Intermittent error "gsskex integrity failure" :: Support Forum

EpaL Guest

Intermittent error "gsskex integrity failure"

2008-07-16 05:25

Hi,

I have just recently build a new Sun T5220 server with Solaris 10 running SSH-2.0-Sun_SSH_1.1. Unfortunately i'm receiving these strange errors when trying to connect with WinSCP using SFTP:

"gsskex integrity failure"

The errors don't always occur - sometimes it works fine.

Is there a log file or some other diagnostic I can send over that might help isolate the cause?

Many thanks in advance.

Reply with quote

martin◆ Site Admin
Joined:: 2002-12-10
Posts:: 41,517
Location:: Prague, Czechia

Re: Intermittent error "gsskex integrity failure"

2008-07-16

What version of WinSCP are you using?

Reply with quote

Guest

Re: Intermittent error "gsskex integrity failure"

2008-07-17 08:37

martin wrote:

What version of WinSCP are you using?

4.1.5 (Build 410)

Reply with quote

Guest

2008-07-17 12:08

Hi again,

It looks like i've found a workaround for this. Edit the session and go to "Key Exchange" and move the "Diffie-Hellman group xxxx" lines to the top. This seems to fix the problem.

Cheers,
Ed

Reply with quote

martin◆ Site Admin

2008-07-18

It looks like i've found a workaround for this. Edit the session and go to "Key Exchange" and move the "Diffie-Hellman group xxxx" lines to the top. This seems to fix the problem.

Thanks for sharing this.

Reply with quote

buddyfriend Guest

this still works, thank you for posting this info N/T

2008-09-05 00:01

thanks

Reply with quote

Guest

2008-11-13 15:19

I get the same error and your fix solves the problem in GUI mode. How do I fix it when i script a connection?

Thanks

Reply with quote

martin◆ Site Admin

2008-11-14

I get the same error and your fix solves the problem in GUI mode. How do I fix it when i script a connection?

Please read FAQ. If that does not help, come back.

Reply with quote

nonnb Guest

Re: Intermittent error "gsskex integrity failure"

2009-07-30 14:58

Hi - might be something to do with DNS checking?

Reply with quote

Crabece Guest

gsskex integrity failure in script mode

2012-10-09 19:00

I got the same error as the previous Guest using Script connection and I'm not able to solve it after some research.
Here is the command.bat what I tried :

option batch on
option confirm off
open sftp://User@dns.name.of.the.server:22 -hostkey="ssh-dss 1024 11:22:33:44:63:03:ae:b3:3c:bf:c7:14:d0:67:be:6c" -privatekey="C:\PathoftheKey\Key.ppk" cd /RemoteServerpath/
option transfer binary
get FileName.XML C:\PathWhereTheFileWillbePut\File.XML
close
exit

=> This is OK. But I have the famous : 2012-10-09 13:42:36.183 gsskex integrity failure in the log.

So I tried the following :

option batch on
option confirm off
open sftp://User@dns.name.of.the.server:22 -hostkey="ssh-dss 1024 11:22:33:44:63:03:ae:b3:3c:bf:c7:14:d0:67:be:6c" -privatekey="C:\PathoftheKey\Key.ppk" -rawsettings="KEX=dh-gex-sha1,gssapi-gex,gssapi-group14,gssapi-group1,dh-group14-sha1,dh-group1-sha1,WARN" cd /RemoteServerpath/
option transfer binary
get FileName.XML C:\PathWhereTheFileWillbePut\File.XML
close
exit

=> This does not work... I exits the console without leaving any message in the .log file.

