
Authentication type 2 failed

#33043
Posted: 04/15/2015 12:23:09
by Rafael Hernandez (Standard support level)
Joined: 02/04/2015
Posts: 21

I am evaluating the SFTP portion of SecureBlackbox 12.0.268 (Java Version) and now exploring the TElSimpleSFTPClient. Using key authentication (dsa key), I'm able to establish an Sftp connection to one of our internal Linux servers running OpenSSH_6.2p2, but when I try to connect to an external server running OpenSSH_5.5, I get the following error:


09:14:27.451 DEBUG {main} Server key [ac40057f892c1770634a185699fea0ea] received
09:14:27.817 DEBUG {main} Authentication type [2] failed
09:14:27.818 DEBUG {main} Client Error 114
FAILED:
SecureBlackbox.SFTPClient.EElSimpleSFTPClientError: Connection lost (error code is 10058)
at SecureBlackbox.SFTPClient.TElSimpleSFTPClient.doSend(SBSimpleSftp.pas:1742)


I've attempted the suggestions in the FAQ article without any luck (https://www.eldos.com/security/articles/4796.phppage=2). I've also read various threads on the forum and tried tweaking the algorithm(s) configuration but same result. The sample client yields the same result with the live external Sftp Server and with Sample Sftp Server as well.


The following is the code I use and the SSH level-3 debug log that is output from a successful command-line OpenSSH connection to the external server:

Code
        // Public-key authentication only; the key is loaded into an in-memory storage
        simpleSftpClient
                .setAuthenticationTypes(SBSSHConstants.SSH_AUTH_TYPE_PUBLICKEY);
        TElSSHMemoryKeyStorage keyStorage = new TElSSHMemoryKeyStorage();
        TElSSHKey key = new TElSSHKey();
        key.loadPrivateKey(privateKeyPath, ""); // empty passphrase; result code not checked here
        keyStorage.add(key);
        simpleSftpClient.setKeyStorage(keyStorage);
        simpleSftpClient.open();



Note: For security purposes, I've masked/changed some information from its original form.

Quote

OpenSSH_6.7p1, OpenSSL 1.0.2a 19 Mar 2015
debug1: Reading configuration data /Users/devuser/.ssh/config
debug1: Reading configuration data /usr/local/etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to my.host.com [00.00.000.000] port 22.
debug1: Connection established.
debug1: identity file /Users/devuser/id_dsa_zztop type 2
debug1: key_load_public: No such file or directory
debug1: identity file /Users/devuser/id_dsa_zztop-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.7
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5
debug1: match: OpenSSH_5.5 pat OpenSSH_5* compat 0x0c000000
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "my.host.com" from file "/Users/devuser/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /Users/devuser/.ssh/known_hosts:12
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ssh-dss,ssh-rsa
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: setup hmac-sha1
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug2: mac_setup: setup hmac-sha1
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<7680<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: bits set: 1018/2048
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA e2:2c:5b:2e:2a:95:58:92:88:d2:98:73:f0:2d:27:3f
debug3: load_hostkeys: loading entries for host "my.host.com" from file "/Users/devuser/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /Users/devuser/.ssh/known_hosts:12
debug3: load_hostkeys: loaded 1 keys
debug3: load_hostkeys: loading entries for host "00.00.000.000" from file "/Users/devuser/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /Users/devuser/.ssh/known_hosts:12
debug3: load_hostkeys: loaded 1 keys
debug1: Host 'my.host.com' is known and matches the RSA host key.
debug1: Found key in /Users/devuser/.ssh/known_hosts:12
debug2: bits set: 1037/2048
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /Users/devuser/id_dsa_zztop (0x7fa8b0d005e0), explicit
debug3: input_userauth_banner
Some External Company - SFTP Custom Interface Version 6.0
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering DSA public key: /Users/devuser/id_dsa_zztop
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-dss blen 434
debug2: input_userauth_pk_ok: fp da:75:40:aa:99:61:48:4b:2a:61:df:24:0b:66:2e:18
debug3: sign_and_send_pubkey: DSA da:75:40:a:99:61:48:4b:2a:61:df:24:0b:66:2e:18
debug1: Authentication succeeded (publickey).
Authenticated to my.host.com ([00.00.000.000]:22).
debug2: fd 5 setting O_NONBLOCK
debug3: fd 6 is O_NONBLOCK
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug2: callback start
debug2: fd 3 setting TCP_NODELAY
debug3: packet_set_tos: set IP_TOS 0x08
debug2: client_session2_setup: id 0
debug1: Sending subsystem: sftp
debug2: channel 0: request subsystem confirm 1
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 0
debug2: subsystem request accepted on channel 0
debug2: Remote version: 3
debug2: Server supports extension "posix-rename@openssh.com" revision 1
debug2: Server supports extension "statvfs@openssh.com" revision 2
debug2: Server supports extension "fstatvfs@openssh.com" revision 2
Connected to my.host.com.
debug3: Sent message fd 3 T:16 I:1
debug3: SSH_FXP_REALPATH . -> /ourcompany_UAT.fromzztop size 0
sftp>


Which configuration parameters do you suggest in order to enable successful key authentication via TElSimpleSFTPClient?
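The `ssh -vvv` log above carries both sides' KEXINIT proposals, and OpenSSH's `kex:` lines show what it picked. As an added example (not code from the thread, from OpenSSH or from SecureBlackbox), the following Python script reconstructs that choice from the `kex_parse_kexinit` lines using the RFC 4253 section 7.1 rule (the first algorithm in the client's list that the server also offers) and, going one step beyond the log, lists the legacy algorithms the OpenSSH_5.5 server offers. The sample input is the 24 `kex_parse_kexinit` lines copied from the log as printed (client proposal first, then the server's); the legacy list and the `-cbc`/`-96` name patterns are this example's own choice, not an OpenSSH policy.

```python
"""Reconstruct SSH algorithm negotiation from an OpenSSH `ssh -vvv` log.

Added example; parses the `debug2: kex_parse_kexinit:` lines and applies the
RFC 4253 section 7.1 rule: per category, the first client-preferred algorithm
that the server also lists wins.
"""
import re
from typing import Dict, List

# Order of the name-lists inside one KEXINIT message (RFC 4253 section 7.1).
KEXINIT_FIELDS = [
    "kex", "hostkey", "cipher_c2s", "cipher_s2c", "mac_c2s", "mac_s2c",
    "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c",
]

# Algorithms this example treats as legacy when auditing a server's offer.
# (ssh-dss and diffie-hellman-group1-sha1 are disabled by default since OpenSSH 7.0;
# the remaining patterns are this example's own conservative choice.)
LEGACY_PATTERNS = [
    r"^ssh-dss$", r"^diffie-hellman-group1-sha1$", r"^arcfour", r"-cbc$",
    r"^hmac-md5", r"-96$",
]

LINE_RE = re.compile(r"^debug2: kex_parse_kexinit:(.*)$")

# Sample input: the kex_parse_kexinit lines copied from the ssh -vvv log in the
# post above (OpenSSH 6.7 prints its own proposal first, then the server's).
SAMPLE_LOG = """\
debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ssh-dss,ssh-rsa
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
"""


def parse_kexinit(log: str) -> Dict[str, Dict[str, List[str]]]:
    """Split the log into the client's and the server's KEXINIT name-lists."""
    lists: List[List[str]] = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        body = m.group(1).strip()
        if body.startswith(("first_kex_follows", "reserved")):
            continue  # trailing scalar fields, not name-lists
        lists.append([a for a in body.split(",") if a])
    expected = 2 * len(KEXINIT_FIELDS)
    if len(lists) != expected:
        raise ValueError(f"expected {expected} name-lists, got {len(lists)}")
    client = dict(zip(KEXINIT_FIELDS, lists[: len(KEXINIT_FIELDS)]))
    server = dict(zip(KEXINIT_FIELDS, lists[len(KEXINIT_FIELDS):]))
    return {"client": client, "server": server}


def negotiate(client: Dict[str, List[str]], server: Dict[str, List[str]]) -> Dict[str, str]:
    """RFC 4253 rule: first client-preferred algorithm the server also offers.

    (The real kex/hostkey choice also checks signature/encryption capabilities;
    for these logs the simple rule gives the same result.)
    """
    chosen: Dict[str, str] = {}
    for field in KEXINIT_FIELDS:
        if field.startswith("lang"):
            continue  # language lists are informational
        pick = next((a for a in client[field] if a in server[field]), None)
        if pick is None:
            raise ValueError(f"no common {field} algorithm; connection would fail")
        chosen[field] = pick
    return chosen


def legacy_offered(proposal: Dict[str, List[str]]) -> List[str]:
    """Return every algorithm in a proposal that matches LEGACY_PATTERNS."""
    found: List[str] = []
    for field in KEXINIT_FIELDS:
        for alg in proposal[field]:
            if alg not in found and any(re.search(p, alg) for p in LEGACY_PATTERNS):
                found.append(alg)
    return found


def analyze(log: str) -> Dict[str, object]:
    msgs = parse_kexinit(log)
    return {
        "chosen": negotiate(msgs["client"], msgs["server"]),
        "server_legacy": legacy_offered(msgs["server"]),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for field, alg in result["chosen"].items():
        print(f"{field:11s} {alg}")
    print("legacy algorithms offered by server:", ", ".join(result["server_legacy"]))
```

Running it yields diffie-hellman-group-exchange-sha256, ssh-rsa, aes128-ctr and hmac-sha1, exactly what the `kex:` and `SSH2_MSG_KEX_DH_GEX_REQUEST` lines in the log report, which confirms the key exchange itself is fine and the failure in the library happens later, at userauth. The same comparison is useful when a library's own trace (here "Authentication type [2] failed" right after "Server key ... received") has to be lined up against a working OpenSSH session. One caveat for the DSA key used in this thread: the server accepts it (`Server accepts key: pkalg ssh-dss`), but ssh-dss is disabled by default in OpenSSH 7.0 and later, so such keys stop working against upgraded servers unless explicitly re-enabled.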
#33044
Posted: 04/15/2015 12:32:50
by Eugene Mayevski (EldoS Corp.)

In your case the error is crystal-clear: key-based authentication didn't succeed and the server closed the connection because authentication failed as a whole.

Most likely it was the wrong private key loaded (or not loaded at all).

LoadPrivateKey method returns the result code. It would be nice if you checked it and ensured that the key is loaded, i.e. result code is 0.


Sincerely yours
Eugene Mayevski
#33045
Posted: 04/15/2015 13:13:42
by Rafael Hernandez (Standard support level)
Joined: 02/04/2015
Posts: 21

Thanks for the prompt response. I verified the result code to be 0.

I've also verified that all connection parameters are correct multiple times and also have compared it to the parameters I use via the successful sftp command (same ones in my code).

sftp -oIdentityFile=/Users/devuser/id_dsa remoteuser@myhost.com

Again, when I change parameters to point to another SFTP Server (username, host, keyPath etc), the connection works fine. Please let me know how I can proceed with troubleshooting. Thanks.
#33046
Posted: 04/15/2015 13:20:56
by Eugene Mayevski (EldoS Corp.)

Please ensure that you specify the Username property as well (besides the key). It's not clear whether you set it or not from your above code excerpt.


Sincerely yours
Eugene Mayevski
#33047
Posted: 04/15/2015 13:32:50
by Rafael Hernandez (Standard support level)
Joined: 02/04/2015
Posts: 21

My apologies for being unclear. Yes, I am setting the username in this fashion:


Code

        String privateKeyPath = "/Users/devuser/id_dsa";
        String host = "myhost.com"; // also tried IP
        int port = 22;
        String username = "remoteuser";

        // One client instance is used throughout (the name was inconsistent in the pasted excerpt)
        TElSimpleSFTPClient simpleSftpClient = new TElSimpleSFTPClient();
        simpleSftpClient.setUsername(username);
        simpleSftpClient.setAddress(host);
        simpleSftpClient.setPort(port);
        simpleSftpClient
                .setAuthenticationTypes(SBSSHConstants.SSH_AUTH_TYPE_PUBLICKEY);
        TElSSHMemoryKeyStorage keyStorage = new TElSSHMemoryKeyStorage();
        TElSSHKey key = new TElSSHKey();
        int errorCode = key.loadPrivateKey(privateKeyPath, ""); // 0 means the key was loaded
        keyStorage.add(key);
        simpleSftpClient.setKeyStorage(keyStorage);
        simpleSftpClient.open();
#33048
Posted: 04/15/2015 14:06:11
by Eugene Mayevski (EldoS Corp.)

I have only one guess - something Java-specific doesn't work again. The only option at this stage is for us to have the keypair and test the connection locally (at least with a test server but better with your real server).

If you can pass us the keypair, please let us know and I will create a HelpDesk ticket for you, where you would be able to do this confidentially (or we will arrange another channel for key transport).

Alternatively, if this is technically possible for you, you can try to use the keypair provided in <SecureBlackbox>\Extra\SSHKeys directory on your disk for authentication on your server. If this doesn't work, we'll be able to use our keypair for further tests.


Sincerely yours
Eugene Mayevski
#33049
Posted: 04/15/2015 15:05:50
by Rafael Hernandez (Standard support level)
Joined: 02/04/2015
Posts: 21

Thanks for the reply. I will check on the feasibility of these options and get back to you.
#33181
Posted: 04/30/2015 15:31:54
by Rafael Hernandez (Standard support level)
Joined: 02/04/2015
Posts: 21

I am ready to proceed to the next step. Can you please create a HelpDesk ticket and some instructions on how to transfer the key pair confidentially? Thanks.
#33188
Posted: 05/01/2015 02:23:32
by Vsevolod Ievgiienko (EldoS Corp.)

Hello.

I've created a Helpdesk ticket for you. Please attach files in the created ticket.

Helpdesk is our easy-to-use ticketing system that allows communicating and exchanging sample data with our support personnel privately. You will also get e-mail notifications about updates of your support ticket.
