VanDyke Software Forums

VanDyke Software Forums (https://forums.vandyke.com/index.php)
-   Secure Shell (https://forums.vandyke.com/forumdisplay.php?f=15)
-   -   SSH2 Key Exchange Failure (https://forums.vandyke.com/showthread.php?t=11496)

evoxfan 05-08-2014 06:37 AM

SSH2 Key Exchange Failure
 
I'm getting this key exchange failure when attempting an SSH2 connection to a far-end device. It looks to be the exact problem outlined in this thread, but the solution provided doesn't work for me. I'm running version 7.1.3 x64 on Windows 7 Pro x64.

Here's the info on the far end device. I think it is running Solaris, but I'm not sure.

Device model: Brix 3100
Device serial number: XXXXXXXXX
Monolith image: b3100-x86_64-monolith-11Dec2013.11.5845.b3100
Monolith build date: Wed Dec 11 11:39:19 EST 2013
Monolith revision: 8.2.1
FPGA version: 0x8d
Board version: 0x2
Test module serial number: 716723

Here is my trace options capture:

[LOCAL] : SSH2Core version 7.1.0.378
[LOCAL] : Connecting to XX.XXX.XX.XXX:22 ...
[LOCAL] : Changing state from STATE_NOT_CONNECTED to STATE_EXPECT_KEX_INIT
[LOCAL] : Using protocol SSH2
[LOCAL] : RECV : Remote Identifier = 'SSH-2.0-OpenSSH_4.2'
[LOCAL] : CAP : Remote can re-key
[LOCAL] : CAP : Remote sends language in password change requests
[LOCAL] : CAP : Remote sends algorithm name in PK_OK packets
[LOCAL] : CAP : Remote sends algorithm name in public key packets
[LOCAL] : CAP : Remote sends algorithm name in signatures
[LOCAL] : CAP : Remote sends error text in open failure packets
[LOCAL] : CAP : Remote sends name in service accept packets
[LOCAL] : CAP : Remote includes port number in x11 open packets
[LOCAL] : CAP : Remote uses 160 bit keys for SHA1 MAC
[LOCAL] : CAP : Remote supports new diffie-hellman group exchange messages
[LOCAL] : CAP : Remote correctly handles unknown SFTP extensions
[LOCAL] : CAP : Remote correctly encodes OID for gssapi
[LOCAL] : CAP : Remote correctly uses connected addresses in forwarded-tcpip requests
[LOCAL] : CAP : Remote can do SFTP version 4
[LOCAL] : CAP : Remote x.509v3 uses ASN.1 encoding for DSA signatures
[LOCAL] : CAP : Remote correctly handles zlib@openssh.com
[LOCAL] : SEND : KEXINIT
[LOCAL] : RECV : Read kexinit
[LOCAL] : Available Remote Kex Methods = diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
[LOCAL] : Selected Kex Method = diffie-hellman-group1-sha1
[LOCAL] : Available Remote Host Key Algos = ssh-rsa,ssh-dss
[LOCAL] : Selected Host Key Algo = ssh-dss
[LOCAL] : Available Remote Send Ciphers = aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
[LOCAL] : Selected Send Cipher = aes256-ctr
[LOCAL] : Available Remote Recv Ciphers = aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
[LOCAL] : Selected Recv Cipher = aes256-ctr
[LOCAL] : Available Remote Send Macs = hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
[LOCAL] : Selected Send Mac = hmac-sha1
[LOCAL] : Available Remote Recv Macs = hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
[LOCAL] : Selected Recv Mac = hmac-sha1
[LOCAL] : Available Remote Compressors = none,zlib@openssh.com
[LOCAL] : Selected Compressor = none
[LOCAL] : Available Remote Decompressors = none,zlib@openssh.com
[LOCAL] : Selected Decompressor = none
[LOCAL] : Changing state from STATE_EXPECT_KEX_INIT to STATE_KEY_EXCHANGE
[LOCAL] : SEND : KEXDH_INIT
[LOCAL] : RECV: TCP/IP close
[LOCAL] : Changing state from STATE_KEY_EXCHANGE to STATE_CLOSED
[LOCAL] : Connected for 0 seconds, 611 bytes sent, 724 bytes received
[LOCAL] : Stream has closed [CLOSE_TYPE_NONSPECIFIC] : Connection closed.
SecureCRT - Version 7.1.3 (x64 build 378)

Connection closed.

rtb 05-08-2014 07:44 AM

Hi evoxfan,

This doesn't really look like the same issue. Are you able to connect to the device using any other SSH client?

evoxfan 05-08-2014 07:56 AM

Yes, I can connect using PuTTY.

rtb 05-08-2014 08:06 AM

Hi evoxfan,

Here you can see what host key algorithm SecureCRT is choosing:
[LOCAL] : Available Remote Host Key Algos = ssh-rsa,ssh-dss
[LOCAL] : Selected Host Key Algo = ssh-dss
If you log your PuTTY connection, what host key algorithm is being chosen?

evoxfan 05-08-2014 08:15 AM

Here are the key exchange lines from the PuTTY log.

Event Log: Using SSH protocol version 2
Incoming packet type 20 / 0x14 (SSH2_MSG_KEXINIT)

Event Log: Using SSH protocol version 2
Incoming packet type 20 / 0x14 (SSH2_MSG_KEXINIT)
00000000 00 00 08 00 ....
Incoming packet type 31 / 0x1f (SSH2_MSG_KEX_DH_GEX_GROUP)

00000000 00 00 08 00 ....
Incoming packet type 31 / 0x1f (SSH2_MSG_KEX_DH_GEX_GROUP)

Incoming packet type 33 / 0x21 (SSH2_MSG_KEX_DH_GEX_REPLY)

Event Log: Host key fingerprint is:
Event Log: ssh-rsa 2048 50:ea:90:20:35:e2:c5:19:5a:bf:31:3e:10:db:1d:59
Outgoing packet type 21 / 0x15 (SSH2_MSG_NEWKEYS)
Event Log: Initialised AES-256 SDCTR client->server encryption
Event Log: Initialised HMAC-SHA1 client->server MAC algorithm
Incoming packet type 21 / 0x15 (SSH2_MSG_NEWKEYS)
Event Log: Initialised AES-256 SDCTR server->client encryption
Event Log: Initialised HMAC-SHA1 server->client MAC algorithm
Outgoing packet type 5 / 0x05 (SSH2_MSG_SERVICE_REQUEST)

Incoming packet type 6 / 0x06 (SSH2_MSG_SERVICE_ACCEPT)

Outgoing packet type 50 / 0x32 (SSH2_MSG_USERAUTH_REQUEST)

Event Log: Sent password
Incoming packet type 52 / 0x34 (SSH2_MSG_USERAUTH_SUCCESS)
Event Log: Access granted
Outgoing packet type 90 / 0x5a (SSH2_MSG_CHANNEL_OPEN)

Incoming packet type 91 / 0x5b (SSH2_MSG_CHANNEL_OPEN_CONFIRMATION)

Incoming packet type 91 / 0x5b (SSH2_MSG_CHANNEL_OPEN_CONFIRMATION)

evoxfan 05-08-2014 08:55 AM

Here's a screenshot of the PuTTY key exchange settings.

rtb 05-08-2014 01:21 PM

Hi evoxfan,

In the PuTTY log, you don't see where it selects ssh-rsa, but you can see the following indicating that ssh-rsa was selected:
Event Log: ssh-rsa 2048 50:ea:90:20:35:e2:c5:19:5a:bf:31:3e:10:db:1d:59

We have seen issues with some SSH servers which advertise that they support ssh-dss, but don't really support it. This could be a configuration issue or a bug in the server.

SecureCRT prefers ssh-dss, and if a server advertises that it supports it, SecureCRT will select it.

It is possible to configure SecureCRT to prefer ssh-rsa, but in your version a registry change is required.
WARNING:
If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
Here is the information to edit the registry so SecureCRT will prefer ssh-rsa:
Path: HKEY_CURRENT_USER\Software\Policies\VanDyke
Key (REG_SZ) Name: "Host Key Algorithms"

Value: comma-separated, ordered list (no spaces) of algorithms our clients will support.
For example:
ssh-rsa, ssh-dss, x509v3-sign-rsa, x509v3-sign-dss
Does this help to resolve the issue?
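As an added example (not code from the thread, SecureCRT or PuTTY), here is a small Python script that parses the `Available Remote ...` / `Selected ...` trace lines posted above and re-runs the SSH algorithm negotiation rule from RFC 4253 section 7.1: the chosen algorithm is the first entry in the client's ordered preference list that the server also advertises. The client preference lists in the script are assumptions used to reproduce the trace; the second list is the ordered value from the registry setting described in this post, with spaces removed as the post requires.

```python
"""RFC 4253 algorithm negotiation, re-run against the SecureCRT trace in this thread.

Added example, not SecureCRT's or PuTTY's own code. The client preference
lists below are assumptions; the server lists come from the posted trace.
"""
import re

# Trace lines copied from the first post in the thread (constructed subset).
TRACE = """\
[LOCAL] : Available Remote Kex Methods = diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
[LOCAL] : Selected Kex Method = diffie-hellman-group1-sha1
[LOCAL] : Available Remote Host Key Algos = ssh-rsa,ssh-dss
[LOCAL] : Selected Host Key Algo = ssh-dss
"""

AVAILABLE_RE = re.compile(r"Available Remote (?P<what>.+?) = (?P<algs>\S+)")
SELECTED_RE = re.compile(r"Selected (?P<what>.+?) = (?P<alg>\S+)")


def parse_trace(text):
    """Return {category: {"available": [...], "selected": str}} from trace lines.

    The 'Available' line says 'Host Key Algos' while the 'Selected' line says
    'Host Key Algo'; the trailing plural 's' is stripped so the two lines pair up.
    """
    result = {}
    for line in text.splitlines():
        m = AVAILABLE_RE.search(line)
        if m:
            key = m.group("what").rstrip("s")
            result.setdefault(key, {})["available"] = m.group("algs").split(",")
            continue
        m = SELECTED_RE.search(line)
        if m:
            key = m.group("what").rstrip("s")
            result.setdefault(key, {})["selected"] = m.group("alg")
    return result


def negotiate(client_prefs, server_prefs):
    """RFC 4253 7.1: the first algorithm in the *client's* list that the server
    also lists wins; the server's own ordering does not matter. None if no match."""
    server = set(server_prefs)
    for alg in client_prefs:
        if alg in server:
            return alg
    return None


# Assumed client host-key preference that reproduces the trace (ssh-dss first).
ASSUMED_DEFAULT_HOSTKEY_PREFS = ["ssh-dss", "ssh-rsa", "x509v3-sign-rsa", "x509v3-sign-dss"]
# The ordered list from the thread's registry value, written with no spaces.
REGISTRY_HOSTKEY_PREFS = "ssh-rsa,ssh-dss,x509v3-sign-rsa,x509v3-sign-dss".split(",")


def host_key_outcome(trace_text, client_prefs):
    """Negotiate the host key algorithm against the server list taken from a trace
    and report whether the result matches the trace's own 'Selected' line."""
    hk = parse_trace(trace_text)["Host Key Algo"]
    chosen = negotiate(client_prefs, hk["available"])
    return {"chosen": chosen, "matches_trace": chosen == hk["selected"]}


if __name__ == "__main__":
    for label, prefs in (("assumed default", ASSUMED_DEFAULT_HOSTKEY_PREFS),
                         ("registry order", REGISTRY_HOSTKEY_PREFS)):
        print(label, host_key_outcome(TRACE, prefs))
```

With ssh-dss ahead of ssh-rsa the script selects ssh-dss, exactly as the trace shows; with the registry ordering it selects ssh-rsa. The registry value is therefore a client preference order, not a restriction: the server's list still has to contain the algorithm, and leaving ssh-dss in the list only moves it to a fallback position for servers that offer nothing else.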

evoxfan 05-08-2014 01:26 PM

Quote:

Originally Posted by rtb (Post 41437)
Path: HKEY_CURRENT_USER\Software\Policies\VanDyke
Key (REG_SZ) Name: "Host Key Algorithms"

Value: comma-separated, ordered list (no spaces) of algorithms our clients will support.
For example:
ssh-rsa, ssh-dss, x509v3-sign-rsa, x509v3-sign-dss
Does this help to resolve the issue?

I don't see a Vandyke folder at this location in my registry. The only folders I have are "Microsoft" and "Power". Should I create it?

evoxfan 05-08-2014 02:01 PM

I created this key and it now works. Thanks for the workaround solution! :)

rtb 05-08-2014 02:03 PM

Hi evoxfan,

I was just about to reply that you need to create the VanDyke folder, and you beat me to the post. :)

I am glad to hear that you are now able to connect to the server using SecureCRT.

dev_singh2487 07-11-2019 08:13 PM

Unable to use ssh
 
Unable to use SSH to my Cisco routers. PuTTY works fine.


version 6.6.3

bgagnon 07-12-2019 07:27 AM

Hi dev_singh2487,

Sorry, but "unable to use SSH" does not provide enough info.

Is it a connection error?

Or an authentication error?

Or a key exchange error, as the title of the forum thread suggests?

What error are you getting?

dev_singh2487 07-12-2019 07:50 AM

Trace logs
 
This is what I get

SecureCRT - Version 6.6.3 (x64 build 412)
[LOCAL] : SSH2Core version 6.6.0.412
[LOCAL] : Connecting to 10.200.190.13:22 ...
[LOCAL] : Changing state from STATE_NOT_CONNECTED to STATE_EXPECT_KEX_INIT
[LOCAL] : Using protocol SSH2
[LOCAL] : RECV : Remote Identifier = 'SSH-2.0-Cisco-1.25'
[LOCAL] : CAP : Remote can re-key
[LOCAL] : CAP : Remote sends language in password change requests
[LOCAL] : CAP : Remote sends algorithm name in PK_OK packets
[LOCAL] : CAP : Remote sends algorithm name in public key packets
[LOCAL] : CAP : Remote sends algorithm name in signatures
[LOCAL] : CAP : Remote sends error text in open failure packets
[LOCAL] : CAP : Remote sends name in service accept packets
[LOCAL] : CAP : Remote includes port number in x11 open packets
[LOCAL] : CAP : Remote uses 160 bit keys for SHA1 MAC
[LOCAL] : CAP : Remote supports new diffie-hellman group exchange messages
[LOCAL] : CAP : Remote correctly handles unknown SFTP extensions
[LOCAL] : CAP : Remote correctly encodes OID for gssapi
[LOCAL] : CAP : Remote correctly uses connected addresses in forwarded-tcpip requests
[LOCAL] : CAP : Remote can do SFTP version 4
[LOCAL] : CAP : Remote uses SHA1 hash in RSA signatures for x.509v3
[LOCAL] : CAP : Remote x.509v3 uses ASN.1 encoding for DSA signatures
[LOCAL] : SSPI : Requesting full delegation
[LOCAL] : SSPI : [Kerberos] SPN : host@10.200.190.13
[LOCAL] : SSPI : [Kerberos] InitializeSecurityContext() failed.
[LOCAL] : SSPI : [Kerberos] The specified target is unknown or unreachable
[LOCAL] : SSPI : [Kerberos] Disabling gss mechanism
[LOCAL] : GSS : Requesting full delegation
[LOCAL] : GSS : [Kerberos] SPN : host@10.200.190.13
[LOCAL] : GSS : [Kerberos] InitializeSecurityContext() failed.
[LOCAL] : GSS : [Kerberos] Could not load library 'gssapi64.dll': The specified module could not be found.
[LOCAL] : GSS : [Kerberos] Disabling gss mechanism
[LOCAL] : GSS : [Kerberos] Disabling gss mechanism
[LOCAL] : The following key exchange method has been filtered from the key exchange method list because it is not supported: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==
[LOCAL] : SSPI : Requesting full delegation
[LOCAL] : SSPI : [Kerberos (Group Exchange)] SPN : host@10.200.190.13
[LOCAL] : SSPI : [Kerberos (Group Exchange)] InitializeSecurityContext() failed.
[LOCAL] : SSPI : [Kerberos (Group Exchange)] The specified target is unknown or unreachable
[LOCAL] : SSPI : [Kerberos (Group Exchange)] Disabling gss mechanism
[LOCAL] : GSS : Requesting full delegation
[LOCAL] : GSS : [Kerberos (Group Exchange)] SPN : host@10.200.190.13
[LOCAL] : GSS : [Kerberos (Group Exchange)] InitializeSecurityContext() failed.
[LOCAL] : GSS : [Kerberos (Group Exchange)] Could not load library 'gssapi64.dll': The specified module could not be found.
[LOCAL] : GSS : [Kerberos (Group Exchange)] Disabling gss mechanism
[LOCAL] : GSS : [Kerberos (Group Exchange)] Disabling gss mechanism
[LOCAL] : The following key exchange method has been filtered from the key exchange method list because it is not supported: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==
[LOCAL] : SEND : KEXINIT
[LOCAL] : RECV : Read kexinit
[LOCAL] : Available Remote Kex Methods = diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
[LOCAL] : Selected Kex Method = diffie-hellman-group-exchange-sha1
[LOCAL] : Available Remote Host Key Algos = ssh-rsa
[LOCAL] : Selected Host Key Algo = ssh-rsa
[LOCAL] : Available Remote Send Ciphers = aes128-ctr,aes256-ctr
[LOCAL] : Selected Send Cipher = aes256-ctr
[LOCAL] : Available Remote Recv Ciphers = aes128-ctr,aes256-ctr
[LOCAL] : Selected Recv Cipher = aes256-ctr
[LOCAL] : Available Remote Send Macs = hmac-sha1
[LOCAL] : Selected Send Mac = hmac-sha1
[LOCAL] : Available Remote Recv Macs = hmac-sha1
[LOCAL] : Selected Recv Mac = hmac-sha1
[LOCAL] : Available Remote Compressors = none
[LOCAL] : Selected Compressor = none
[LOCAL] : Available Remote Decompressors = none
[LOCAL] : Selected Decompressor = none
[LOCAL] : Changing state from STATE_EXPECT_KEX_INIT to STATE_KEY_EXCHANGE
[LOCAL] : SEND : KEXDH_GEX_REQUEST
[LOCAL] : Stream has closed [CLOSE_TYPE_NONSPECIFIC] : The operation completed successfully.
[LOCAL] : RECV: TCP/IP close
[LOCAL] : Changing state from STATE_KEY_EXCHANGE to STATE_CLOSED
[LOCAL] : Connected for 0 seconds, 635 bytes sent, 227 bytes received

bgagnon 07-12-2019 08:58 AM

Hi dev_singh2487,

Note that SecureCRT *receives* the TCP/IP close from the remote:

[LOCAL] : RECV: TCP/IP close

Version 6.6 is at least 10 years old. What are your results with the current version, 8.5.4?

dev_singh2487 07-12-2019 08:59 AM

SSH issue
 
Works well with the newer version. Will get an upgrade. Thanks.