I found the -rawsettings option by generating a new seesion and checking the .ini file which gave me the following:
[Sessions\User@dns.name.of.the.server]
HostName=dns.name.of.the.server
KEX=dh-gex-sha1,gssapi-gex,gssapi-group14,gssapi-group1,dh-group14-sha1,dh-group1-sha1,WARN
UserName=User
PublicKeyFile=C:\PathoftheKey\Key.ppk

Any clues anyone?
NB: I changed the files and server names/path but the script has been tested and works well except for the gsskex integrity failure for this specific server

Reply with quote

Crabece Guest

Re: gsskex integrity failure in script mode

2012-10-09 19:26

Crabece wrote:

I got the same error as the previous Guest using Script connection and I'm not able to solve it after some research.
Here is the command.bat what I tried :

option batch on
option confirm off
open sftp://User@dns.name.of.the.server:22 -hostkey="ssh-dss 1024 11:22:33:44:63:03:ae:b3:3c:bf:c7:14:d0:67:be:6c" -privatekey="C:\PathoftheKey\Key.ppk" cd /RemoteServerpath/
option transfer binary
get FileName.XML C:\PathWhereTheFileWillbePut\File.XML
close
exit

=> This is OK. But I have the famous : 2012-10-09 13:42:36.183 gsskex integrity failure in the log.

So I tried the following :

option batch on
option confirm off
open sftp://User@dns.name.of.the.server:22 -hostkey="ssh-dss 1024 11:22:33:44:63:03:ae:b3:3c:bf:c7:14:d0:67:be:6c" -privatekey="C:\PathoftheKey\Key.ppk" -rawsettings="KEX=dh-gex-sha1,gssapi-gex,gssapi-group14,gssapi-group1,dh-group14-sha1,dh-group1-sha1,WARN" cd /RemoteServerpath/
option transfer binary
get FileName.XML C:\PathWhereTheFileWillbePut\File.XML
close
exit

=> This does not work... I exits the console without leaving any message in the .log file.

I found the -rawsettings option by generating a new seesion and checking the .ini file which gave me the following:
[Sessions\User@dns.name.of.the.server]
HostName=dns.name.of.the.server
KEX=dh-gex-sha1,gssapi-gex,gssapi-group14,gssapi-group1,dh-group14-sha1,dh-group1-sha1,WARN
UserName=User
PublicKeyFile=C:\PathoftheKey\Key.ppk

Any clues anyone?
NB: I changed the files and server names/path but the script has been tested and works well except for the gsskex integrity failure for this specific server

I can provide you the full connection log of the gsskex integrity failure (with the script that has NOT -rawsettings parameter).

I saw it seems to be using the "Diffie-Hellman group exchange" algorithm for key exchange, so I might be wrong about the source of the issue...

Here is the full log:

Crabece wrote:

