenSSH versions (earlier than 5.5, released around 2010). If your server is running a version of OpenSSH prior to 5.5, it may attempt to negotiate outdated ciphers such as DES or RC4, which we no longer support. If possible, update the server to OpenSSH version 5.5 or later. At this time, the current version of OpenSSH is 9.8 and may be available by updating the Linux system. Upgrading the server’s version of OpenSSH will allow it to negotiate more modern, secure cipher suites, such as AES128-CTR, AES256-CTR, or AES256-GCM, which are supported by our libraries and components.
If your server is using OpenSSH 9.0 or later, and you are still using an older version of SocketTools, you may encounter connection failures due to unsupported cipher suites or key exchange algorithms. For instance, the current versions of OpenSSH use newer algorithms such as curve25519-sha256 for key exchange and AES256-GCM for encryption. The latest release of SocketTools includes support for elliptic curve cryptography (ECC) and new ciphers like AES256-GCM. Older versions of our components do not support these algorithms.
Public Key Authentication
Some servers are configured to disallow password authentication and only permit connections using public key authentication. In these cases, attempting to connect using password-based login will result in failure. Use public key authentication by configuring the SSH client to use a valid key pair. If you are using an older version of SocketTools, upgrading to the current version includes support for the OpenSSH key formats which may be required by modern servers. Also make sure your public key is properly added to the server’s authorized_keys file.
Firewall Configuration
One of the most common reasons for SSH connection failures is firewall configuration. Firewalls on the server may block incoming connections on port 22 (or another configured SSH port). Depending on the Linux distribution, firewall rules could be managed by different services like iptables, firewalld, or other security tools. To troubleshoot this:
- Verify the SSH port is open by running a port scan or using a tool like
telnetto see if the connection is allowed. - Check the server's firewall logs for dropped connection attempts.
- If necessary, update firewall rules to permit traffic on the SSH port.
For example, with firewalld, you might need to run:
sudo firewall-cmd --add-service=ssh --permanent
sudo firewall-cmd --reload
For iptables, you could allow port 22 like this:
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
You will typically need to have superuser (administrative) privileges on the server to make configuration changes to the firewall. If you do not have access to the server, consult your system administrator or service provider and confirm the firewall is configured to permit inbound connections to the SSH server.
Non-Standard SSH Ports
By default, SSH servers listen on port 22, but some servers may be configured to use a different port for security reasons. If you attempt to connect to the wrong port, the connection will fail. Confirm the correct SSH port by checking the server's configuration (/etc/ssh/sshd_config for OpenSSH servers). Specify the correct port when making the connection using our API by setting the appropriate port number in your code.
If you are attempting to transfer files using SFTP using a non-standard port, you must explicitly specify an option in your code to indicate you are using SSH. If you are using the Library Edition, the option is FTP_OPTION_SECURE_SHELL which must be included as part of your call to the FtpConnect function.
If you are using the SocketTools.FtpClient .NET class, the FtpOptions.optionSecureShell option should be specified with the connection by setting the Options property or when calling the Connect method. If you are using the ActiveX control, the ftpOptionSecureShell option should be specified by setting the Options property or as an argument to the Connect method.
These options allow our components to understand that you want to establish a secure SFTP connection, rather than a standard FTP or secure FTPS connection.
Domain Name or IP Address Issues
Sometimes, connection failures occur because the hostname or IP address is incorrect or cannot be resolved by the DNS. Ensure that the hostname or IP address you're connecting to is correct. Verify that the server is reachable from the client machine by using ping or nslookup to confirm network connectivity.
Network Connectivity Issues
General network problems, such as packet loss or poor network conditions, can also cause SSH connection failures. Test the connection to the server using tools like ping or traceroute to identify any network-related issues. If you're using a VPN or proxy, ensure that it allows SSH traffic and that no traffic shaping is causing delays or disconnections.
By addressing these common issues, you should be able to resolve most connection failures encountered when using our API to connect to SSH servers. If problems persist, consider enabling logging in our components and reviewing the detailed error messages for further troubleshooting.
See Also
Supported SSH Encryption Algorithms
Creating SSH Authentication Keys
SFTP Public Key Authentication