SFTP connection to Huawei S5720 fail with : Signature from server's host key is invalid

Advertisement

valfredini
Donor
Joined:
Posts:
6
Location:
Italy

SFTP connection to Huawei S5720 fail with : Signature from server's host key is invalid

I am using WinSCP version 6.3.3 (Build 14916 2024-0416) on windows 11.
I followed the Huawei doc in order to enable SFTP on the switch HUAWEI S5720 other connection to HPE switch work correctly.

The problem is with the host key (one line from the log file i atthached) :
Doing Diffie-Hellman key exchange using 2048-bit modulus and hash SHA-1 with standard group "group14"
T tried to generate a 1024 bit key in case WinSCP cannot handle this key but RSA key in Huawei can only be 2048 bits, see below
[SW_WH1_RK_A]rsa local-key-pair create 
The key name will be: SW_WH1_RK_A_Host
% RSA keys defined for SW_WH1_RK_A_Host already exist.
Confirm to replace them? [y/n]:y
The range of public key size is (2048 ~ 2048). 
NOTES: If the key modulus is greater than 512, 
       it will take a few minutes.
Input the bits in the modulus[default = 2048]:
Generating keys...
The WinSCP log level 2 advance debug mode is here below

Looking forward to know about what kind of error I am doing.

Thanks in advance.

Reply with quote

Advertisement

martin
Site Admin
martin avatar
Joined:
Posts:
41,276
Location:
Prague, Czechia

Re: sftp connection to HUAWEI S5720 fail with : Signature from server's host key is invalid

Can you connect to your SFTP server using any other SFTP/SSH client? Post its log file, if you can.

Reply with quote

valfredini
Donor
Joined:
Posts:
6
Location:
Italy

Re: sftp connection to HUAWEI S5720 fail with : Signature from server's host key is invalid

