Welcome to the VanDyke Software Forums

  #1  
Old 09-16-2016, 06:41 AM
redleg1sg redleg1sg is offline
Registered User
 
Join Date: Jul 2016
Posts: 7
The server's host key failed to verify.

SSH key was regenerated on a Cisco 4506E using the command:

crypto key zero rsa

crypto key gen rsa gen mod 2048

Multiple SecureCRT 8 users now get the output below but are able to connect without issue using PuTTY.


[LOCAL] : SSH2Core version 8.0.0.1118
[LOCAL] : FIPS mode enabled
[LOCAL] : Connecting to 10.72.154.1:22 ...
SecureCRT - Version 8.0.2 (x64 build 1118)
[LOCAL] : Changing state from STATE_NOT_CONNECTED to STATE_EXPECT_KEX_INIT
[LOCAL] : Using protocol SSH2
[LOCAL] : RECV : Remote Identifier = 'SSH-2.99-Cisco-1.25'
[LOCAL] : RECV : Remote Identifier (altered) = 'SSH-2.0-Cisco-1.25'
[LOCAL] : CAP : Remote can re-key
[LOCAL] : CAP : Remote sends language in password change requests
[LOCAL] : CAP : Remote sends algorithm name in PK_OK packets
[LOCAL] : CAP : Remote sends algorithm name in public key packets
[LOCAL] : CAP : Remote sends algorithm name in signatures
[LOCAL] : CAP : Remote sends error text in open failure packets
[LOCAL] : CAP : Remote sends name in service accept packets
[LOCAL] : CAP : Remote includes port number in x11 open packets
[LOCAL] : CAP : Remote uses 160 bit keys for SHA1 MAC
[LOCAL] : CAP : Remote supports new diffie-hellman group exchange messages
[LOCAL] : CAP : Remote correctly handles unknown SFTP extensions
[LOCAL] : CAP : Remote correctly encodes OID for gssapi
[LOCAL] : CAP : Remote correctly uses connected addresses in forwarded-tcpip requests
[LOCAL] : CAP : Remote can do SFTP version 4
[LOCAL] : CAP : Remote uses SHA1 hash in RSA signatures for x.509v3
[LOCAL] : CAP : Remote x.509v3 uses ASN.1 encoding for DSA signatures
[LOCAL] : CAP : Remote correctly handles zlib@openssh.com
[LOCAL] : SEND : KEXINIT
[LOCAL] : RECV : Read kexinit
[LOCAL] : Available Remote Kex Methods = diffie-hellman-group1-sha1
[LOCAL] : Selected Kex Method = diffie-hellman-group1-sha1
[LOCAL] : Available Remote Host Key Algos = ssh-rsa
[LOCAL] : Selected Host Key Algo = ssh-rsa
[LOCAL] : Available Remote Send Ciphers = aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
[LOCAL] : Selected Send Cipher = aes256-cbc
[LOCAL] : Available Remote Recv Ciphers = aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
[LOCAL] : Selected Recv Cipher = aes256-cbc
[LOCAL] : Available Remote Send Macs = hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
[LOCAL] : Selected Send Mac = hmac-sha1
[LOCAL] : Available Remote Recv Macs = hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
[LOCAL] : Selected Recv Mac = hmac-sha1
[LOCAL] : Available Remote Compressors = none
[LOCAL] : Selected Compressor = none
[LOCAL] : Available Remote Decompressors = none
[LOCAL] : Selected Decompressor = none
[LOCAL] : Changing state from STATE_EXPECT_KEX_INIT to STATE_KEY_EXCHANGE
[LOCAL] : SEND : KEXDH_INIT
[LOCAL] : RECV : KEXDH_REPLY
[LOCAL] : SEND: Disconnect packet: The server's host key failed to verify. This could mean that the server you are connected to is impersonating the server it claims to be. A connection could not be established.
[LOCAL] : Changing state from STATE_KEY_EXCHANGE to STATE_SEND_DISCONNECT
[LOCAL] : Changing state from STATE_SEND_DISCONNECT to STATE_CLOSED
[LOCAL] : Connected for 0 seconds, 658 bytes sent, 1020 bytes received

[LOCAL] : Stream has closed [CLOSE_TYPE_NONSPECIFIC] : The client has disconnected from the server. Reason: The server's host key failed to verify. This could mean that the server you are connected to is impersonating the server it claims to be. A connection could not be established.

The client has disconnected from the server. Reason:
The server's host key failed to verify. This could mean that the server you are connected to is impersonating the server it claims to be. A connection could not be established.




I have gone as far as removing ALL SSH keys from my laptop yet the error remains only in SecureCRT. PuTTY, Attachmate Reflections and mRemoteNG connect flawlessly after accepting the new key.
  #2  
Old 09-16-2016, 07:55 AM
bgagnon bgagnon is offline
VanDyke Technical Support
 
Join Date: Oct 2008
Posts: 4,357
Hello redleg1sg,

I am sorry to hear about the issue that has occurred.

You can see from this line:

Quote:
[LOCAL] : RECV : Remote Identifier (altered) = 'SSH-2.0-Cisco-1.25'
That this new feature from version 8.0.x has come into play:

Changes in SecureCRT 8.0 (Beta 1) -- January 28, 2016
-----------------------------------------------------

Changes:

  • SSH2: SecureCRT can now connect to Cisco devices that send the incorrect identity string "SSH-2.99-Cisco-1.25".
It seems there might be an additional issue.

The additional troubleshooting info we will need to investigate the issue can include sensitive data, so would you contact us via email (support@vandyke.com). Please reference "Attn Brenda - Forum Thread #12478" in the subject line.
__________________
Thanks,
--Brenda

VanDyke Software
Technical Support
support@vandyke.com
(505) 332-5730
  #3  
Old 09-17-2018, 12:09 PM
joncinla joncinla is offline
Registered User
 
Join Date: Aug 2013
Posts: 1
problems with the server's host client failed to verify

I'm trying to log into a Lantronix terminal server -- not a Cisco device -- and sometimes I get this; other times it works. Works with PuTTY every time.

I don't know if the fix is in SecureCRT or the terminal server.

I'm running SecureCRT version 8.3.2 build 1584.

JONC

The client has disconnected from the server. Reason:
The server's host key failed to verify. This could mean that the server you are connected to is impersonating the server it claims to be. A connection could not be established.
  #4  
Old 09-17-2018, 01:29 PM
ekoranyi ekoranyi is offline
VanDyke Technical Support
 
Join Date: Jan 2017
Posts: 654
Hi joncinla,

I'm sorry you're having trouble. To get a better idea of what may be happening I would like to review a log file of a connection attempt.

Please do not attach your log file in the forums. Please attach it in an email to Support@VanDyke.com with "Attn Eric Forum Post 12478" in the subject line.

Can you take these steps and send me the resulting log file for analysis?

Video Link: https://youtu.be/kzEUhvxKvyY
- Launch SecureCRT and open SecureCRT's main "File" menu and select the "Trace Options" menu item.

- Open the "File" menu again and choose "Log Session..."
--> Specify a path to your Desktop folder and a name of the log file, such as SCRT_Log.txt.

- Now attempt your connection again.

- When the connection fails, open SecureCRT's "File" menu and look at the "Log Session" menu item. If it has a check-mark next to it, click on it to turn off logging.

- Go to your Desktop folder and locate the SCRT_Log.txt file. Please send the SCRT_Log.txt file to me as an attachment to your reply. Please don't paste the contents into the body of your message -- please attach it!
__________________
Thanks,
--Eric

VanDyke Software
Technical Support
support@vandyke.com
(505) 332-5730
  #5  
Old 09-18-2018, 11:27 AM
ekoranyi ekoranyi is offline
VanDyke Technical Support
 
Join Date: Jan 2017
Posts: 654
Hi joncinla,

After some additional research I believe I have some additional information that may help.

A number of Lantronix devices employ an SSH server implementation based on OpenSSH version 6.7 which advertises some key exchange algorithms ( that happen to be implemented incorrectly in that version of OpenSSH. Because SecureCRT prefers these newer/stronger algorithms, this preference can lead to connection problems since a number of these algorithms are not implemented correctly in the SSH server on these Lantronix devices.

To configure SecureCRT to be able to connect successfully to Lantronix devices running a version of SSH based on OpenSSH version 6.7, open your saved session's options, and in the Connection > SSH2 category, make these two changes:
  1. Move the diffie-hellman-group-exchange-sha256 method to the top of the list.
  2. In the Advanced sub-category, disable the SHA2-512 MAC, or move the SHA2-256 MAC (or any other MAC but SHA2-512) to the top of the list.

If you make these configuration changes, are you then able to successfully connect to your Lantronix device?
__________________
Thanks,
--Eric

VanDyke Software
Technical Support
support@vandyke.com
(505) 332-5730
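
An added example, not part of the thread and not VanDyke's code: a small Python parser for the trace output format shown in the first post. It extracts the server identifier, the algorithms offered and selected, and the state in which the client disconnected. The sample lines are copied from that post; the function name and the `LEGACY` review list are this example's own assumptions.

```python
import re

# Constructed sample: a subset of the trace lines from the first post in this thread.
SAMPLE_TRACE = """\
[LOCAL] : RECV : Remote Identifier = 'SSH-2.99-Cisco-1.25'
[LOCAL] : Available Remote Kex Methods = diffie-hellman-group1-sha1
[LOCAL] : Selected Kex Method = diffie-hellman-group1-sha1
[LOCAL] : Available Remote Host Key Algos = ssh-rsa
[LOCAL] : Selected Host Key Algo = ssh-rsa
[LOCAL] : Available Remote Send Ciphers = aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
[LOCAL] : Selected Send Cipher = aes256-cbc
[LOCAL] : Available Remote Send Macs = hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
[LOCAL] : Selected Send Mac = hmac-sha1
[LOCAL] : Changing state from STATE_EXPECT_KEX_INIT to STATE_KEY_EXCHANGE
[LOCAL] : SEND: Disconnect packet: The server's host key failed to verify.
[LOCAL] : Changing state from STATE_KEY_EXCHANGE to STATE_SEND_DISCONNECT
"""

# Assumption: this example's own review list of legacy algorithms, not a VanDyke policy.
LEGACY = {"diffie-hellman-group1-sha1", "3des-cbc", "hmac-md5", "hmac-md5-96", "hmac-sha1-96"}
LINE = re.compile(r"^\[LOCAL\] : (Available Remote|Selected) (.+?) = (.+)$")
STATE = re.compile(r"Changing state from (\S+) to STATE_SEND_DISCONNECT")
IDENT = re.compile(r"Remote Identifier = '([^']+)'")

def summarize_trace(text):
    """Return what the server offered, what was selected, and where the session died."""
    out = {"ident": None, "offered": {}, "selected": {}, "failed_in": None, "reason": None}
    for line in text.splitlines():
        if (m := LINE.match(line)):
            kind, name, value = m.groups()
            if kind == "Selected":
                out["selected"][name] = value.strip()
            else:
                out["offered"][name] = [v.strip() for v in value.split(",")]
        elif (m := IDENT.search(line)):
            out["ident"] = m.group(1)  # raw identifier, before SecureCRT alters it
        elif (m := STATE.search(line)):
            out["failed_in"] = m.group(1)  # state the client was in when it gave up
        elif "Disconnect packet:" in line:
            out["reason"] = line.split("Disconnect packet:", 1)[1].strip()
    # Legacy algorithms the server advertised, grouped by negotiation category.
    out["legacy_offered"] = {k: sorted(set(v) & LEGACY)
                             for k, v in out["offered"].items() if set(v) & LEGACY}
    return out

if __name__ == "__main__":
    for key, value in summarize_trace(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

On the first post's trace, `failed_in` is `STATE_KEY_EXCHANGE`: the client disconnected during key exchange, before any user authentication was attempted.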