Today I spun up a quick development instance using Ubuntu 15 and found that Aptana refused to connect via SFTP. After a few rounds of Google > Fix > New Error > GOTO 10 I’ve found that there are two problems.
- Aptana does not support anything more advanced than diffie-hellman-group1-sha1 for key exchange.
- OpenSSH has removed AES*-CBC ciphers from its default ciphers in favor of newer AES*-CTR ciphers.
- Aptana has explicitly disabled CTR support in their SSH library.
I think Point 1 may simply be a symptom of the fact that Aptana has not released an update in forever and the software is showing signs of its age.
Point 2 seems a little overzealous on OpenSSH’s part, but I’m old and hate change and am probably wrong anyway. However, I accept that OpenSSH know what they are doing.
I have a definite problem with Point 3. Only an idiot would explicitly disable new ciphers, and I have a feeling that doing so was due to the same reactionary purse-clutching about the way that CTR ciphers work that happened when they were initially proposed, and was subsequently disproven. This debate was closed long ago, and CTR ciphers are currently the only way to allow multithreaded encyrption, which OpenSSH desperately needs to begin supporting.
There is a Github Issue regarding the broken ciphers, but I wouldn’t hold my breath.
Just to get this out of the way up front: There is no client-side fix.
The following changes need to be made in your sshd config on the server:
# default+diffie-hellman-group1-sha1 for aptana KexAlgorithms email@example.com,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 # default+aes256-cbc for aptana Ciphers aes128-ctr,aes192-ctr,aes256-ctr,firstname.lastname@example.org,email@example.com,firstname.lastname@example.org,aes256-cbc
As noted, these are simply the defaults pulled from the manpage for sshd_config with an extra option to support Aptana. Pop these lines in, reload, and you should be good to go.