Here you are i attached the log file of SecureCRT take alook of it but as far as i can see :
LOCAL] : SSH2Core version 9.5.2.3325 
[LOCAL] : Connecting to 10.41.210.240:22 ... 
[LOCAL] : Changing state from STATE_NOT_CONNECTED to STATE_EXPECT_KEX_INIT 
SecureCRT - Version 9.5.2 (x64 build 3325) Serial Number 03-91-000511
[LOCAL] : Using protocol SSH2 
[LOCAL] : RECV : Remote Identifier = 'SSH-2.0--' 
[LOCAL] : CAP  : Remote can re-key 
[LOCAL] : CAP  : Remote sends language in password change requests 
[LOCAL] : CAP  : Remote sends algorithm name in PK_OK packets 
[LOCAL] : CAP  : Remote sends algorithm name in public key packets 
[LOCAL] : CAP  : Remote sends algorithm name in signatures 
[LOCAL] : CAP  : Remote sends error text in open failure packets 
[LOCAL] : CAP  : Remote sends name in service accept packets 
[LOCAL] : CAP  : Remote includes port number in x11 open packets 
[LOCAL] : CAP  : Remote uses 160 bit keys for SHA1 MAC 
[LOCAL] : CAP  : Remote supports new diffie-hellman group exchange messages 
[LOCAL] : CAP  : Remote correctly handles unknown SFTP extensions 
[LOCAL] : CAP  : Remote correctly encodes OID for gssapi 
[LOCAL] : CAP  : Remote correctly uses connected addresses in forwarded-tcpip requests 
[LOCAL] : CAP  : Remote can do SFTP version 4 
[LOCAL] : CAP  : Remote uses SHA1 hash in RSA signatures for x.509v3 
[LOCAL] : CAP  : Remote x.509v3 uses ASN.1 encoding for DSA signatures 
[LOCAL] : CAP  : Remote correctly handles zlib@openssh.com 
[LOCAL] : SSPI : Requesting full delegation 
[LOCAL] : SSPI : [Kerberos] SPN : host@10.41.210.240 
[LOCAL] : SSPI : [Kerberos] InitializeSecurityContext() failed. 
[LOCAL] : SSPI : [Kerberos] Destinazione specificata sconosciuta o non raggiungibile  
[LOCAL] : SSPI : [Kerberos] Disabling gss mechanism 
[LOCAL] : GSS  : Requesting full delegation 
[LOCAL] : GSS  : [Kerberos] SPN : host@10.41.210.240 
[LOCAL] : GSS  : [Kerberos] InitializeSecurityContext() failed. 
[LOCAL] : GSS  : [Kerberos] Could not load library 'gssapi64.dll': Impossibile trovare il modulo specificato.   
[LOCAL] : GSS  : [Kerberos] Disabling gss mechanism 
[LOCAL] : GSS  : [Kerberos] Disabling gss mechanism 
[LOCAL] : The following key exchange method has been filtered from the key exchange method list because it is not supported: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==  
[LOCAL] : SSPI : Requesting full delegation 
[LOCAL] : SSPI : [Kerberos (Group Exchange)] SPN : host@10.41.210.240 
[LOCAL] : SSPI : [Kerberos (Group Exchange)] InitializeSecurityContext() failed. 
[LOCAL] : SSPI : [Kerberos (Group Exchange)] Destinazione specificata sconosciuta o non raggiungibile  
[LOCAL] : SSPI : [Kerberos (Group Exchange)] Disabling gss mechanism 
[LOCAL] : GSS  : Requesting full delegation 
[LOCAL] : GSS  : [Kerberos (Group Exchange)] SPN : host@10.41.210.240 
[LOCAL] : GSS  : [Kerberos (Group Exchange)] InitializeSecurityContext() failed. 
[LOCAL] : GSS  : [Kerberos (Group Exchange)] Could not load library 'gssapi64.dll': Impossibile trovare il modulo specificato.   
[LOCAL] : GSS  : [Kerberos (Group Exchange)] Disabling gss mechanism 
[LOCAL] : GSS  : [Kerberos (Group Exchange)] Disabling gss mechanism 
[LOCAL] : The following key exchange method has been filtered from the key exchange method list because it is not supported: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==  
[LOCAL] : SEND : KEXINIT 
[LOCAL] : RECV : Read kexinit 
[LOCAL] : Available Local Kex Methods = diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha256,ext-info-c,kex-strict-c-v00@openssh.com 
[LOCAL] : Available Remote Kex Methods = diffie-hellman-group14-sha1 
[LOCAL] : Selected Kex Method = diffie-hellman-group14-sha1 
[LOCAL] : Available Local Host Key Algos = ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ssh-ed25519,x509v3-rsa2048-sha256,x509v3-ssh-rsa,x509v3-sign-rsa,x509v3-ssh-dss,x509v3-sign-dss,x509v3-ecdsa-sha2-nistp256,x509v3-ecdsa-sha2-nistp384,x509v3-ecdsa-sha2-nistp521,ssh-rsa,ssh-dss 
[LOCAL] : Available Remote Host Key Algos = ecdsa-sha2-nistp521,ssh-dss,ssh-rsa 
[LOCAL] : Selected Host Key Algo = ecdsa-sha2-nistp521 
[LOCAL] : Available Local Send Ciphers = aes256-cbc,aes192-cbc,aes128-cbc,twofish-cbc,3des-cbc,aes256-ctr,aes192-ctr,aes128-ctr 
[LOCAL] : Available Remote Send Ciphers = aes128-ctr,aes256-cbc,aes128-cbc 
[LOCAL] : Selected Send Cipher = aes256-cbc 
[LOCAL] : Available Local Recv Ciphers = aes256-cbc,aes192-cbc,aes128-cbc,twofish-cbc,3des-cbc,aes256-ctr,aes192-ctr,aes128-ctr 
[LOCAL] : Available Remote Recv Ciphers = aes128-ctr,aes256-cbc,aes128-cbc 
[LOCAL] : Selected Recv Cipher = aes256-cbc 
[LOCAL] : Available Local Send Macs = hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,umac-64@openssh.com 
[LOCAL] : Available Remote Send Macs = hmac-sha2-256,hmac-sha2-256-96,hmac-sha1,hmac-md5 
[LOCAL] : Selected Send Mac = hmac-sha2-256 
[LOCAL] : Available Local Recv Macs = hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,umac-64@openssh.com 
[LOCAL] : Available Remote Recv Macs = hmac-sha2-256,hmac-sha2-256-96,hmac-sha1,hmac-md5 
[LOCAL] : Selected Recv Mac = hmac-sha2-256 
[LOCAL] : Available Local Compressors = zlib,none 
[LOCAL] : Available Remote Compressors = none,zlib 
[LOCAL] : Selected Compressor = zlib 
[LOCAL] : Available Local Decompressors = zlib,none 
[LOCAL] : Available Remote Decompressors = none,zlib 
[LOCAL] : Selected Decompressor = zlib 
[LOCAL] : Changing state from STATE_EXPECT_KEX_INIT to STATE_KEY_EXCHANGE 
[LOCAL] : SEND : KEXDH_INIT 
[LOCAL] : RECV : KEXDH_REPLY 
[LOCAL] : Changing state from STATE_KEY_EXCHANGE to STATE_READY_FOR_NEW_KEYS 
[LOCAL] : RECV: Remote Hostkey ecdsa-sha2-nistp521 521 (SHA-2 hash hex): c8:01:48:e9:04:89:77:fe:e1:24:8e:61:61:a3:a6:9e:2a:c3:c6:2c:28:e7:4b:15:ee:64:0e:d0:52:45:b9:92 
[LOCAL] : RECV: Remote Hostkey ecdsa-sha2-nistp521 521 (SHA-2 hash base64): yAFI6QSJd/7hJI5hYaOmnirDxiwo50sV7mQO0FJFuZI 
[LOCAL] : RECV: Remote Hostkey ecdsa-sha2-nistp521 521 (SHA-1 hash): d7:53:c3:13:ee:d6:35:0c:dd:86:24:97:af:79:c5:dc:3c:b1:ff:6e 
[LOCAL] : RECV: Remote Hostkey ecdsa-sha2-nistp521 521 (MD5 hash): 11:14:e5:42:3d:68:76:bd:f7:df:e1:e1:fe:9b:11:a8 
[LOCAL] : SEND : NEWKEYS 
[LOCAL] : Changing state from STATE_READY_FOR_NEW_KEYS to STATE_EXPECT_NEWKEYS 
[LOCAL] : RECV : NEWKEYS 
[LOCAL] : Changing state from STATE_EXPECT_NEWKEYS to STATE_CONNECTION 
[LOCAL] : SEND: SERVICE_REQUEST[ssh-userauth] 
[LOCAL] : RECV: SERVICE_ACCEPT[ssh-userauth] -- OK 
[LOCAL] : SENT : USERAUTH_REQUEST [none] 
[LOCAL] : Authenticating as user xxxxxxxxxxxxxxxx  
[LOCAL] : RECV : USERAUTH_FAILURE, continuations [publickey,keyboard-interactive,password] 
[LOCAL] : SENT : USERAUTH_REQUEST [password] 
[LOCAL] : RECV : AUTH_SUCCESS 
[LOCAL] : SEND[0]: SSH_MSG_CHANNEL_OPEN('session')
[LOCAL] : SEND[0]: Pty Request (rows: 54, cols: 167)
[LOCAL] : RECV[0]: pty request succeeded
[LOCAL] : SEND[0]: shell request
[LOCAL] : RECV[0]: shell request succeeded

