Welcome to the VanDyke Software Forums

  #1  
Old 01-02-2014, 04:33 PM
g4ege g4ege is offline
Registered User
 
Join Date: Jan 2014
Posts: 1
SSH Keys

I am recently getting this message for devices I used to be able to connect to via an SSH session in SecureCRT.


The client has disconnected from the server. Reason:
Message Authentication Code did not verify (packet #3). Data integrity has been compromised.


Press Ctrl+C to cancel or Enter to reconnect immediately.
Reconnecting in 4 seconds...

I can connect to those devices by going to a Mac OS terminal session and initiating an SSH session from there. I can also connect to some Linux servers via SSH through SecureCRT still.

Any ideas on how to troubleshoot this?
  #2  
Old 01-02-2014, 05:35 PM
bgagnon bgagnon is offline
VanDyke Technical Support
 
Join Date: Oct 2008
Posts: 4,015
Hello g4ege,

What version of SecureCRT are you using?

Quote:
I am recently getting this message for devices I used to be able to connect to via an SSH session SecureCRT.
What do you mean by the above? (Specifically, my focus is on the "used to be able" phrase.)

What, if anything, changed on the remote or client?

A Secure Shell MAC is simply a hash of the data (packet payload) that is being transferred. The hash value is associated inseparably with the packet itself. If the server is sending a packet to the client, the server hashes the packet's payload and associates the resulting hash with the packet when it is sent to the client. When the client (SecureCRT) receives the packet, it hashes the packet's payload as well, and compares its own hash result with the hash result provided by the server. If the hash results don't match, the SSH2 protocol mandates the transport be closed (i.e., the client disconnects from the server).

If you get different results with other clients, then it could be that a different MAC algorithm is negotiated in those connections.

It's often useful to see trace options output from SecureCRT, which may help determine the differences.

To enable trace options output:
  • First, open SecureCRT's main File pull-down menu and select Trace Options. If you open the File pull down menu again you should see a checkmark next to Trace Options, indicating that troubleshooting output is now enabled.
  • Next, connect to the remote machine. With trace options enabled, you will notice debugging information displayed in the terminal window that isn't normally there by default when SecureCRT is attempting to establish a connection, and at certain times throughout the lifetime of the connection.
  • Once the problem occurs, please right-click inside the terminal window and choose Select All, then right-click again and choose Copy to transfer the information to the clipboard.
  • Finally, open a text editor, paste the information from the clipboard into the editor program, and save it as a text file.
Since trace options can contain sensitive information, please send it as an attachment via email to support@vandyke.com. Please reference "Attn Brenda - Forum Thread #11333" in the subject line.
__________________
Thanks,
--Brenda

VanDyke Software
Technical Support
support@vandyke.com
(505) 332-5730
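
Added example, not part of the original posts and not VanDyke's code: the per-packet check described in post #2, written out as RFC 4253 section 6.4 defines it, where the MAC is keyed with a secret from the key exchange and covers the packet sequence number plus the unencrypted packet. The keys, the payload and the sequence number 3 are constructed sample values.

```python
import hmac
import os
import struct

def build_packet(payload: bytes, block_size: int = 16) -> bytes:
    """Unencrypted SSH binary packet (RFC 4253 s.6): length, pad length, payload, padding."""
    pad_len = block_size - ((5 + len(payload)) % block_size)
    if pad_len < 4:                      # the RFC requires at least 4 bytes of padding
        pad_len += block_size
    packet_length = 1 + len(payload) + pad_len
    return struct.pack(">IB", packet_length, pad_len) + payload + os.urandom(pad_len)

def compute_mac(key: bytes, seq: int, packet: bytes, digest: str) -> bytes:
    """mac = MAC(key, sequence_number || unencrypted_packet), RFC 4253 s.6.4."""
    return hmac.new(key, struct.pack(">I", seq) + packet, digest).digest()

def verify_mac(key: bytes, seq: int, packet: bytes, received: bytes, digest: str) -> bool:
    """Receiver side: recompute the MAC and compare in constant time."""
    return hmac.compare_digest(compute_mac(key, seq, packet, digest), received)

def demo() -> dict:
    # Constructed sample values; in a real session both sides derive the key
    # from the key exchange and never send it.
    key = os.urandom(64)
    payload = b"\x06" + struct.pack(">I", 12) + b"ssh-userauth"  # SSH_MSG_SERVICE_ACCEPT
    packet = build_packet(payload)
    mac = compute_mac(key, 3, packet, "sha512")                  # sender side
    tampered = bytes([packet[0] ^ 1]) + packet[1:]               # one bit changed
    return {
        "match": verify_mac(key, 3, packet, mac, "sha512"),
        "different_key": verify_mac(os.urandom(64), 3, packet, mac, "sha512"),
        "wrong_sequence": verify_mac(key, 4, packet, mac, "sha512"),
        "altered_packet": verify_mac(key, 3, tampered, mac, "sha512"),
        "different_algorithm": verify_mac(key, 3, packet, mac, "sha256"),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:20} {'verified' if ok else 'MAC did not verify, disconnect'}")
```

The receiver sees the same failure whether the packet was altered in transit or the two ends simply disagree on the key, sequence number or algorithm, which is why the trace output is needed to tell the cases apart.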
  #3  
Old 08-19-2014, 09:10 AM
dsimonse dsimonse is offline
Registered User
 
Join Date: Aug 2014
Posts: 2
Same problem for Windows

Hi,

I get this message in version 7.2.5:
"The client has disconnected from the server. Reason:
Message Authentication Code did not verify (packet #3). Data integrity has been compromised." when I connect to a Lantronix SLC version 6.1.0.0.

When using version SecureCRT 7.1.0 to the same Lantronix SLC it works.

When connecting version 7.2.5 to a Lantronix SLC with version 5.4 it works!

  #4  
Old 08-19-2014, 10:05 AM
rtb rtb is offline
VanDyke Technical Support
 
Join Date: Aug 2008
Posts: 4,306
Hi dsimonse,

Thanks for the post.

Are the different versions of SecureCRT installed on the same machine and all using the same network path to establish the connection?

Do you see the same issue using SecureCRT 7.3 beta 1?

If so, please send trace options output to support@vandyke.com with a subject of Attn: Support - MAC connection issue.

To enable trace options output, click on the File pull down menu and select Trace Options. If you click the File pull down menu again you should see a check mark next to Trace Options, indicating that trace options output is now enabled.

With Trace Options enabled, you will notice debugging information displayed in the terminal window that isn't normally there by default when SecureCRT is attempting to establish a connection, and at certain times throughout the lifetime of the connection.

Once the problem occurs, you can use the Select All and Copy options from within the Edit menu to transfer the information to the Windows clipboard, and then paste this information into a text editor and save the data as a file.
__________________
--Todd

VanDyke Software
Technical Support
support@vandyke.com
505-332-5730
  #5  
Old 08-20-2014, 05:56 AM
dsimonse dsimonse is offline
Registered User
 
Join Date: Aug 2014
Posts: 2
Hi Todd,

No, not installed on the same machine - 7.2.5 on my machine - 7.1 on a Remote Desktop or a colleague's machine.

I think I am close to the solution - the new SecureCRT has SHA2-256 and SHA2-512 enabled and they are located at the top of the list. If I disable SHA2-512 it works, and if I re-enable it, it still works since it has now moved to the end of the list.

Regards
Dennis

  #6  
Old 08-20-2014, 09:26 AM
rtb rtb is offline
VanDyke Technical Support
 
Join Date: Aug 2008
Posts: 4,306
Thanks for the update, Dennis.

We would still like to have you send the trace options output for a failing and a successful connection so we can investigate what is happening.

If you would like to investigate this further, please send the requested data.
__________________
--Todd

VanDyke Software
Technical Support
support@vandyke.com
505-332-5730
  #7  
Old 03-17-2015, 09:51 AM
isack2230 isack2230 is offline
Registered User
 
Join Date: Mar 2015
Posts: 1
Solution?

Just tried to connect to a Lantronix via SSH2 over 3001 and get that same error message. If I telnet to 2001 it connects just fine.

[LOCAL] : SSH2Core version 7.3.0.657
[LOCAL] : Connecting to 10.67.160.73:3001 ...
SecureCRT - Version 7.3.0 (x64 build 657)
[LOCAL] : Changing state from STATE_NOT_CONNECTED to STATE_EXPECT_KEX_INIT
[LOCAL] : Using protocol SSH2
[LOCAL] : RECV : Remote Identifier = 'SSH-1.99-OpenSSH_5.9'
[LOCAL] : CAP : Remote can re-key
[LOCAL] : CAP : Remote sends language in password change requests
[LOCAL] : CAP : Remote sends algorithm name in PK_OK packets
[LOCAL] : CAP : Remote sends algorithm name in public key packets
[LOCAL] : CAP : Remote sends algorithm name in signatures
[LOCAL] : CAP : Remote sends error text in open failure packets
[LOCAL] : CAP : Remote sends name in service accept packets
[LOCAL] : CAP : Remote includes port number in x11 open packets
[LOCAL] : CAP : Remote uses 160 bit keys for SHA1 MAC
[LOCAL] : CAP : Remote supports new diffie-hellman group exchange messages
[LOCAL] : CAP : Remote correctly handles unknown SFTP extensions
[LOCAL] : CAP : Remote correctly encodes OID for gssapi
[LOCAL] : CAP : Remote correctly uses connected addresses in forwarded-tcpip requests
[LOCAL] : CAP : Remote can do SFTP version 4
[LOCAL] : CAP : Remote x.509v3 uses ASN.1 encoding for DSA signatures
[LOCAL] : CAP : Remote correctly handles zlib@openssh.com
[LOCAL] : SSPI : Requesting full delegation
[LOCAL] : SSPI : [Kerberos] SPN : host@10.67.160.73
[LOCAL] : SSPI : [Kerberos] InitializeSecurityContext() failed.
[LOCAL] : SSPI : [Kerberos] The specified target is unknown or unreachable
[LOCAL] : SSPI : [Kerberos] Disabling gss mechanism
[LOCAL] : GSS : Requesting full delegation
[LOCAL] : GSS : [Kerberos] SPN : host@10.67.160.73
[LOCAL] : GSS : [Kerberos] InitializeSecurityContext() failed.
[LOCAL] : GSS : [Kerberos] Could not load library 'gssapi64.dll': The specified module could not be found.
[LOCAL] : GSS : [Kerberos] Disabling gss mechanism
[LOCAL] : GSS : [Kerberos] Disabling gss mechanism
[LOCAL] : The following key exchange method has been filtered from the key exchange method list because it is not supported: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==
[LOCAL] : SSPI : Requesting full delegation
[LOCAL] : SSPI : [Kerberos (Group Exchange)] SPN : host@10.67.160.73
[LOCAL] : SSPI : [Kerberos (Group Exchange)] InitializeSecurityContext() failed.
[LOCAL] : SSPI : [Kerberos (Group Exchange)] The specified target is unknown or unreachable
[LOCAL] : SSPI : [Kerberos (Group Exchange)] Disabling gss mechanism
[LOCAL] : GSS : Requesting full delegation
[LOCAL] : GSS : [Kerberos (Group Exchange)] SPN : host@10.67.160.73
[LOCAL] : GSS : [Kerberos (Group Exchange)] InitializeSecurityContext() failed.
[LOCAL] : GSS : [Kerberos (Group Exchange)] Could not load library 'gssapi64.dll': The specified module could not be found.
[LOCAL] : GSS : [Kerberos (Group Exchange)] Disabling gss mechanism
[LOCAL] : GSS : [Kerberos (Group Exchange)] Disabling gss mechanism
[LOCAL] : The following key exchange method has been filtered from the key exchange method list because it is not supported: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==
[LOCAL] : SEND : KEXINIT
[LOCAL] : RECV : Read kexinit
[LOCAL] : Available Remote Kex Methods = ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
[LOCAL] : Selected Kex Method = diffie-hellman-group14-sha1
[LOCAL] : Available Remote Host Key Algos = ssh-rsa,ssh-dss
[LOCAL] : Selected Host Key Algo = ssh-dss
[LOCAL] : Available Remote Send Ciphers = aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
[LOCAL] : Selected Send Cipher = aes256-ctr
[LOCAL] : Available Remote Recv Ciphers = aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
[LOCAL] : Selected Recv Cipher = aes256-ctr
[LOCAL] : Available Remote Send Macs = hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
[LOCAL] : Selected Send Mac = hmac-sha2-512
[LOCAL] : Available Remote Recv Macs = hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
[LOCAL] : Selected Recv Mac = hmac-sha2-512
[LOCAL] : Available Remote Compressors = none
[LOCAL] : Selected Compressor = none
[LOCAL] : Available Remote Decompressors = none
[LOCAL] : Selected Decompressor = none
[LOCAL] : Changing state from STATE_EXPECT_KEX_INIT to STATE_KEY_EXCHANGE
[LOCAL] : SEND : KEXDH_INIT
[LOCAL] : RECV : KEXDH_REPLY
[LOCAL] : Changing state from STATE_KEY_EXCHANGE to STATE_READY_FOR_NEW_KEYS
[LOCAL] : RECV: Remote Hostkey (SHA-1 hash): 11:55:cd:95:fe:63:3a:d5:3f:ff:e5:24:a7:72:fc:c4:ae:b4:58:d5
[LOCAL] : RECV: Remote Hostkey (MD5 hash): 19:24:c1:4d:db:18:b0:1c:72:de:68:3f:a7:01:22:c7
[LOCAL] : SEND : NEWKEYS
[LOCAL] : Changing state from STATE_READY_FOR_NEW_KEYS to STATE_EXPECT_NEWKEYS
[LOCAL] : RECV : NEWKEYS
[LOCAL] : Changing state from STATE_EXPECT_NEWKEYS to STATE_CONNECTION
[LOCAL] : SEND: SERVICE_REQUEST[ssh-userauth]
[LOCAL] : SEND: Disconnect packet: Message Authentication Code did not verify (packet #3). Data integrity has been compromised.
[LOCAL] : Changing state from STATE_CONNECTION to STATE_SEND_DISCONNECT
[LOCAL] : RECV: TCP/IP close
[LOCAL] : Changing state from STATE_SEND_DISCONNECT to STATE_CLOSED
[LOCAL] : Connected for 1 seconds, 1097 bytes sent, 1845 bytes received
[LOCAL] : Stream has closed [CLOSE_TYPE_NONSPECIFIC] : The client has disconnected from the server. Reason: Message Authentication Code did not verify (packet #3). Data integrity has been compromised.

The client has disconnected from the server. Reason:
Message Authentication Code did not verify (packet #3). Data integrity has been compromised.
  #8  
Old 03-17-2015, 10:24 AM
rtb rtb is offline
VanDyke Technical Support
 
Join Date: Aug 2008
Posts: 4,306
Hi isack2230,

Thanks for the post. There is a known issue in OpenSSH 5.9 with the SHA2-512 MAC.

If you change to SHA2-256, do you get better results?
__________________
--Todd

VanDyke Software
Technical Support
support@vandyke.com
505-332-5730

Last edited by rtb; 03-17-2015 at 10:56 AM.
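
Added example, not part of the original posts and not VanDyke's code: a small triage script for trace output like the one in post #7. It pulls out the server identifier and the negotiated MAC, flags the OpenSSH 5.9 plus SHA2-512 combination named in post #8, and applies the RFC 4253 section 7.1 selection rule (first algorithm on the client's list that the server also offers) to show why the reordering described in post #5 changes the outcome. The two client preference lists are constructed; SecureCRT's real lists are not shown in the thread.

```python
import re

# MAC list and trace lines copied from post #7 (abridged to the relevant lines).
MACS = ("hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,"
        "hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,"
        "hmac-sha1-96,hmac-md5-96")
TRACE = f"""\
[LOCAL] : RECV : Remote Identifier = 'SSH-1.99-OpenSSH_5.9'
[LOCAL] : Available Remote Send Macs = {MACS}
[LOCAL] : Selected Send Mac = hmac-sha2-512
[LOCAL] : Available Remote Recv Macs = {MACS}
[LOCAL] : Selected Recv Mac = hmac-sha2-512
[LOCAL] : SEND: Disconnect packet: Message Authentication Code did not verify (packet #3). Data integrity has been compromised.
"""

# Constructed client preference orders (assumption, not taken from SecureCRT).
SHA2_512_FIRST = ["hmac-sha2-512", "hmac-sha2-256", "hmac-sha1"]
SHA2_512_LAST = ["hmac-sha2-256", "hmac-sha1", "hmac-sha2-512"]

FIELD = re.compile(r"^\[LOCAL\] : (?:RECV : )?"
                   r"(Remote Identifier|Available Remote \w+ Macs|Selected \w+ Mac) = (.*)$")

def parse_trace(text: str) -> dict:
    """Collect the identifier, MAC lists, selected MACs and the failure marker."""
    info = {"mac_failure": False}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            info[m.group(1)] = m.group(2).strip("'")
        elif "Message Authentication Code did not verify" in line:
            info["mac_failure"] = True
    return info

def negotiate(client_prefs: list, server_list: list):
    """RFC 4253 s.7.1: first name on the client's list that the server also lists."""
    offered = set(server_list)
    return next((name for name in client_prefs if name in offered), None)

def triage(text: str, client_prefs: list) -> dict:
    info = parse_trace(text)
    server, selected = info["Remote Identifier"], info["Selected Recv Mac"]
    return {
        "server": server, "selected": selected, "mac_failure": info["mac_failure"],
        # Combination reported as a known issue in post #8 of this thread.
        "known_issue": "OpenSSH_5.9" in server and selected == "hmac-sha2-512",
        "would_select": negotiate(client_prefs, info["Available Remote Recv Macs"].split(",")),
    }
```

With SHA2-512 first in the client list the rule selects `hmac-sha2-512`, matching the failing trace; with it moved to the end the same server negotiates `hmac-sha2-256`.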
All times are GMT -6.