. 2012-10-09 13:42:35.667 --------------------------------------------------------------------------
. 2012-10-09 13:42:35.667 WinSCP Version 4.1.9 (Build 416) (OS 5.1.2600 Service Pack 3)
. 2012-10-09 13:42:35.667 Login time: Tuesday, October 09, 2012 1:42:35 PM
. 2012-10-09 13:42:35.667 --------------------------------------------------------------------------
. 2012-10-09 13:42:35.667 Session name: User@dns.name.of.the.server
. 2012-10-09 13:42:35.667 Host name: dns.name.of.the.server (Port: 22)
. 2012-10-09 13:42:35.667 User name: User (Password: No, Key file: Yes)
. 2012-10-09 13:42:35.667 Tunnel: No
. 2012-10-09 13:42:35.667 Transfer Protocol: SFTP
. 2012-10-09 13:42:35.667 Ping type: -, Ping interval: 30 sec; Timeout: 15 sec
. 2012-10-09 13:42:35.667 Proxy: none
. 2012-10-09 13:42:35.667 SSH protocol version: 2; Compression: No
. 2012-10-09 13:42:35.667 Bypass authentication: No
. 2012-10-09 13:42:35.667 Try agent: Yes; Agent forwarding: No; TIS/CryptoCard: No; KI: Yes; GSSAPI: No
. 2012-10-09 13:42:35.667 Ciphers: aes,blowfish,3des,WARN,arcfour,des; Ssh2DES: No
. 2012-10-09 13:42:35.667 SSH Bugs: -,-,-,-,-,-,-,-
. 2012-10-09 13:42:35.667 SFTP Bugs: -,-
. 2012-10-09 13:42:35.667 Return code variable: Autodetect; Lookup user groups: Yes
. 2012-10-09 13:42:35.667 Shell: default, EOL: 0
. 2012-10-09 13:42:35.667 Clear aliases: Yes, Unset nat.vars: Yes, Resolve symlinks: Yes
. 2012-10-09 13:42:35.667 LS: ls -la, Ign LS warn: Yes, Scp1 Comp: No
. 2012-10-09 13:42:35.667 Local directory: default, Remote directory: home, Update: No, Cache: Yes
. 2012-10-09 13:42:35.667 Cache directory changes: Yes, Permanent: Yes
. 2012-10-09 13:42:35.667 DST mode: 1
. 2012-10-09 13:42:35.667 --------------------------------------------------------------------------
. 2012-10-09 13:42:35.667 Looking up host "dns.name.of.the.server"
. 2012-10-09 13:42:35.667 Connecting to IP.Address.Of.Server port 22
. 2012-10-09 13:42:35.808 Server version: SSH-2.0-WRQReflectionforSecureIT_7.2.1 Build 736
. 2012-10-09 13:42:35.808 We claim version: SSH-2.0-WinSCP_release_4.1.9
. 2012-10-09 13:42:35.808 SSPI: acquired credentials for: MyADUserName@AD.Domain.Name
. 2012-10-09 13:42:35.808 Constructed service principal name 'host/dns.name.of.the.server'
. 2012-10-09 13:42:35.808 Enabling GSSKEX for this target
. 2012-10-09 13:42:35.808 Using SSH protocol version 2
. 2012-10-09 13:42:35.808 Doing Diffie-Hellman group exchange
. 2012-10-09 13:42:36.058 Doing Diffie-Hellman key exchange with hash SHA-1
. 2012-10-09 13:42:36.105 SSPI: acquired credentials for: MyADUserName@AD.Domain.Name
. 2012-10-09 13:42:36.105 Constructed service principal name 'host/dns.name.of.the.server'
. 2012-10-09 13:42:36.183 VerifySignature: The message or signature supplied for verification has been altered

. 2012-10-09 13:42:36.183 gsskex integrity failure

Any help?

Reply with quote

Crabece Guest

Re: gsskex integrity failure in script mode

2012-10-10 17:08

Crabece wrote:

Crabece wrote:

I got the same error as the previous Guest using Script connection and I'm not able to solve it after some research.
Here is the command.bat what I tried :

option batch on
option confirm off
open sftp://User@dns.name.of.the.server:22 -hostkey="ssh-dss 1024 11:22:33:44:63:03:ae:b3:3c:bf:c7:14:d0:67:be:6c" -privatekey="C:\PathoftheKey\Key.ppk" cd /RemoteServerpath/
option transfer binary
get FileName.XML C:\PathWhereTheFileWillbePut\File.XML
close
exit

=> This is OK. But I have the famous : 2012-10-09 13:42:36.183 gsskex integrity failure in the log.

So I tried the following :

option batch on
option confirm off
open sftp://User@dns.name.of.the.server:22 -hostkey="ssh-dss 1024 11:22:33:44:63:03:ae:b3:3c:bf:c7:14:d0:67:be:6c" -privatekey="C:\PathoftheKey\Key.ppk" -rawsettings="KEX=dh-gex-sha1,gssapi-gex,gssapi-group14,gssapi-group1,dh-group14-sha1,dh-group1-sha1,WARN" cd /RemoteServerpath/
option transfer binary
get FileName.XML C:\PathWhereTheFileWillbePut\File.XML
close
exit

=> This does not work... I exits the console without leaving any message in the .log file.

I found the -rawsettings option by generating a new seesion and checking the .ini file which gave me the following:
[Sessions\User@dns.name.of.the.server]
HostName=dns.name.of.the.server
KEX=dh-gex-sha1,gssapi-gex,gssapi-group14,gssapi-group1,dh-group14-sha1,dh-group1-sha1,WARN
UserName=User
PublicKeyFile=C:\PathoftheKey\Key.ppk

Any clues anyone?
NB: I changed the files and server names/path but the script has been tested and works well except for the gsskex integrity failure for this specific server

I can provide you the full connection log of the gsskex integrity failure (with the script that has NOT -rawsettings parameter).