Info: The max number of VTY users is 10, and the number
      of current VTY users on line is 2.
      The current login time is 2024-07-04 11:29:46+00:00.
and this what inside the switch conf regarding ssh configuration :
ssh server cipher aes128_ctr aes256_cbc aes128_cbc
ssh server hmac sha2_256 sha2_256_96 sha1 md5
ssh server key-exchange dh_group14_sha1
ssh server dh-exchange min-len 2048

let me know what you find wrong

Reply with quote

martin
Site Admin
martin avatar

Re: sftp connection to HUAWEI S5720 fail with : Signature from server's host key is invalid

Thanks. Can you try it with PuTTY too?

Reply with quote

valfredini
Donor
Joined:
Posts:
6
Location:
Italy

Re: sftp connection to HUAWEI S5720 fail with : Signature from server's host key is invalid

YES sir and thank you for helping. The connection tried with PuTTY gave me the same result WinSCP gave because I think the engine of WinSCP is PuTTY.
Signatur
  00000010  65 20 66 72 6f 6d 20 73 65 72 76 65 72 27 73 20  e from server's 
  00000020  68 6f 73 74 20 6b 65 79 20 69 73 20 69 6e 76 61  host key is inva
  00000030  6c 69 64 00 00 00 02 65 6e                       lid....en
But I attach to you all the log file in order for you to better understand the problem.
My final target is to use the WinSCP Library to download the configuration file from several network switch using a PowerShell program written by:
#Created by: James Preston of The Queen's College, Oxford
#Version: 1.0 on 02/11/2015 17:05
#Website: myworldofit.net
That I have only partially modified to meet my need.
Anyway find the attached PuTTY log file.
Thank you again.

Reply with quote

Advertisement

valfredini
Donor
Joined:
Posts:
6
Location:
Italy

Re: sftp connection to HUAWEI S5720 fail with : Signature from server's host key is invalid

Hi Martin I did several action before coming back to you. I have contacted the PuTTY support, as you suggested, that did analysis of the problem and said that the problem is in the SSH server of HUAWEI switch and suggested to open a ticket to HUAWEI. I did this and their reply was use the workaround suggestd here:
https://forum.huawei.com/enterprise/en/signature-from-server-s-host-key-is-invalid/thread/667250144925597696-667213852955258880
and it works even with the last version of PuTTY. But as you know I am not using PuTTY of my PC but the one what WinSCP make use of and in this I cannot impalement any configuration.
Do you know how we can make things working?
Thank you for your support.
Roberto Valfredini

Reply with quote

valfredini
Donor
Joined:
Posts:
6
Location:
Italy

Re: sftp connection to HUAWEI S5720 fail with : Signature from server's host key is invalid

THANK YOU very much Martin what a wonderful program WinSCP.
This solved the problem and the trouble of upgrading the switch because HUAWEI tested new version S5720EI-V200R019C10SPC500.cc of firmware without this RFC problem in ssh connection and admitted the problem.
SOLVED
Roberto Valfredini

Reply with quote

Advertisement

Advertisement

You can post new topics in this forum