Intermittent error "gsskex integrity failure"

EpaL
Guest

Hi,

I have just recently built a new Sun T5220 server with Solaris 10 running SSH-2.0-Sun_SSH_1.1. Unfortunately I'm receiving these strange errors when trying to connect with WinSCP using SFTP:

"gsskex integrity failure"

The errors don't always occur - sometimes it works fine.

Is there a log file or some other diagnostic I can send over that might help isolate the cause?

Many thanks in advance.

Guest

Re: Intermittent error "gsskex integrity failure"

martin wrote:

What version of WinSCP are you using?

4.1.5 (Build 410)

Guest

Hi again,

It looks like I've found a workaround for this. Edit the session and go to "Key Exchange" and move the "Diffie-Hellman group xxxx" lines to the top. This seems to fix the problem.

Cheers,
Ed

martin
Site Admin

It looks like I've found a workaround for this. Edit the session and go to "Key Exchange" and move the "Diffie-Hellman group xxxx" lines to the top. This seems to fix the problem.
Thanks for sharing this.

martin
Site Admin

I get the same error and your fix solves the problem in GUI mode. How do I fix it when I script a connection?
Please read FAQ. If that does not help, come back.

Crabece
Guest

gsskex integrity failure in script mode

I got the same error as the previous Guest using a script connection and I'm not able to solve it after some research.
Here is the command.bat that I tried:

option batch on
option confirm off
open sftp://User@dns.name.of.the.server:22 -hostkey="ssh-dss 1024 11:22:33:44:63:03:ae:b3:3c:bf:c7:14:d0:67:be:6c" -privatekey="C:\PathoftheKey\Key.ppk"
cd /RemoteServerpath/
option transfer binary
get FileName.XML C:\PathWhereTheFileWillbePut\File.XML
close
exit

=> This is OK. But I have the famous : 2012-10-09 13:42:36.183 gsskex integrity failure in the log.


So I tried the following :

option batch on
option confirm off
open sftp://User@dns.name.of.the.server:22 -hostkey="ssh-dss 1024 11:22:33:44:63:03:ae:b3:3c:bf:c7:14:d0:67:be:6c" -privatekey="C:\PathoftheKey\Key.ppk" -rawsettings="KEX=dh-gex-sha1,gssapi-gex,gssapi-group14,gssapi-group1,dh-group14-sha1,dh-group1-sha1,WARN"
cd /RemoteServerpath/
option transfer binary
get FileName.XML C:\PathWhereTheFileWillbePut\File.XML
close
exit

=> This does not work... It exits the console without leaving any message in the .log file.

I found the -rawsettings option by generating a new session and checking the .ini file, which gave me the following:
[Sessions\User@dns.name.of.the.server]
HostName=dns.name.of.the.server
KEX=dh-gex-sha1,gssapi-gex,gssapi-group14,gssapi-group1,dh-group14-sha1,dh-group1-sha1,WARN
UserName=User
PublicKeyFile=C:\PathoftheKey\Key.ppk

Any clues anyone?
NB: I changed the files and server names/path but the script has been tested and works well except for the gsskex integrity failure for this specific server

Crabece
Guest

Re: gsskex integrity failure in script mode

I can provide you the full connection log of the gsskex integrity failure (with the script that does NOT have the -rawsettings parameter).

I saw it seems to be using the "Diffie-Hellman group exchange" algorithm for key exchange, so I might be wrong about the source of the issue...

Here is the full log:

. 2012-10-09 13:42:35.667 --------------------------------------------------------------------------
. 2012-10-09 13:42:35.667 WinSCP Version 4.1.9 (Build 416) (OS 5.1.2600 Service Pack 3)
. 2012-10-09 13:42:35.667 Login time: Tuesday, October 09, 2012 1:42:35 PM
. 2012-10-09 13:42:35.667 --------------------------------------------------------------------------
. 2012-10-09 13:42:35.667 Session name: User@dns.name.of.the.server
. 2012-10-09 13:42:35.667 Host name: dns.name.of.the.server (Port: 22)
. 2012-10-09 13:42:35.667 User name: User (Password: No, Key file: Yes)
. 2012-10-09 13:42:35.667 Tunnel: No
. 2012-10-09 13:42:35.667 Transfer Protocol: SFTP
. 2012-10-09 13:42:35.667 Ping type: -, Ping interval: 30 sec; Timeout: 15 sec
. 2012-10-09 13:42:35.667 Proxy: none
. 2012-10-09 13:42:35.667 SSH protocol version: 2; Compression: No
. 2012-10-09 13:42:35.667 Bypass authentication: No
. 2012-10-09 13:42:35.667 Try agent: Yes; Agent forwarding: No; TIS/CryptoCard: No; KI: Yes; GSSAPI: No
. 2012-10-09 13:42:35.667 Ciphers: aes,blowfish,3des,WARN,arcfour,des; Ssh2DES: No
. 2012-10-09 13:42:35.667 SSH Bugs: -,-,-,-,-,-,-,-
. 2012-10-09 13:42:35.667 SFTP Bugs: -,-
. 2012-10-09 13:42:35.667 Return code variable: Autodetect; Lookup user groups: Yes
. 2012-10-09 13:42:35.667 Shell: default, EOL: 0
. 2012-10-09 13:42:35.667 Clear aliases: Yes, Unset nat.vars: Yes, Resolve symlinks: Yes
. 2012-10-09 13:42:35.667 LS: ls -la, Ign LS warn: Yes, Scp1 Comp: No
. 2012-10-09 13:42:35.667 Local directory: default, Remote directory: home, Update: No, Cache: Yes
. 2012-10-09 13:42:35.667 Cache directory changes: Yes, Permanent: Yes
. 2012-10-09 13:42:35.667 DST mode: 1
. 2012-10-09 13:42:35.667 --------------------------------------------------------------------------
. 2012-10-09 13:42:35.667 Looking up host "dns.name.of.the.server"
. 2012-10-09 13:42:35.667 Connecting to IP.Address.Of.Server port 22
. 2012-10-09 13:42:35.808 Server version: SSH-2.0-WRQReflectionforSecureIT_7.2.1 Build 736
. 2012-10-09 13:42:35.808 We claim version: SSH-2.0-WinSCP_release_4.1.9
. 2012-10-09 13:42:35.808 SSPI: acquired credentials for: MyADUserName@AD.Domain.Name
. 2012-10-09 13:42:35.808 Constructed service principal name 'host/dns.name.of.the.server'
. 2012-10-09 13:42:35.808 Enabling GSSKEX for this target
. 2012-10-09 13:42:35.808 Using SSH protocol version 2
. 2012-10-09 13:42:35.808 Doing Diffie-Hellman group exchange
. 2012-10-09 13:42:36.058 Doing Diffie-Hellman key exchange with hash SHA-1
. 2012-10-09 13:42:36.105 SSPI: acquired credentials for: MyADUserName@AD.Domain.Name
. 2012-10-09 13:42:36.105 Constructed service principal name 'host/dns.name.of.the.server'
. 2012-10-09 13:42:36.183 VerifySignature: The message or signature supplied for verification has been altered

. 2012-10-09 13:42:36.183 gsskex integrity failure


Any help?

Crabece
Guest

Re: gsskex integrity failure in script mode

FYI I updated my WinSCP version to 5.1.0 and this solved the problem.
I hope this helps.
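
Added example (not part of any post in this thread, and not WinSCP code): a Python sketch that triages a WinSCP session log for the GSSAPI key-exchange failure discussed above, and reorders a KEX preference string so the plain Diffie-Hellman methods come before the gssapi-* ones, as in the GUI workaround. The function names are hypothetical; the sample lines are copied from the log quoted in the thread.

```python
import re

# Lines copied from the session log quoted in the thread.
SAMPLE_LOG = """\
. 2012-10-09 13:42:35.808 Server version: SSH-2.0-WRQReflectionforSecureIT_7.2.1 Build 736
. 2012-10-09 13:42:35.808 We claim version: SSH-2.0-WinSCP_release_4.1.9
. 2012-10-09 13:42:35.808 Enabling GSSKEX for this target
. 2012-10-09 13:42:35.808 Doing Diffie-Hellman group exchange
. 2012-10-09 13:42:36.183 VerifySignature: The message or signature supplied for verification has been altered

. 2012-10-09 13:42:36.183 gsskex integrity failure
"""

# One log record: marker character, timestamp, message text.
LINE = re.compile(r"^\S\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(.*)$")

def triage(log_text):
    """Collect the key-exchange facts of one session log (hypothetical helper)."""
    facts = {"server": None, "client": None, "gsskex_enabled": False,
             "kex_steps": [], "failed_at": None}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # blank lines and anything that is not a log record
        ts, msg = m.groups()
        if msg.startswith("Server version: "):
            facts["server"] = msg.split(": ", 1)[1]
        elif msg.startswith("We claim version: "):
            facts["client"] = msg.split(": ", 1)[1]
        elif msg == "Enabling GSSKEX for this target":
            facts["gsskex_enabled"] = True
        elif msg.startswith("Doing Diffie-Hellman"):
            facts["kex_steps"].append(msg)
        elif msg == "gsskex integrity failure":
            facts["failed_at"] = ts
    return facts

def prefer_plain_dh(kex):
    """Move gssapi-* methods below the other methods, keeping relative order.
    Entries from WARN onward are left where they are."""
    items = [i.strip() for i in kex.split(",") if i.strip()]
    cut = items.index("WARN") if "WARN" in items else len(items)
    head, tail = items[:cut], items[cut:]
    plain = [i for i in head if not i.startswith("gssapi-")]
    gss = [i for i in head if i.startswith("gssapi-")]
    return ",".join(plain + gss + tail)

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
    print(prefer_plain_dh("dh-gex-sha1,gssapi-gex,gssapi-group14,gssapi-group1,"
                          "dh-group14-sha1,dh-group1-sha1,WARN"))
```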
