Secure CRT 7.3.7 - Session disconnects

[themavrik75]

Hello,

I'm using SecureCRT - Version 7.3.7 (x64 build 1034) and my SSH session keeps disconnecting with the following error message:

The client has disconnected from the server. Reason:
Message Authentication Code did not verify (packet #1456). Data integrity has been compromised.

I have enabled Trace Options and I have captured the following:

~~~~~~~~~~~~~~~~~~~

[LOCAL] : SSH2Core version 7.3.0.1034
[LOCAL] : Connecting to 10.19.112.20:22 ...
SecureCRT - Version 7.3.7 (x64 build 1034)
[LOCAL] : Changing state from STATE_NOT_CONNECTED to STATE_EXPECT_KEX_INIT
[LOCAL] : Using protocol SSH2
[LOCAL] : RECV : Remote Identifier = 'SSH-2.0-OpenSSH_7.6'
[LOCAL] : CAP : Remote can re-key
[LOCAL] : CAP : Remote sends language in password change requests
[LOCAL] : CAP : Remote sends algorithm name in PK_OK packets
[LOCAL] : CAP : Remote sends algorithm name in public key packets
[LOCAL] : CAP : Remote sends algorithm name in signatures
[LOCAL] : CAP : Remote sends error text in open failure packets
[LOCAL] : CAP : Remote sends name in service accept packets
[LOCAL] : CAP : Remote includes port number in x11 open packets
[LOCAL] : CAP : Remote uses 160 bit keys for SHA1 MAC
[LOCAL] : CAP : Remote supports new diffie-hellman group exchange messages
[LOCAL] : CAP : Remote correctly handles unknown SFTP extensions
[LOCAL] : CAP : Remote correctly encodes OID for gssapi
[LOCAL] : CAP : Remote correctly uses connected addresses in forwarded-tcpip requests
[LOCAL] : CAP : Remote can do SFTP version 4
[LOCAL] : CAP : Remote x.509v3 uses ASN.1 encoding for DSA signatures
[LOCAL] : CAP : Remote correctly handles zlib@openssh.com
[LOCAL] : SSPI : Requesting full delegation
[LOCAL] : SSPI : [Kerberos] SPN : host@10.19.112.20
[LOCAL] : SSPI : [Kerberos] InitializeSecurityContext() failed.
[LOCAL] : SSPI : [Kerberos] The specified target is unknown or unreachable
[LOCAL] : SSPI : [Kerberos] Disabling gss mechanism
[LOCAL] : GSS : Requesting full delegation
[LOCAL] : GSS : [Kerberos] SPN : host@10.19.112.20
[LOCAL] : GSS : [Kerberos] InitializeSecurityContext() failed.
[LOCAL] : GSS : [Kerberos] Could not load library 'gssapi64.dll': The specified module could not be found.
[LOCAL] : GSS : [Kerberos] Disabling gss mechanism
[LOCAL] : GSS : [Kerberos] Disabling gss mechanism
[LOCAL] : The following key exchange method has been filtered from the key exchange method list because it is not supported: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==
[LOCAL] : SSPI : Requesting full delegation
[LOCAL] : SSPI : [Kerberos (Group Exchange)] SPN : host@10.19.112.20
[LOCAL] : SSPI : [Kerberos (Group Exchange)] InitializeSecurityContext() failed.
[LOCAL] : SSPI : [Kerberos (Group Exchange)] The specified target is unknown or unreachable
[LOCAL] : SSPI : [Kerberos (Group Exchange)] Disabling gss mechanism
[LOCAL] : GSS : Requesting full delegation
[LOCAL] : GSS : [Kerberos (Group Exchange)] SPN : host@10.19.112.20
[LOCAL] : GSS : [Kerberos (Group Exchange)] InitializeSecurityContext() failed.
[LOCAL] : GSS : [Kerberos (Group Exchange)] Could not load library 'gssapi64.dll': The specified module could not be found.
[LOCAL] : GSS : [Kerberos (Group Exchange)] Disabling gss mechanism
[LOCAL] : GSS : [Kerberos (Group Exchange)] Disabling gss mechanism
[LOCAL] : The following key exchange method has been filtered from the key exchange method list because it is not supported: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==
[LOCAL] : SEND : KEXINIT
[LOCAL] : RECV : Read kexinit
[LOCAL] : Available Remote Kex Methods = curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