I saw it seems to be using the "Diffie-Hellman group exchange" algorithm for key exchange, so I might be wrong about the source of the issue...

Here is the full log:

Crabece wrote:

. 2012-10-09 13:42:35.667 --------------------------------------------------------------------------
. 2012-10-09 13:42:35.667 WinSCP Version 4.1.9 (Build 416) (OS 5.1.2600 Service Pack 3)
. 2012-10-09 13:42:35.667 Login time: Tuesday, October 09, 2012 1:42:35 PM
. 2012-10-09 13:42:35.667 --------------------------------------------------------------------------
. 2012-10-09 13:42:35.667 Session name: User@dns.name.of.the.server
. 2012-10-09 13:42:35.667 Host name: dns.name.of.the.server (Port: 22)
. 2012-10-09 13:42:35.667 User name: User (Password: No, Key file: Yes)
. 2012-10-09 13:42:35.667 Tunnel: No
. 2012-10-09 13:42:35.667 Transfer Protocol: SFTP
. 2012-10-09 13:42:35.667 Ping type: -, Ping interval: 30 sec; Timeout: 15 sec
. 2012-10-09 13:42:35.667 Proxy: none
. 2012-10-09 13:42:35.667 SSH protocol version: 2; Compression: No
. 2012-10-09 13:42:35.667 Bypass authentication: No
. 2012-10-09 13:42:35.667 Try agent: Yes; Agent forwarding: No; TIS/CryptoCard: No; KI: Yes; GSSAPI: No
. 2012-10-09 13:42:35.667 Ciphers: aes,blowfish,3des,WARN,arcfour,des; Ssh2DES: No
. 2012-10-09 13:42:35.667 SSH Bugs: -,-,-,-,-,-,-,-
. 2012-10-09 13:42:35.667 SFTP Bugs: -,-
. 2012-10-09 13:42:35.667 Return code variable: Autodetect; Lookup user groups: Yes
. 2012-10-09 13:42:35.667 Shell: default, EOL: 0
. 2012-10-09 13:42:35.667 Clear aliases: Yes, Unset nat.vars: Yes, Resolve symlinks: Yes
. 2012-10-09 13:42:35.667 LS: ls -la, Ign LS warn: Yes, Scp1 Comp: No
. 2012-10-09 13:42:35.667 Local directory: default, Remote directory: home, Update: No, Cache: Yes
. 2012-10-09 13:42:35.667 Cache directory changes: Yes, Permanent: Yes
. 2012-10-09 13:42:35.667 DST mode: 1
. 2012-10-09 13:42:35.667 --------------------------------------------------------------------------
. 2012-10-09 13:42:35.667 Looking up host "dns.name.of.the.server"
. 2012-10-09 13:42:35.667 Connecting to IP.Address.Of.Server port 22
. 2012-10-09 13:42:35.808 Server version: SSH-2.0-WRQReflectionforSecureIT_7.2.1 Build 736
. 2012-10-09 13:42:35.808 We claim version: SSH-2.0-WinSCP_release_4.1.9
. 2012-10-09 13:42:35.808 SSPI: acquired credentials for: MyADUserName@AD.Domain.Name
. 2012-10-09 13:42:35.808 Constructed service principal name 'host/dns.name.of.the.server'
. 2012-10-09 13:42:35.808 Enabling GSSKEX for this target
. 2012-10-09 13:42:35.808 Using SSH protocol version 2
. 2012-10-09 13:42:35.808 Doing Diffie-Hellman group exchange
. 2012-10-09 13:42:36.058 Doing Diffie-Hellman key exchange with hash SHA-1
. 2012-10-09 13:42:36.105 SSPI: acquired credentials for: MyADUserName@AD.Domain.Name
. 2012-10-09 13:42:36.105 Constructed service principal name 'host/dns.name.of.the.server'
. 2012-10-09 13:42:36.183 VerifySignature: The message or signature supplied for verification has been altered

. 2012-10-09 13:42:36.183 gsskex integrity failure

Any help?