#1
04-06-2018, 03:00 PM
RickVR
Registered User
Join Date: Apr 2018
Posts: 1
Unable to connect via PKI on Redhat 7

We have upgraded a couple of our servers to Redhat 7 and now SecureCRT cannot connect using PKI.

Redhat 7 version:
Linux storage4 3.10.0-693.17.1.el7.x86_64 #1 SMP Sun Jan 14 10:36:03 EST 2018 x86_64 x86_64 x86_64 GNU/Linux

Redhat 6 version (for info):
Linux storage3 2.6.32-696.20.1.el6.x86_64 #1 SMP Fri Jan 12 15:07:59 EST 2018 x86_64 x86_64 x86_64 GNU/Linux

SecureCRT version:
Version 8.3.2 (x64 build 1584)-Official Release-February 8, 2018

The latest version of Putty does connect but older versions do not.
Which leads me to believe there have been some changes to the MACs used in the new Redhat.

Here are the Macs used in Redhat 7: hmac-sha2-512-etm@openssh.com,hmac-s...28@openssh.com

I have included two trace logs below. (I cannot attach files for some reason). One trace log is from Redhat 7 that failed to connect and the other is from Redhat 6, that does connect, as a baseline.

The error that pops up says: Public-key authentication with the server for user <user> failed. Please verify username and public/private key pair.

I can connect using a password but I would rather use PKI.
My UNIX home directory is NAS mounted so it is identical for all of our Linux hosts. Which means that my $HOME/.ssh files/dirs are correct.

I am a registered user of SecureCRT/SecureFX.

Thanks in advance for any help.
Rick


Redhat 7 Trace
[PRINTER] : Printer initialization succeeded
[LOCAL] : SSH2Core version 8.3.0.1584
[LOCAL] : Connecting to storage4:22 ...
[LOCAL] : Resolved hostname to <IP Address>:22
[LOCAL] : Changing state from STATE_NOT_CONNECTED to STATE_EXPECT_KEX_INIT
[LOCAL] : Using protocol SSH2
[LOCAL] : RECV : Remote Identifier = 'SSH-2.0-OpenSSH_7.4'
[LOCAL] : CAP : Remote can re-key
[LOCAL] : CAP : Remote sends language in password change requests
[LOCAL] : CAP : Remote sends algorithm name in PK_OK packets
[LOCAL] : CAP : Remote sends algorithm name in public key packets
[LOCAL] : CAP : Remote sends algorithm name in signatures
[LOCAL] : CAP : Remote sends error text in open failure packets
[LOCAL] : CAP : Remote sends name in service accept packets
[LOCAL] : CAP : Remote includes port number in x11 open packets
[LOCAL] : CAP : Remote uses 160 bit keys for SHA1 MAC
[LOCAL] : CAP : Remote supports new diffie-hellman group exchange messages
[LOCAL] : CAP : Remote correctly handles unknown SFTP extensions
[LOCAL] : CAP : Remote correctly encodes OID for gssapi
[LOCAL] : CAP : Remote correctly uses connected addresses in forwarded-tcpip requests
[LOCAL] : CAP : Remote can do SFTP version 4
[LOCAL] : CAP : Remote uses SHA1 hash in RSA signatures for x.509v3
[LOCAL] : CAP : Remote x.509v3 uses ASN.1 encoding for DSA signatures
[LOCAL] : CAP : Remote correctly handles zlib@openssh.com
[LOCAL] : SSPI : Requesting full delegation
[LOCAL] : SSPI : [Kerberos] SPN : host/storage4 <snip>
[LOCAL] : SSPI : Requesting full delegation
[LOCAL] : SSPI : [Kerberos (Group Exchange)] SPN : host/storage4 <snip>
[LOCAL] : SEND : KEXINIT
[LOCAL] : RECV : Read kexinit
[LOCAL] : Available Remote Kex Methods = curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
[LOCAL] : Selected Kex Method = ecdh-sha2-nistp521
[LOCAL] : Available Remote Host Key Algos = ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
[LOCAL] : Selected Host Key Algo = ssh-ed25519
[LOCAL] : Available Remote Send Ciphers = aes256-ctr,aes192-ctr,aes128-ctr
[LOCAL] : Selected Send Cipher = aes256-ctr
[LOCAL] : Available Remote Recv Ciphers = aes256-ctr,aes192-ctr,aes128-ctr
[LOCAL] : Selected Recv Cipher = aes256-ctr
[LOCAL] : Available Remote Send Macs = hmac-sha2-512-etm@openssh.com,hmac-s...28@openssh.com
[LOCAL] : Selected Send Mac = hmac-sha2-512
[LOCAL] : Available Remote Recv Macs = hmac-sha2-512-etm@openssh.com,hmac-s...28@openssh.com
[LOCAL] : Selected Recv Mac = hmac-sha2-512
[LOCAL] : Available Remote Compressors = none,zlib@openssh.com
[LOCAL] : Selected Compressor = none
[LOCAL] : Available Remote Decompressors = none,zlib@openssh.com
[LOCAL] : Selected Decompressor = none
[LOCAL] : Changing state from STATE_EXPECT_KEX_INIT to STATE_KEY_EXCHANGE
[LOCAL] : SEND : SSH_MSG_KEX_ECDH_INIT
SecureCRT - Version 8.3.2 (x64 build 1584)
[LOCAL] : RECV : SSH_MSG_KEX_ECDH_REPLY
[LOCAL] : Changing state from STATE_KEY_EXCHANGE to STATE_READY_FOR_NEW_KEYS
[LOCAL] : RECV: Remote Hostkey (SHA-2 hash hex): 2e:2a:dc:11:c5:3f:38:bf:72:7e:0e:a4:32:fd:b8:0f:68:6b:78:d9:56:97:1f:86:db:8d:e7:29:8f:39:51:0d
[LOCAL] : RECV: Remote Hostkey (SHA-2 hash base64): LircEcU/OL9yfg6kMv24D2hreNlWlx+G243nKY85UQ0
[LOCAL] : RECV: Remote Hostkey (SHA-1 hash): 05:f5:91:c4:04:9c:ef:f6:dc:a9:f9:0f:e1:a5:c7:76:db:ef:bf:c2
[LOCAL] : RECV: Remote Hostkey (MD5 hash): 4b:8f:84:c6:bf:5d:61:08:68:43:dc:b1:b9:fe:c1:7f
[LOCAL] : SEND : NEWKEYS
[LOCAL] : Changing state from STATE_READY_FOR_NEW_KEYS to STATE_EXPECT_NEWKEYS
[LOCAL] : RECV : NEWKEYS
[LOCAL] : Changing state from STATE_EXPECT_NEWKEYS to STATE_CONNECTION
[LOCAL] : SEND: SERVICE_REQUEST[ssh-userauth]
[LOCAL] : RECV: SERVICE_ACCEPT[ssh-userauth] -- OK
[LOCAL] : SENT : USERAUTH_REQUEST [none]
[LOCAL] : Authenticating as user <username>
[LOCAL] : RECV : SSH_MSG_USERAUTH_BANNER
[LOCAL] : RECV : USERAUTH_FAILURE, continuations [publickey,gssapi-keyex,gssapi-with-mic,password]
[LOCAL] : SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - unsigned,fingerprint (SHA-2 hash): cf:2e:52:0c:da:f5:19:a5:c2:18:07:bd:63:32:4c:1a:fd:2f:53:b4:c1:b3:19:c1:ae:81:58:32:2c:78:41:a8]
[LOCAL] : SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - unsigned,fingerprint (SHA-1 hash): 06:15:1f:27:35:45:94:0b:20:69:2c:dc:e9:e8:60:4d:b1:ca:dc:4f]
[LOCAL] : SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - unsigned,fingerprint (MD5 hash): 36:f4:a7:71:80:aa:3f:18:6a:80:b8:55:0a:8c:1d:a4]
[LOCAL] : RECV : USERAUTH_FAILURE, continuations [publickey,gssapi-keyex,gssapi-with-mic,password]
[LOCAL] : SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - unsigned,agent,fingerprint (SHA-2 hash): cf:2e:52:0c:da:f5:19:a5:c2:18:07:bd:63:32:4c:1a:fd:2f:53:b4:c1:b3:19:c1:ae:81:58:32:2c:78:41:a8]
[LOCAL] : SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - unsigned,agent,fingerprint (SHA-1 hash): 06:15:1f:27:35:45:94:0b:20:69:2c:dc:e9:e8:60:4d:b1:ca:dc:4f]
[LOCAL] : SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - unsigned,agent,fingerprint (MD5 hash): 36:f4:a7:71:80:aa:3f:18:6a:80:b8:55:0a:8c:1d:a4]
[LOCAL] : RECV : USERAUTH_FAILURE, continuations [publickey,gssapi-keyex,gssapi-with-mic,password]

[LOCAL] : SEND: Disconnect packet: The user canceled authentication.
[LOCAL] : Changing state from STATE_CONNECTION to STATE_SEND_DISCONNECT
[LOCAL] : Changing state from STATE_SEND_DISCONNECT to STATE_CLOSED
[LOCAL] : Connected for 5 seconds, 2242 bytes sent, 3261 bytes received

[LOCAL] : Stream has closed [CLOSE_TYPE_NO_AUTO_RECONNECT] : The user canceled authentication.




Redhat 6 Trace
[PRINTER] : Printer initialization succeeded
[LOCAL] : SSH2Core version 8.3.0.1584
[LOCAL] : Connecting to storage3:22 ...
[LOCAL] : Resolved hostname to <IP Address>:22
[LOCAL] : Changing state from STATE_NOT_CONNECTED to STATE_EXPECT_KEX_INIT
[LOCAL] : Using protocol SSH2
[LOCAL] : RECV : Remote Identifier = 'SSH-2.0-OpenSSH_5.3'
[LOCAL] : CAP : Remote can re-key
[LOCAL] : CAP : Remote sends language in password change requests
[LOCAL] : CAP : Remote sends algorithm name in PK_OK packets
[LOCAL] : CAP : Remote sends algorithm name in public key packets
[LOCAL] : CAP : Remote sends algorithm name in signatures
[LOCAL] : CAP : Remote sends error text in open failure packets
[LOCAL] : CAP : Remote sends name in service accept packets
[LOCAL] : CAP : Remote includes port number in x11 open packets
[LOCAL] : CAP : Remote uses 160 bit keys for SHA1 MAC
[LOCAL] : CAP : Remote supports new diffie-hellman group exchange messages
[LOCAL] : CAP : Remote correctly handles unknown SFTP extensions
[LOCAL] : CAP : Remote correctly encodes OID for gssapi
[LOCAL] : CAP : Remote correctly uses connected addresses in forwarded-tcpip requests
[LOCAL] : CAP : Remote can do SFTP version 4
[LOCAL] : CAP : Remote uses SHA1 hash in RSA signatures for x.509v3
[LOCAL] : CAP : Remote x.509v3 uses ASN.1 encoding for DSA signatures
[LOCAL] : CAP : Remote correctly handles zlib@openssh.com
[LOCAL] : SSPI : Requesting full delegation
[LOCAL] : SSPI : [Kerberos] SPN : host/storage3 <snip>
[LOCAL] : SSPI : Requesting full delegation
[LOCAL] : SSPI : [Kerberos (Group Exchange)] SPN : host/storage3 <snip>
[LOCAL] : SEND : KEXINIT
[LOCAL] : RECV : Read kexinit
[LOCAL] : Available Remote Kex Methods = diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
[LOCAL] : Selected Kex Method = diffie-hellman-group14-sha1
[LOCAL] : Available Remote Host Key Algos = ssh-rsa,ssh-dss
[LOCAL] : Selected Host Key Algo = ssh-rsa
[LOCAL] : Available Remote Send Ciphers = aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
[LOCAL] : Selected Send Cipher = aes256-ctr
[LOCAL] : Available Remote Recv Ciphers = aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
[LOCAL] : Selected Recv Cipher = aes256-ctr
[LOCAL] : Available Remote Send Macs = hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
[LOCAL] : Selected Send Mac = hmac-sha2-512
[LOCAL] : Available Remote Recv Macs = hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
[LOCAL] : Selected Recv Mac = hmac-sha2-512
[LOCAL] : Available Remote Compressors = none,zlib@openssh.com
[LOCAL] : Selected Compressor = none
[LOCAL] : Available Remote Decompressors = none,zlib@openssh.com
[LOCAL] : Selected Decompressor = none
[LOCAL] : Changing state from STATE_EXPECT_KEX_INIT to STATE_KEY_EXCHANGE
[LOCAL] : SEND : KEXDH_INIT
SecureCRT - Version 8.3.2 (x64 build 1584)
[LOCAL] : RECV : KEXDH_REPLY
[LOCAL] : Changing state from STATE_KEY_EXCHANGE to STATE_READY_FOR_NEW_KEYS
[LOCAL] : RECV: Remote Hostkey (SHA-2 hash hex): 7a:5c:53:5c:4c:1d:9f:2e:d8:a6:a9:c0:93:a6:1a:73:da:3c:57:18:24:ec:e9:a2:69:f4:e9:df:59:54:48:77
[LOCAL] : RECV: Remote Hostkey (SHA-2 hash base64): elxTXEwdny7YpqnAk6Yac9o8Vxgk7OmiafTp31lUSHc
[LOCAL] : RECV: Remote Hostkey (SHA-1 hash): 23:79:69:67:53:e3:ec:f5:42:7b:80:ed:c8:a0:f4:bd:57:c1:39:42
[LOCAL] : RECV: Remote Hostkey (MD5 hash): 35:8c:e5:89:f2:01:c0:98:6e:fd:35:f2:97:39:b5:68
[LOCAL] : SEND : NEWKEYS
[LOCAL] : Changing state from STATE_READY_FOR_NEW_KEYS to STATE_EXPECT_NEWKEYS
[LOCAL] : RECV : NEWKEYS
[LOCAL] : Changing state from STATE_EXPECT_NEWKEYS to STATE_CONNECTION
[LOCAL] : SEND: SERVICE_REQUEST[ssh-userauth]
[LOCAL] : RECV: SERVICE_ACCEPT[ssh-userauth] -- OK
[LOCAL] : SENT : USERAUTH_REQUEST [none]
[LOCAL] : Authenticating as user <username>
[LOCAL] : RECV : SSH_MSG_USERAUTH_BANNER
[LOCAL] : RECV : USERAUTH_FAILURE, continuations [publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive]
[LOCAL] : SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - unsigned,fingerprint (SHA-2 hash): cf:2e:52:0c:da:f5:19:a5:c2:18:07:bd:63:32:4c:1a:fd:2f:53:b4:c1:b3:19:c1:ae:81:58:32:2c:78:41:a8]
[LOCAL] : SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - unsigned,fingerprint (SHA-1 hash): 06:15:1f:27:35:45:94:0b:20:69:2c:dc:e9:e8:60:4d:b1:ca:dc:4f]
[LOCAL] : SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - unsigned,fingerprint (MD5 hash): 36:f4:a7:71:80:aa:3f:18:6a:80:b8:55:0a:8c:1d:a4]

[LOCAL] : SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - signed,May 2000 Standard]
[LOCAL] : RECV : AUTH_SUCCESS
[LOCAL] : SEND[0]: SSH_MSG_CHANNEL_OPEN('session')
[LOCAL] : SEND[0]: Pty Request (rows: 93, cols: 132)
[LOCAL] : RECV[0]: pty request succeeded
[LOCAL] : SEND[0]: x11 forwarding request
[LOCAL] : RECV[0]: x11 request succeeded
[LOCAL] : SEND[0]: shell request
[LOCAL] : RECV[0]: shell request succeeded
Sourcing ~/.env
Fri Apr 6 13:42:29 PDT 2018

#2
04-06-2018, 03:24 PM
ekoranyi
VanDyke Technical Support
Join Date: Jan 2017
Posts: 654
Hi RickVR,

The logs you provided seem to be connecting to two different devices. To help rule out configuration differences between the two servers could you provide a success/failure log from both versions to the same device? I did receive your email as well and will respond there as well. It may be easier to attach logs via email.

I'd like to see if we can rule out simple mix ups like storage4 not having been configured to accept your public key.
__________________
Thanks,
--Eric

VanDyke Software
Technical Support
support@vandyke.com
(505) 332-5730
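
An added example, not part of either post and not VanDyke code: a small Python parser for the trace format shown in this thread that reports the negotiated algorithms and the stage at which public-key authentication stopped. The sample lines are abridged from the two traces above with the fingerprints replaced by `<snip>`; the function name `diagnose` and its stage labels are hypothetical.

```python
import re

# Constructed samples: lines abridged from the two traces in this thread,
# with the key fingerprints replaced by <snip>.
RHEL7_TRACE = """\
[LOCAL] : Selected Send Mac = hmac-sha2-512
[LOCAL] : Changing state from STATE_EXPECT_NEWKEYS to STATE_CONNECTION
[LOCAL] : SENT : USERAUTH_REQUEST [none]
[LOCAL] : RECV : USERAUTH_FAILURE, continuations [publickey,gssapi-keyex,gssapi-with-mic,password]
[LOCAL] : SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - unsigned,fingerprint (MD5 hash): <snip>]
[LOCAL] : RECV : USERAUTH_FAILURE, continuations [publickey,gssapi-keyex,gssapi-with-mic,password]
"""
RHEL6_TRACE = """\
[LOCAL] : Selected Send Mac = hmac-sha2-512
[LOCAL] : Changing state from STATE_EXPECT_NEWKEYS to STATE_CONNECTION
[LOCAL] : SENT : USERAUTH_REQUEST [none]
[LOCAL] : RECV : USERAUTH_FAILURE, continuations [publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive]
[LOCAL] : SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - unsigned,fingerprint (MD5 hash): <snip>]
[LOCAL] : SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - signed,May 2000 Standard]
[LOCAL] : RECV : AUTH_SUCCESS
"""

SELECTED = re.compile(r"Selected (.+?) = (\S+)")
REQUEST = re.compile(r"SENT : USERAUTH_REQUEST \[(?:none|publickey .*? - (unsigned|signed))")

def diagnose(trace):
    """Return (negotiated algorithms, transport_ready, auth stage reached)."""
    negotiated, transport_ready, last_req, stage = {}, False, None, "no-auth-attempt"
    for line in trace.splitlines():
        m = SELECTED.search(line)
        if m:
            negotiated[m.group(1)] = m.group(2)        # e.g. "Send Mac"
        elif "to STATE_CONNECTION" in line:
            transport_ready = True                     # kex and NEWKEYS completed
        elif (m := REQUEST.search(line)):
            last_req = m.group(1) or "none"            # none / unsigned / signed
        elif "AUTH_SUCCESS" in line:
            stage = "authenticated"
        elif "USERAUTH_FAILURE" in line and last_req == "unsigned":
            stage = "key-not-accepted"                 # rejected before any signature
        elif "USERAUTH_FAILURE" in line and last_req == "signed":
            stage = "signature-rejected"
    return negotiated, transport_ready, stage

if __name__ == "__main__":
    for name, trace in (("Redhat 7", RHEL7_TRACE), ("Redhat 6", RHEL6_TRACE)):
        print(name, diagnose(trace))
```

In the Redhat 7 trace the MAC is negotiated and the transport reaches STATE_CONNECTION, and the server then answers the unsigned key query with USERAUTH_FAILURE. Under RFC 4252 a server that finds the key acceptable answers that query with SSH_MSG_USERAUTH_PK_OK, which is what lets the client go on to the signed request seen in the Redhat 6 trace.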