  #1  
Old 07-07-2020, 05:23 PM
Arthur302 Arthur302 is offline
Registered User
 
Join Date: Jul 2020
Posts: 3
SSH fails with "Connection closed"

I have a system running SSH that does not like SecureCRT 8.7 or PuTTY 0.74 but works with OpenSSH_for_Windows_7.7p1.

When I try to connect with SecureCRT 8.7 this is the trace output I record:

Code:
[PRINTER] : Printer initialization succeeded
[LOCAL] : SSH2Core version 8.7.0.2214 
[LOCAL] : Connecting to 10.10.1.1:22 ... 
SecureCRT - Version 8.7.2 (x64 build 2214)
[LOCAL] : Changing state from STATE_NOT_CONNECTED to STATE_EXPECT_KEX_INIT 
[LOCAL] : Using protocol SSH2 
[LOCAL] : RECV : Remote Identifier = 'SSH-2.0-0.0.1' 
[LOCAL] : CAP  : Remote can re-key 
[LOCAL] : CAP  : Remote sends language in password change requests 
[LOCAL] : CAP  : Remote sends algorithm name in PK_OK packets 
[LOCAL] : CAP  : Remote sends algorithm name in public key packets 
[LOCAL] : CAP  : Remote sends algorithm name in signatures 
[LOCAL] : CAP  : Remote sends error text in open failure packets 
[LOCAL] : CAP  : Remote sends name in service accept packets 
[LOCAL] : CAP  : Remote includes port number in x11 open packets 
[LOCAL] : CAP  : Remote uses 160 bit keys for SHA1 MAC 
[LOCAL] : CAP  : Remote supports new diffie-hellman group exchange messages 
[LOCAL] : CAP  : Remote correctly handles unknown SFTP extensions 
[LOCAL] : CAP  : Remote correctly sends UTF8 where UTF8 is specified 
[LOCAL] : CAP  : Remote correctly encodes OID for gssapi 
[LOCAL] : CAP  : Remote correctly uses connected addresses in forwarded-tcpip requests 
[LOCAL] : CAP  : Remote is IETF-DRAFT compliant 
[LOCAL] : CAP  : Remote can do SFTP version 4 
[LOCAL] : CAP  : Remote uses SHA1 hash in RSA signatures for x.509v3 
[LOCAL] : CAP  : Remote x.509v3 uses ASN.1 encoding for DSA signatures 
[LOCAL] : CAP  : Remote correctly handles zlib@openssh.com 
[LOCAL] : SEND : KEXINIT 
[LOCAL] : RECV : Read kexinit 
[LOCAL] : Available Remote Kex Methods = diffie-hellman-group1-sha1 
[LOCAL] : Selected Kex Method = diffie-hellman-group1-sha1 
[LOCAL] : Available Remote Host Key Algos = ssh-dss 
[LOCAL] : Selected Host Key Algo = ssh-dss 
[LOCAL] : Available Remote Send Ciphers = 3des-cbc,blowfish-cbc 
[LOCAL] : Selected Send Cipher = blowfish-cbc 
[LOCAL] : Available Remote Recv Ciphers = 3des-cbc,blowfish-cbc 
[LOCAL] : Selected Recv Cipher = blowfish-cbc 
[LOCAL] : Available Remote Send Macs = hmac-sha1 
[LOCAL] : Selected Send Mac = hmac-sha1 
[LOCAL] : Available Remote Recv Macs = hmac-sha1 
[LOCAL] : Selected Recv Mac = hmac-sha1 
[LOCAL] : Available Remote Compressors = none 
[LOCAL] : Selected Compressor = none 
[LOCAL] : Available Remote Decompressors = none 
[LOCAL] : Selected Decompressor = none 
[LOCAL] : Changing state from STATE_EXPECT_KEX_INIT to STATE_KEY_EXCHANGE 
[LOCAL] : SEND : KEXDH_INIT 
[LOCAL] : Changing state from STATE_KEY_EXCHANGE to STATE_CLOSED 
[LOCAL] : Connected for 0 seconds, 1490 bytes sent, 190 bytes received
 
[LOCAL] : Stream has closed [CLOSE_TYPE_NONSPECIFIC] : Connection closed. 

Connection closed.

This is the verbose output from OpenSSH_for_Windows_7.7p1 which succeeds:

Code:
PS C:\Users\owner> ssh -v 10.10.1.1
OpenSSH_for_Windows_7.7p1, LibreSSL 2.6.5
debug1: Reading configuration data C:\\Users\\owner/.ssh/config
debug1: C:\\Users\\owner/.ssh/config line 1: Applying options for *
debug1: C:\\Users\\owner/.ssh/config line 5: Applying options for 10.80.1.*
debug1: Connecting to 10.10.1.1 [10.10.1.1] port 22.
debug1: Connection established.
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_7.7
debug1: Remote protocol version 2.0, remote software version 0.0.1
debug1: no match: 0.0.1
debug1: Authenticating to 10.10.1.1:22 as 'mike'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group1-sha1
debug1: kex: host key algorithm: ssh-dss
debug1: kex: server->client cipher: 3des-cbc MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: 3des-cbc MAC: hmac-sha1 compression: none
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug1: Server host key: ssh-dss SHA256:Bl5pdPHUJawlAX0Or2lATIOoKorQpeQPQXKYac7b5RU
debug1: Host '10.10.1.1' is known and matches the DSA host key.
debug1: Found key in C:\\Users\\owner/.ssh/known_hosts:1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: password
debug1: Next authentication method: password
debug1: read_passphrase: can't open /dev/tty: No such file or directory
mike@10.10.1.1's password:
debug1: Authentication succeeded (password).
Authenticated to 10.10.1.1 ([10.10.1.1]:22).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: pledge: network
debug1: console supports the ansi parsing


switch#

The .ssh\config for OpenSSH looks like this:

Code:
Host *
    PubkeyAuthentication no
    Ciphers 3des-cbc
    HostKeyAlgorithms ssh-dss
    KexAlgorithms diffie-hellman-group1-sha1

I seem to have exhausted possible configuration options in SecureCRT and would appreciate any further pointers.
  #2  
Old 07-08-2020, 08:33 AM
bgagnon bgagnon is offline
VanDyke Technical Support
 
Join Date: Oct 2008
Posts: 4,397
Hi Arthur302,

Wow, this must be some old device based on the options it negotiates for cipher, MAC, etc.

The only difference I see in the traces is this:

SecureCRT:
[LOCAL] : Available Remote Send Ciphers = 3des-cbc,blowfish-cbc
[LOCAL] : Selected Send Cipher = blowfish-cbc
[LOCAL] : Available Remote Recv Ciphers = 3des-cbc,blowfish-cbc
[LOCAL] : Selected Recv Cipher = blowfish-cbc

OpenSSH_for_Windows:
debug1: kex: server->client cipher: 3des-cbc MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: 3des-cbc MAC: hmac-sha1 compression: none


Have you tried with only 3DES enabled in the Connection / SSH2 / Advanced category of Session Options?


When you compare the traces, you can see SecureCRT sends the same KEXDH_INIT that OpenSSH_for_Windows client did:

SecureCRT:
[LOCAL] : SEND : KEXDH_INIT
[LOCAL] : Changing state from STATE_KEY_EXCHANGE to STATE_CLOSED

OpenSSH_for_Windows:
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY


SecureCRT just never gets a reply.

Is the remote device capable of any debug logging? What does it show the issue is?
__________________
Thanks,
--Brenda

VanDyke Software
Technical Support
support@vandyke.com
(505) 332-5730
  #3  
Old 07-08-2020, 09:43 AM
Arthur302 Arthur302 is offline
Registered User
 
Join Date: Jul 2020
Posts: 3
Smile

Quote:
Have you tried with only 3DES enabled in the Connection / SSH2 / Advanced category of Session Options?

That, and disabling all key exchanges that were not DH, did the trick. Thank you Brenda!

This particular device is a Telco Systems T-Marc 280. The firmware is about a year old. The vendor acknowledges that hardware limitations prevent them from implementing better SSH options.

Code:
BATM Advanced Communications

Switch model              : T-Marc-280
Product Category : AccessEthernet(TM) 

Switch running SW version : 11.0.R3 created Jun 19 2019 - 17:24:26

Switch Default SW file    : BiNOS-TMarc_280-11.0.R3.Z
Switch Default SW version : 11.0.R3
  #4  
Old 07-08-2020, 10:18 AM
bgagnon bgagnon is offline
VanDyke Technical Support
 
Join Date: Oct 2008
Posts: 4,397
Hi Arthur302,

Thanks for the update. I am glad to hear you got it working.

Just to let you know, we will be dropping support of 3DES in v8.8.

Changes in SecureCRT 8.8 (Pre-Beta) -- May 1, 2020
--------------------------------------------------
Changes:
  • SSH2: Removed support for several weak ciphers (Blowfish, 3DES, RC4) and MACs (SHA1-96, MD5, and MD5-96).
__________________
Thanks,
--Brenda

VanDyke Software
Technical Support
support@vandyke.com
(505) 332-5730
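
Added example, not part of the thread and not VanDyke code: the cipher/MAC selection rule from RFC 4253 section 7.1 applied to the server offers in the SecureCRT trace above, plus a check for which categories are left with no usable algorithm once the algorithms named in the 8.8 pre-beta changelog are removed. The client preference lists and the mapping from changelog names to SSH wire names are assumptions of this example.

```python
import re

# Constructed sample: server offer lines copied from the SecureCRT trace in post #1.
TRACE = """\
[LOCAL] : Available Remote Kex Methods = diffie-hellman-group1-sha1
[LOCAL] : Available Remote Host Key Algos = ssh-dss
[LOCAL] : Available Remote Send Ciphers = 3des-cbc,blowfish-cbc
[LOCAL] : Available Remote Recv Ciphers = 3des-cbc,blowfish-cbc
[LOCAL] : Available Remote Send Macs = hmac-sha1
[LOCAL] : Available Remote Recv Macs = hmac-sha1
"""

# SSH wire names for what the 8.8 pre-beta changelog removes
# (Blowfish, 3DES, RC4; SHA1-96, MD5, MD5-96). The name mapping is this
# example's assumption, not taken from the changelog.
REMOVED = {"blowfish-cbc", "3des-cbc", "arcfour", "arcfour128", "arcfour256",
           "hmac-sha1-96", "hmac-md5", "hmac-md5-96"}

OFFER_RE = re.compile(r"Available Remote (.+?) = (\S+)")

def parse_offers(trace):
    """Map each negotiation category to the server's ordered algorithm list."""
    return {m.group(1): m.group(2).split(",") for m in OFFER_RE.finditer(trace)}

def negotiate(client_prefs, server_offers):
    """RFC 4253 section 7.1 (ciphers, MACs): the first name on the client's
    list that the server also offers is chosen; None means no common algorithm."""
    return next((a for a in client_prefs if a in server_offers), None)

def stranded(offers, removed=REMOVED):
    """Categories in which every algorithm the server offers has been removed."""
    return sorted(c for c, algos in offers.items()
                  if all(a in removed for a in algos))

if __name__ == "__main__":
    offers = parse_offers(TRACE)
    ciphers = offers["Send Ciphers"]
    # Hypothetical client orderings; the thread does not show SecureCRT's own list.
    print(negotiate(["aes256-ctr", "blowfish-cbc", "3des-cbc"], ciphers))
    print(negotiate(["3des-cbc"], ciphers))
    print(stranded(offers))
```

With this device's offers, a client that lists blowfish-cbc ahead of 3des-cbc lands on blowfish-cbc, a 3DES-only client lands on 3des-cbc, and both cipher directions are left with nothing once Blowfish and 3DES are removed.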
  #5  
Old 07-08-2020, 10:20 AM
Arthur302 Arthur302 is offline
Registered User
 
Join Date: Jul 2020
Posts: 3
Quote:
Originally Posted by bgagnon
Just to let you know, we will be dropping support of 3DES in v8.8.

Hmmm... we're evaluating and this was the feature that pushes me to buy. It will definitely mean we're locked into 8.7 for the foreseeable future and dictate the maintenance level we purchase. Thanks for the information. I appreciate the desire to make the product more secure and deprecate insecure options. Unfortunately we don't have a choice with this vendor at this time and have too many of these devices in far-flung locations to easily replace with something else.
  #6  
Old 07-08-2020, 11:09 AM
bgagnon bgagnon is offline
VanDyke Technical Support
 
Join Date: Oct 2008
Posts: 4,397
Hi Arthur302,

I have created a feature request on your behalf in our product enhancement database to keep (bring back) support of 3DES cipher. Should a future release of SecureCRT include this feature, notification will be posted here.

If you prefer direct email notification, send an email to support@vandyke.com and include Feature Request - Forum Thread #14230 in the subject line or use this form from the support page of our website.
__________________
Thanks,
--Brenda

VanDyke Software
Technical Support
support@vandyke.com
(505) 332-5730
  #7  
Old 07-27-2020, 11:47 AM
bgagnon bgagnon is offline
VanDyke Technical Support
 
Join Date: Oct 2008
Posts: 4,397
Hi Arthur302,

I'm happy to tell you the SecureCRT product director decided to keep 3DES cipher in v8.8, but it will be off by default.

If you would like us to make the pre-release build available please send an email to support@vandyke.com and reference Forum Thread #14230.
__________________
Thanks,
--Brenda

VanDyke Software
Technical Support
support@vandyke.com
(505) 332-5730

Last edited by jdev; 08-06-2020 at 02:02 PM.
All times are GMT -6.