Welcome to the VanDyke Software Forums

  #1  
Old 05-08-2014, 07:37 AM
evoxfan evoxfan is offline
Registered User
 
Join Date: Nov 2012
Posts: 9
SSH2 Key Exchange Failure

I'm getting this key exchange failure when attempting an ssh2 to a far end device. It looks to be the exact problem outlined in this thread, but the solution provided doesn't work for me. I'm running version 7.1.3 x64 on Windows 7 Pro x64.

Here's the info on the far end device. I think it is running Solaris, but I'm not sure.

Device model: Brix 3100
Device serial number: XXXXXXXXX
Monolith image: b3100-x86_64-monolith-11Dec2013.11.5845.b3100
Monolith build date: Wed Dec 11 11:39:19 EST 2013
Monolith revision: 8.2.1
FPGA version: 0x8d
Board version: 0x2
Test module serial number: 716723

Here is my trace options capture:

[LOCAL] : SSH2Core version 7.1.0.378
[LOCAL] : Connecting to XX.XXX.XX.XXX:22 ...
[LOCAL] : Changing state from STATE_NOT_CONNECTED to STATE_EXPECT_KEX_INIT
[LOCAL] : Using protocol SSH2
[LOCAL] : RECV : Remote Identifier = 'SSH-2.0-OpenSSH_4.2'
[LOCAL] : CAP : Remote can re-key
[LOCAL] : CAP : Remote sends language in password change requests
[LOCAL] : CAP : Remote sends algorithm name in PK_OK packets
[LOCAL] : CAP : Remote sends algorithm name in public key packets
[LOCAL] : CAP : Remote sends algorithm name in signatures
[LOCAL] : CAP : Remote sends error text in open failure packets
[LOCAL] : CAP : Remote sends name in service accept packets
[LOCAL] : CAP : Remote includes port number in x11 open packets
[LOCAL] : CAP : Remote uses 160 bit keys for SHA1 MAC
[LOCAL] : CAP : Remote supports new diffie-hellman group exchange messages
[LOCAL] : CAP : Remote correctly handles unknown SFTP extensions
[LOCAL] : CAP : Remote correctly encodes OID for gssapi
[LOCAL] : CAP : Remote correctly uses connected addresses in forwarded-tcpip requests
[LOCAL] : CAP : Remote can do SFTP version 4
[LOCAL] : CAP : Remote x.509v3 uses ASN.1 encoding for DSA signatures
[LOCAL] : CAP : Remote correctly handles zlib@openssh.com
[LOCAL] : SEND : KEXINIT
[LOCAL] : RECV : Read kexinit
[LOCAL] : Available Remote Kex Methods = diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
[LOCAL] : Selected Kex Method = diffie-hellman-group1-sha1
[LOCAL] : Available Remote Host Key Algos = ssh-rsa,ssh-dss
[LOCAL] : Selected Host Key Algo = ssh-dss
[LOCAL] : Available Remote Send Ciphers = aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
[LOCAL] : Selected Send Cipher = aes256-ctr
[LOCAL] : Available Remote Recv Ciphers = aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
[LOCAL] : Selected Recv Cipher = aes256-ctr
[LOCAL] : Available Remote Send Macs = hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
[LOCAL] : Selected Send Mac = hmac-sha1
[LOCAL] : Available Remote Recv Macs = hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
[LOCAL] : Selected Recv Mac = hmac-sha1
[LOCAL] : Available Remote Compressors = none,zlib@openssh.com
[LOCAL] : Selected Compressor = none
[LOCAL] : Available Remote Decompressors = none,zlib@openssh.com
[LOCAL] : Selected Decompressor = none
[LOCAL] : Changing state from STATE_EXPECT_KEX_INIT to STATE_KEY_EXCHANGE
[LOCAL] : SEND : KEXDH_INIT
[LOCAL] : RECV: TCP/IP close
[LOCAL] : Changing state from STATE_KEY_EXCHANGE to STATE_CLOSED
[LOCAL] : Connected for 0 seconds, 611 bytes sent, 724 bytes received
[LOCAL] : Stream has closed [CLOSE_TYPE_NONSPECIFIC] : Connection closed.
SecureCRT - Version 7.1.3 (x64 build 378)

Connection closed.

Last edited by evoxfan; 05-08-2014 at 08:33 AM. Reason: Remove possible sensitive data
  #2  
Old 05-08-2014, 08:44 AM
rtb rtb is offline
VanDyke Technical Support
 
Join Date: Aug 2008
Posts: 4,306
Hi evoxfan,

This doesn't really look like the same issue. Are you able to connect to the device using any other SSH client?
__________________
--Todd

VanDyke Software
Technical Support
support@vandyke.com
505-332-5730
  #3  
Old 05-08-2014, 08:56 AM
evoxfan evoxfan is offline
Registered User
 
Join Date: Nov 2012
Posts: 9
Yes, I can connect using PuTTY.
  #4  
Old 05-08-2014, 09:06 AM
rtb rtb is offline
VanDyke Technical Support
 
Join Date: Aug 2008
Posts: 4,306
Hi evoxfan,

Here you can see what host key algorithm SecureCRT is choosing:
[LOCAL] : Available Remote Host Key Algos = ssh-rsa,ssh-dss
[LOCAL] : Selected Host Key Algo = ssh-dss
If you log your PuTTY connection, what host key algorithm is being chosen?
  #5  
Old 05-08-2014, 09:15 AM
evoxfan evoxfan is offline
Registered User
 
Join Date: Nov 2012
Posts: 9
Here are the key exchange lines from the PuTTY log.

Event Log: Using SSH protocol version 2
Incoming packet type 20 / 0x14 (SSH2_MSG_KEXINIT)

Event Log: Using SSH protocol version 2
Incoming packet type 20 / 0x14 (SSH2_MSG_KEXINIT)
00000000 00 00 08 00 ....
Incoming packet type 31 / 0x1f (SSH2_MSG_KEX_DH_GEX_GROUP)

00000000 00 00 08 00 ....
Incoming packet type 31 / 0x1f (SSH2_MSG_KEX_DH_GEX_GROUP)

Incoming packet type 33 / 0x21 (SSH2_MSG_KEX_DH_GEX_REPLY)

Event Log: Host key fingerprint is:
Event Log: ssh-rsa 2048 50:ea:90:20:35:e2:c5:19:5a:bf:31:3e:10:db:1d:59
Outgoing packet type 21 / 0x15 (SSH2_MSG_NEWKEYS)
Event Log: Initialised AES-256 SDCTR client->server encryption
Event Log: Initialised HMAC-SHA1 client->server MAC algorithm
Incoming packet type 21 / 0x15 (SSH2_MSG_NEWKEYS)
Event Log: Initialised AES-256 SDCTR server->client encryption
Event Log: Initialised HMAC-SHA1 server->client MAC algorithm
Outgoing packet type 5 / 0x05 (SSH2_MSG_SERVICE_REQUEST)

Incoming packet type 6 / 0x06 (SSH2_MSG_SERVICE_ACCEPT)

Outgoing packet type 50 / 0x32 (SSH2_MSG_USERAUTH_REQUEST)

Event Log: Sent password
Incoming packet type 52 / 0x34 (SSH2_MSG_USERAUTH_SUCCESS)
Event Log: Access granted
Outgoing packet type 90 / 0x5a (SSH2_MSG_CHANNEL_OPEN)

Incoming packet type 91 / 0x5b (SSH2_MSG_CHANNEL_OPEN_CONFIRMATION)

Incoming packet type 91 / 0x5b (SSH2_MSG_CHANNEL_OPEN_CONFIRMATION)
  #6  
Old 05-08-2014, 09:55 AM
evoxfan evoxfan is offline
Registered User
 
Join Date: Nov 2012
Posts: 9
Here's a screenshot of the PuTTY key exchange settings.
Attached image: putty.png
  #7  
Old 05-08-2014, 02:21 PM
rtb rtb is offline
VanDyke Technical Support
 
Join Date: Aug 2008
Posts: 4,306
Hi evoxfan,

In the PuTTY log, you don't see where it selects ssh-rsa, but you can see the following indicating that ssh-rsa was selected:
Event Log: ssh-rsa 2048 50:ea:90:20:35:e2:c5:19:5a:bf:31:3e:10:db:1d:59

We have seen issues with some SSH servers which advertise that they support ssh-dss, but don't really support it. This could be a configuration issue or a bug in the server.

SecureCRT prefers ssh-dss, and if a server advertises that it supports it, SecureCRT will select it.

It is possible to configure SecureCRT to prefer ssh-rsa, but in your version a registry change is required.
WARNING:
If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
Here is the information to edit the registry so SecureCRT will prefer ssh-rsa:
Path: HKEY_CURRENT_USER\Software\Policies\VanDyke
Key (REG_SZ) Name: "Host Key Algorithms"

Value: comma-separated, ordered list (no spaces) of algorithms our clients will support.
For example:
ssh-rsa, ssh-dss, x509v3-sign-rsa, x509v3-sign-dss
Does this help to resolve the issue?
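Why the order of the client's list decides the outcome, as an added example (not VanDyke code, and not part of the original post): it applies the first-match rule for SSH name-lists to the server list from the trace in post #1 and builds a space-free value for the "Host Key Algorithms" setting. The function names and the DSS-first client order are assumptions; the thread does not give SecureCRT's full default list or say how it treats whitespace in the registry value.

```python
import string

# Server's list as advertised in the SecureCRT trace in post #1.
SERVER_HOST_KEY_ALGOS = "ssh-rsa,ssh-dss"
# Constructed client orders: the thread says SecureCRT prefers ssh-dss but
# does not give its full default list, so DSS_FIRST is an assumption.
DSS_FIRST = "ssh-dss,ssh-rsa,x509v3-sign-rsa,x509v3-sign-dss"
RSA_FIRST = "ssh-rsa,ssh-dss,x509v3-sign-rsa,x509v3-sign-dss"

# RFC 4251 section 6: names are printable US-ASCII, 1..64 characters, and
# contain no comma, whitespace or control characters.
_ALLOWED = set(string.ascii_letters + string.digits + string.punctuation) - {","}

def parse_name_list(value):
    """Split an SSH name-list and reject any name that breaks those rules."""
    names = value.split(",")
    for name in names:
        if not 1 <= len(name) <= 64 or not set(name) <= _ALLOWED:
            raise ValueError(f"invalid algorithm name {name!r} in {value!r}")
    return names

def select_host_key_algo(client_value, server_value):
    """Return the first name on the client's list that the server also lists.

    Simplified from RFC 4253 section 7.1, which additionally requires the
    host key type to suit the chosen key exchange method.
    """
    server = set(parse_name_list(server_value))
    for name in parse_name_list(client_value):
        if name in server:
            return name
    return None  # no common algorithm: negotiation fails

def policy_value(names):
    """Build the ordered, comma-separated, space-free registry string."""
    for name in names:
        if parse_name_list(name) != [name]:  # a comma hidden inside one name
            raise ValueError(f"name contains a comma: {name!r}")
    return ",".join(names)

if __name__ == "__main__":
    for label, order in (("dss first", DSS_FIRST), ("rsa first", RSA_FIRST)):
        print(label, "->", select_host_key_algo(order, SERVER_HOST_KEY_ALGOS))
```

With the server list unchanged, moving ssh-rsa to the front of the client's list is enough to change the selected algorithm from ssh-dss to ssh-rsa.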
  #8  
Old 05-08-2014, 02:26 PM
evoxfan evoxfan is offline
Registered User
 
Join Date: Nov 2012
Posts: 9
Quote:
Originally Posted by rtb
Path: HKEY_CURRENT_USER\Software\Policies\VanDyke
Key (REG_SZ) Name: "Host Key Algorithms"

Value: comma-separated, ordered list (no spaces) of algorithms our clients will support.
For example:
ssh-rsa, ssh-dss, x509v3-sign-rsa, x509v3-sign-dss
Does this help to resolve the issue?
I don't see a VanDyke folder at this location in my registry. The only folders I have are "Microsoft" and "Power". Should I create it?
  #9  
Old 05-08-2014, 03:01 PM
evoxfan evoxfan is offline
Registered User
 
Join Date: Nov 2012
Posts: 9
I created this key and it now works. Thanks for the workaround solution!
  #10  
Old 05-08-2014, 03:03 PM
rtb rtb is offline
VanDyke Technical Support
 
Join Date: Aug 2008
Posts: 4,306
Hi evoxfan,

I was just about to reply that you need to create the VanDyke folder, and you beat me to the post.

I am glad to hear that you are now able to connect to the server using SecureCRT.
  #11  
Old 07-11-2019, 09:13 PM
dev_singh2487 dev_singh2487 is offline
Registered User
 
Join Date: Jul 2019
Posts: 3
Unable to use ssh

Unable to use SSH to my Cisco routers. PuTTY works fine.


version 6.6.3
  #12  
Old 07-12-2019, 08:27 AM
bgagnon bgagnon is offline
VanDyke Technical Support
 
Join Date: Oct 2008
Posts: 4,046
Hi dev_singh2487,

Sorry, but "unable to use SSH" does not provide enough info.

Is it a connection error?

Or an authentication error?

Or a key exchange error as the title of the forum thread suggests?

What error are you getting?
__________________
Thanks,
--Brenda

VanDyke Software
Technical Support
support@vandyke.com
(505) 332-5730
  #13  
Old 07-12-2019, 08:50 AM
dev_singh2487 dev_singh2487 is offline
Registered User
 
Join Date: Jul 2019
Posts: 3
Trace logs

This is what I get

SecureCRT - Version 6.6.3 (x64 build 412)
[LOCAL] : SSH2Core version 6.6.0.412
[LOCAL] : Connecting to 10.200.190.13:22 ...
[LOCAL] : Changing state from STATE_NOT_CONNECTED to STATE_EXPECT_KEX_INIT
[LOCAL] : Using protocol SSH2
[LOCAL] : RECV : Remote Identifier = 'SSH-2.0-Cisco-1.25'
[LOCAL] : CAP : Remote can re-key
[LOCAL] : CAP : Remote sends language in password change requests
[LOCAL] : CAP : Remote sends algorithm name in PK_OK packets
[LOCAL] : CAP : Remote sends algorithm name in public key packets
[LOCAL] : CAP : Remote sends algorithm name in signatures
[LOCAL] : CAP : Remote sends error text in open failure packets
[LOCAL] : CAP : Remote sends name in service accept packets
[LOCAL] : CAP : Remote includes port number in x11 open packets
[LOCAL] : CAP : Remote uses 160 bit keys for SHA1 MAC
[LOCAL] : CAP : Remote supports new diffie-hellman group exchange messages
[LOCAL] : CAP : Remote correctly handles unknown SFTP extensions
[LOCAL] : CAP : Remote correctly encodes OID for gssapi
[LOCAL] : CAP : Remote correctly uses connected addresses in forwarded-tcpip requests
[LOCAL] : CAP : Remote can do SFTP version 4
[LOCAL] : CAP : Remote uses SHA1 hash in RSA signatures for x.509v3
[LOCAL] : CAP : Remote x.509v3 uses ASN.1 encoding for DSA signatures
[LOCAL] : SSPI : Requesting full delegation
[LOCAL] : SSPI : [Kerberos] SPN : host@10.200.190.13
[LOCAL] : SSPI : [Kerberos] InitializeSecurityContext() failed.
[LOCAL] : SSPI : [Kerberos] The specified target is unknown or unreachable
[LOCAL] : SSPI : [Kerberos] Disabling gss mechanism
[LOCAL] : GSS : Requesting full delegation
[LOCAL] : GSS : [Kerberos] SPN : host@10.200.190.13
[LOCAL] : GSS : [Kerberos] InitializeSecurityContext() failed.
[LOCAL] : GSS : [Kerberos] Could not load library 'gssapi64.dll': The specified module could not be found.
[LOCAL] : GSS : [Kerberos] Disabling gss mechanism
[LOCAL] : GSS : [Kerberos] Disabling gss mechanism
[LOCAL] : The following key exchange method has been filtered from the key exchange method list because it is not supported: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==
[LOCAL] : SSPI : Requesting full delegation
[LOCAL] : SSPI : [Kerberos (Group Exchange)] SPN : host@10.200.190.13
[LOCAL] : SSPI : [Kerberos (Group Exchange)] InitializeSecurityContext() failed.
[LOCAL] : SSPI : [Kerberos (Group Exchange)] The specified target is unknown or unreachable
[LOCAL] : SSPI : [Kerberos (Group Exchange)] Disabling gss mechanism
[LOCAL] : GSS : Requesting full delegation
[LOCAL] : GSS : [Kerberos (Group Exchange)] SPN : host@10.200.190.13
[LOCAL] : GSS : [Kerberos (Group Exchange)] InitializeSecurityContext() failed.
[LOCAL] : GSS : [Kerberos (Group Exchange)] Could not load library 'gssapi64.dll': The specified module could not be found.
[LOCAL] : GSS : [Kerberos (Group Exchange)] Disabling gss mechanism
[LOCAL] : GSS : [Kerberos (Group Exchange)] Disabling gss mechanism
[LOCAL] : The following key exchange method has been filtered from the key exchange method list because it is not supported: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==
[LOCAL] : SEND : KEXINIT
[LOCAL] : RECV : Read kexinit
[LOCAL] : Available Remote Kex Methods = diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
[LOCAL] : Selected Kex Method = diffie-hellman-group-exchange-sha1
[LOCAL] : Available Remote Host Key Algos = ssh-rsa
[LOCAL] : Selected Host Key Algo = ssh-rsa
[LOCAL] : Available Remote Send Ciphers = aes128-ctr,aes256-ctr
[LOCAL] : Selected Send Cipher = aes256-ctr
[LOCAL] : Available Remote Recv Ciphers = aes128-ctr,aes256-ctr
[LOCAL] : Selected Recv Cipher = aes256-ctr
[LOCAL] : Available Remote Send Macs = hmac-sha1
[LOCAL] : Selected Send Mac = hmac-sha1
[LOCAL] : Available Remote Recv Macs = hmac-sha1
[LOCAL] : Selected Recv Mac = hmac-sha1
[LOCAL] : Available Remote Compressors = none
[LOCAL] : Selected Compressor = none
[LOCAL] : Available Remote Decompressors = none
[LOCAL] : Selected Decompressor = none
[LOCAL] : Changing state from STATE_EXPECT_KEX_INIT to STATE_KEY_EXCHANGE
[LOCAL] : SEND : KEXDH_GEX_REQUEST
[LOCAL] : Stream has closed [CLOSE_TYPE_NONSPECIFIC] : The operation completed successfully.
[LOCAL] : RECV: TCP/IP close
[LOCAL] : Changing state from STATE_KEY_EXCHANGE to STATE_CLOSED
[LOCAL] : Connected for 0 seconds, 635 bytes sent, 227 bytes received
  #14  
Old 07-12-2019, 09:58 AM
bgagnon bgagnon is offline
VanDyke Technical Support
 
Join Date: Oct 2008
Posts: 4,046
Hi dev_singh2487,

Note that SecureCRT *receives* the TCP/IP close from the remote:

[LOCAL] : RECV: TCP/IP close

Version 6.6 is at least 10 years old. What are your results with the current version, 8.5.4?
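A small triage helper for traces like the two posted in this thread, added as an example (it is not VanDyke code or output): it reports the state and the last client message at the point where the remote closed the connection, and lists what the server advertised but SecureCRT did not select. The function name and result keys are hypothetical; the sample lines are trimmed from the posted traces.

```python
# Lines trimmed from the two SecureCRT traces posted in this thread.
BRIX_TRACE = """\
[LOCAL] : Available Remote Kex Methods = diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
[LOCAL] : Selected Kex Method = diffie-hellman-group1-sha1
[LOCAL] : Available Remote Host Key Algos = ssh-rsa,ssh-dss
[LOCAL] : Selected Host Key Algo = ssh-dss
[LOCAL] : Changing state from STATE_EXPECT_KEX_INIT to STATE_KEY_EXCHANGE
[LOCAL] : SEND : KEXDH_INIT
[LOCAL] : RECV: TCP/IP close
"""
CISCO_TRACE = """\
[LOCAL] : Available Remote Kex Methods = diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
[LOCAL] : Selected Kex Method = diffie-hellman-group-exchange-sha1
[LOCAL] : Available Remote Host Key Algos = ssh-rsa
[LOCAL] : Selected Host Key Algo = ssh-rsa
[LOCAL] : Changing state from STATE_EXPECT_KEX_INIT to STATE_KEY_EXCHANGE
[LOCAL] : SEND : KEXDH_GEX_REQUEST
[LOCAL] : RECV: TCP/IP close
"""

def triage(trace):
    """Summarise where a trace ended and what else the server advertised."""
    offered, selected = {}, {}
    result = {"state": None, "last_sent": None, "remote_closed": False}
    for line in trace.splitlines():
        body = line.partition("] : ")[2]
        if body.startswith("Available Remote "):
            kind, _, names = body[len("Available Remote "):].partition(" = ")
            offered[kind.rstrip("s")] = names.split(",")  # "Algos" -> "Algo"
        elif body.startswith("Selected "):
            kind, _, name = body[len("Selected "):].partition(" = ")
            selected[kind] = name
        elif body.startswith("Changing state from "):
            result["state"] = body.rpartition(" to ")[2]
        elif body.startswith("SEND : "):
            result["last_sent"] = body[len("SEND : "):]
        elif body.startswith("RECV: TCP/IP close"):
            result["remote_closed"] = True
            break  # keep state and last message as they were at the close
    # Advertised by the server but not picked by the client: candidates to
    # try by reordering the client's preference list.
    untried = {kind: [n for n in offered.get(kind, []) if n != name]
               for kind, name in selected.items()}
    result.update(selected=selected, untried=untried)
    return result

if __name__ == "__main__":
    print(triage(BRIX_TRACE), triage(CISCO_TRACE), sep="\n")
```

An "untried" entry is only a candidate for reordering the client's preferences; it does not by itself establish why the remote closed the connection.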
  #15  
Old 07-12-2019, 09:59 AM
dev_singh2487 dev_singh2487 is offline
Registered User
 
Join Date: Jul 2019
Posts: 3
SSH issue

Works well with newer version. Will get an upgrade. Thanks.
All times are GMT -6.