[LOCAL] : Selected Kex Method = diffie-hellman-group14-sha1
[LOCAL] : Available Remote Host Key Algos = ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
[LOCAL] : Selected Host Key Algo = ssh-rsa
[LOCAL] : Available Remote Send Ciphers = chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
[LOCAL] : Selected Send Cipher = aes256-ctr
[LOCAL] : Available Remote Recv Ciphers = chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
[LOCAL] : Selected Recv Cipher = aes256-ctr
[LOCAL] : Available Remote Send Macs = umac-64-etm@openssh.com,umac-128-etm...28@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
[LOCAL] : Selected Send Mac = hmac-sha2-256
[LOCAL] : Available Remote Recv Macs = umac-64-etm@openssh.com,umac-128-etm...28@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
[LOCAL] : Selected Recv Mac = hmac-sha2-256
[LOCAL] : Available Remote Compressors = none
[LOCAL] : Selected Compressor = none
[LOCAL] : Available Remote Decompressors = none
[LOCAL] : Selected Decompressor = none
[LOCAL] : Changing state from STATE_EXPECT_KEX_INIT to STATE_KEY_EXCHANGE
[LOCAL] : SEND : KEXDH_INIT
[LOCAL] : RECV : KEXDH_REPLY
[LOCAL] : Changing state from STATE_KEY_EXCHANGE to STATE_READY_FOR_NEW_KEYS
[LOCAL] : RECV: Remote Hostkey (SHA-1 hash): 02:74:30:ac:bb:4b:c1:8c:41:8f:1f:7c:0c:04:6f:b1:8e:06:47:fd
[LOCAL] : RECV: Remote Hostkey (MD5 hash): 94:c1:53:85:2c:ac:44:bc:6d:3f:47:31:98:1f:c0:e9
[LOCAL] : SEND : NEWKEYS
[LOCAL] : Changing state from STATE_READY_FOR_NEW_KEYS to STATE_EXPECT_NEWKEYS
[LOCAL] : RECV : NEWKEYS
[LOCAL] : Changing state from STATE_EXPECT_NEWKEYS to STATE_CONNECTION
[LOCAL] : SEND: SERVICE_REQUEST[ssh-userauth]
[LOCAL] : RECV: SERVICE_ACCEPT[ssh-userauth] -- OK
[LOCAL] : SENT : USERAUTH_REQUEST [none]
[LOCAL] : RECV : SSH_MSG_USERAUTH_BANNER
[LOCAL] : RECV : USERAUTH_FAILURE, continuations [password]
[LOCAL] : SENT : USERAUTH_REQUEST [password]

Broadcom Corporation Embedded BFC SSH Server (c) 2000-2018

WARNING: Access allowed by authorized users only.

[LOCAL] : RECV : AUTH_SUCCESS
[LOCAL] : SEND[0]: SSH_MSG_CHANNEL_OPEN('session')
[LOCAL] : SEND[0]: Pty Request (rows: 68, cols: 203)
[LOCAL] : RECV[0]: pty request succeeded
[LOCAL] : SEND[0]: shell request
[LOCAL] : RECV[0]: shell request succeeded

[LOCAL] : Changing state from STATE_SEND_DISCONNECT to STATE_CLOSED
[LOCAL] : RECV: TCP/IP close
[LOCAL] : Discarding invalid state change from STATE_CLOSED to STATE_ALMOST_CLOSED.
[LOCAL] : Connected for 43 seconds, 4402 bytes sent, 73933 bytes received

[LOCAL] : Stream has closed [CLOSE_TYPE_NONSPECIFIC] : The client has disconnected from the server. Reason: Message Authentication Code did not verify (packet #542). Data integrity has been compromised.

The client has disconnected from the server. Reason:
Message Authentication Code did not verify (packet #542). Data integrity has been compromised.

~~~~~~~~~~~~~~~~~~~

Can you please review the logs and help me figuring out the root cause?

Thanks,
Vikram

[berdmann]

Hi themavrik75,

This behavior generally indicates that the server does not play nicely with the MAC that was selected (hmac-sha2-256).

What MAC's do you have enabled for this connection? Options -> Session Options -> SSH2 -> Advanced

What are your results if you disable the 'hmac-sha2-256' MAC and re-test?

[themavrik75]

Sorry for the delay in replying...

I disabled 256 and it looks like it is not disconnecting anymore...I will keep an eye on it.

Thanks again! Much appreciated.

[berdmann]

Hi themavrik75,

I am glad to hear that disabling the MAC seems to have resolved the issue!

Please let us know if you experience any additional problems moving forward!