UPDATED Please read: Host key signature failure error

[tcaduto12068]

Hi,
We have a new client that uses sterling file gateway to send us files and they get this error:

<Prev_NotSuccess_Adv_Status>The host key signature is invalid [Unknown cause]:SSH_DISCONNECT_BY_APPLICATION:SFTP session channel closed by server.: </Prev_NotSuccess_Adv_Status>
<ERROR_SERVICE>

And I get this on the Sbridge SFTP server:
SSH Client(0.0.0.0:11015) ERROR for user:N/A:Authentication failed

So for whatever reason the host key is not matching up with what's on the server, this only happens when they send multiple files at the same time.


Is there anyway you guys can improve the error message in this case? I looked in the code and it's only in one spot the server raises this message and it's really generic.

We think it's something on their side as they had both a RSA and DSA key in their know hosts file. We do have both types of keys defined on the Sbridge server but that should not be an issue. We think it's some bug in their client code. But my main reason is that the error message Sbridge raises in this case is way to generic and would have had no way to know it was a server host key signature failure.

[ViktorV]

Thank you for the information. We’ll release that functionality in the next SecureBridge build.

[ViktorV]

We have added an option to get information about errors in the TserverKeyExchanger.SyncKeyExchange method.

[tcaduto12068]

Hi,
Is there a way to figure out why the host key exchange is failing?
The error message now indicates why the auth failed but I don't have any idea on how to figure out why it's failing.

This client we have is using IBM Sterling File Gateway and their B2B integrator which is forwarding file to us via SFTP and they use the Java Maverick SSH/SFTP lib and it 's that library that is having the issue.

[ViktorV]

Please specify the exact error message.

[tcaduto12068]

exact error message is:
The host key signature is invalid

[tcaduto12068]

This is the SSH client lib I am having issues with:

https://www.jadaptive.com/en/products/java-ssh-client

The IBM Sterling File Gateway B2B integrator uses it to relay files to other servers.

When they relay about 43 files we get these host key signature errors on about 1/2 of them and end up with around 18 to 23 successful transfers to our Devart SFTP server.

When I test with Filezilla to our server I can send 100s of files with 10 concurrent connections with no host key errors at all so I don't know what is going on.

[tcaduto12068]

Looks like this is an issue with SecureBridge not working with the maverick Java SSH client.
When the IBM client sends a bunch of files at a time that's when we see the issue popup if they send one at a time in slow succession they connect and the files upload fine.

[ViktorV]

Could you please ask your client to compose and send us a client application that demonstrates the described behavior at https://devart.com/company/contactform.html so that we could research it?

[tcaduto12068]

It's a IBM product and they have the Maverick SSH client embedded into the Sterling FIle Gateway product B2B integrator which is a way to automate stuff when files come in.

The people that manage this have no knowledge of writing java console apps.

Would the max startups have anything to do with this error?(I have it set at 50) We get the error even on just 10 files sent from them.

Is there a spot where I could put some logging into the code to try and figure out what is going on? I have the source edition.

When we changed their job to point to a Open SSH server on Ubuntu it worked with no host key errors.

[ViktorV]

Please follow these steps and let us know if the issue still occurs:
- replace the string

Code: Select all

Result := RSA_SHA256_TYPE_HEADER + ',' + RSA_SHA512_TYPE_HEADER + ',' + RSA_TYPE_HEADER;

with

Code: Select all

Result := RSA_TYPE_HEADER; 

in the class function CipherFactory.PublicKeyAlgorithmToSSH2ListName(Algorithm: TScAsymmetricAlgorithm): string; method.

- set the TScSSHClient.HostKeyAlgorithms.AsString property to 'rsa'. Example:

Code: Select all

ScSSHClient.HostKeyAlgorithms.AsString := 'rsa';

[tcaduto12068]

Hi Viktor,
That code seems to be for the Sbridge SSH client.

We are having issues with a 3rd party java client connecting to the Securebridge sftp server and the host keys failing.
Wouldn't that be happening before public key authentication?

The error we get I think is being raised in line 399 of ScSSH2ServerConnection

in particular this:

repeat
Res := SendAuthenticationResponse;
Inc(Count);
until (Res <> arFailure) or (Count >= 4);

I don't know if it's failing because the count is greater than 4 or if it really is failing.

What would happen if I increased the count to like 10?

[ViktorV]

- set the TScSSHClient.HostKeyAlgorithms.AsString property to 'rsa'. Example:

Code: Select all

ScSSHClient.HostKeyAlgorithms.AsString := 'rsa';

Sorry for the inaccuracy in the previous post.
- set the TScSSHServer.HostKeyAlgorithms property to 'rsa'. Example:

Code: Select all

  ScSSHServer.HostKeyAlgorithms := [aaRSA];

[tcaduto12068]

Viktor,
None of this had any effect.
If the files are sent and then relayed from the IBM system one at a time we don't get the error.
It only happens when they send files to the Sbridge server really fast.
Is it possible the key exchange is picking up a extra byte or something from a buffer over flow or something like that?

We did determine that the version of Sterling File Gateway they have installed is using a very old version of the Maverick Java SSH/SFTP library. Version 1.4.67 to be exact and they have a patch that will update it to 1.4.69 but they can't install it because of corporate change policy until June 4th

[ViktorV]

Unfortunately, we can't reproduce the issue.
The issue may stem from an old version of the Maverick Java SSH/SFTP library rather than our code. We would suggest waiting till June 4 so that your client could update their Maverick Java SSH/SFTP library and check whether the issue still occurs.