"5 Invalid MAC" when connecting to server www.sproom.net #741

Closed
runholen opened this issue Jan 9, 2025 · 4 comments
@runholen

runholen commented Jan 9, 2025

We have recently upgraded to the 0.2-fork of jsch, and it worked for most connections.
But a connection to one server, www.sproom.net, does not work.
It only accepts ssh-rsa, so we have added the following:

```java
session.setConfig("server_host_key", session.getConfig("server_host_key") + ",ssh-rsa");
session.setConfig("PubkeyAcceptedKeyTypes", "ssh-rsa," + session.getConfig("PubkeyAcceptedKeyTypes"));
```

This has solved the issue for other servers, but not this one. We get:

```
1 SSH_MSG_NEWKEYS sent
1 SSH_MSG_NEWKEYS received
1 SSH_MSG_SERVICE_REQUEST sent
1 Disconnecting from www.sproom.net port 22
Exception in thread "main" com.jcraft.jsch.JSchSessionDisconnectException: SSH_MSG_DISCONNECT: 5 Invalid MAC
```

We then tried adding to our code:

```java
session.setConfig("mac.s2c", "hmac-sha1," + session.getConfig("mac.s2c"));
```

But we then only get the following:

```
1 SSH_MSG_NEWKEYS sent
1 SSH_MSG_NEWKEYS received
1 SSH_MSG_SERVICE_REQUEST sent
4 Bad packet length 20
1 Disconnecting from www.sproom.net port 22
Exception in thread "main" com.jcraft.jsch.JSchException: Packet corrupt
```

What can we do to fix this issue for www.sproom.net?

@norrisjeremy
Contributor

Hi @runholen,

In order to provide you any assistance, we would need you to enable debug logging inside JSch and then provide a full copy of the JSch logs from a failed connection attempt.

Thanks,
Jeremy

@runholen
Author

Hi. I use `JSch.setLogger(new MyLogger());`
Where MyLogger has the following methods, and therefore enables logging for all levels:

```java
public boolean isEnabled(int pLevel) {
  return true; // here, all levels enabled
}

public void log(int pLevel, String pMessage) {
  System.out.println(pLevel + " " + pMessage);
}
```

My test class is just like this:

```java
JSch jsch = new JSch();
Session session = jsch.getSession(user, host, port);
java.util.Properties conf = new java.util.Properties();
// Host key verification is switched off for this test connection
conf.put("StrictHostKeyChecking", "no");
session.setConfig(conf);
session.setPassword(password);
session.setServerAliveInterval(30 * 1000);
// Append ssh-rsa to the host key algorithms and put it first for public key auth
session.setConfig("server_host_key", session.getConfig("server_host_key") + ",ssh-rsa");
session.setConfig("PubkeyAcceptedKeyTypes", "ssh-rsa," + session.getConfig("PubkeyAcceptedKeyTypes"));
JSch.setLogger(new MyLogger());
session.connect();
session.disconnect();
```

And here is the log output:

1 Connecting to www.sproom.net port 22
1 Connection established
1 Remote version string: SSH-2.0-SSH
1 Local version string: SSH-2.0-JSCH_0.2.21
1 CheckCiphers: [email protected]
1 CheckKexes: [email protected],curve25519-sha256,[email protected],curve448-sha512
1 [email protected] is not available.
1 curve25519-sha256 is not available.
1 [email protected] is not available.
1 curve448-sha512 is not available.
0 kex proposal before removing unavailable algos is: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
0 kex proposal after removing unavailable algos is: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
1 CheckSignatures: ssh-ed25519,ssh-ed448
1 ssh-ed25519 is not available.
1 ssh-ed448 is not available.
0 server_host_key proposal before removing unavailable algos is: ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa
0 server_host_key proposal after removing unavailable algos is: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa
0 server_host_key proposal before known_host reordering is: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa
0 server_host_key proposal after known_host reordering is: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa
1 SSH_MSG_KEXINIT sent
1 SSH_MSG_KEXINIT received
1 server proposal: KEX algorithms: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256
1 server proposal: host key algorithms: ssh-rsa
1 server proposal: ciphers c2s: 3des-cbc,blowfish-cbc,twofish256-cbc,twofish192-cbc,twofish128-cbc,aes256-cbc,aes192-cbc,aes128-cbc,serpent256-cbc,serpent192-cbc,serpent128-cbc,arcfour,idea-cbc,cast128-cbc,none,des-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-ctr,blowfish-ctr,twofish128-ctr,twofish192-ctr,twofish256-ctr,serpent128-ctr,serpent192-ctr,serpent256-ctr,idea-ctr,cast128-ctr,arcfour128,arcfour256,aes128-gcm,aes256-gcm,[email protected],[email protected],chacha20-poly1305,[email protected]
1 server proposal: ciphers s2c: 3des-cbc,blowfish-cbc,twofish256-cbc,twofish192-cbc,twofish128-cbc,aes256-cbc,aes192-cbc,aes128-cbc,serpent256-cbc,serpent192-cbc,serpent128-cbc,arcfour,idea-cbc,cast128-cbc,none,des-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-ctr,blowfish-ctr,twofish128-ctr,twofish192-ctr,twofish256-ctr,serpent128-ctr,serpent192-ctr,serpent256-ctr,idea-ctr,cast128-ctr,arcfour128,arcfour256,aes128-gcm,aes256-gcm,[email protected],[email protected],chacha20-poly1305,[email protected]
1 server proposal: MACs c2s: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,none,hmac-ripemd160,hmac-ripemd,[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,aes128-gcm,aes256-gcm,[email protected],[email protected],[email protected]
1 server proposal: MACs s2c: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,none,hmac-ripemd160,hmac-ripemd,[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,aes128-gcm,aes256-gcm,[email protected],[email protected],[email protected]
1 server proposal: compression c2s: none,zlib,[email protected]
1 server proposal: compression s2c: none,zlib,[email protected]
1 server proposal: languages c2s:
1 server proposal: languages s2c:
1 client proposal: KEX algorithms: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c,[email protected]
1 client proposal: host key algorithms: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa
1 client proposal: ciphers c2s: aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
1 client proposal: ciphers s2c: aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
1 client proposal: MACs c2s: [email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
1 client proposal: MACs s2c: [email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
1 client proposal: compression c2s: none
1 client proposal: compression s2c: none
1 client proposal: languages c2s:
1 client proposal: languages s2c:
1 kex: algorithm: diffie-hellman-group-exchange-sha256
1 kex: host key algorithm: ssh-rsa
1 kex: server->client cipher: aes128-ctr MAC: [email protected] compression: none
1 kex: client->server cipher: aes128-ctr MAC: [email protected] compression: none
1 SSH_MSG_KEX_DH_GEX_REQUEST(2048<3072<8192) sent
1 expecting SSH_MSG_KEX_DH_GEX_GROUP
1 SSH_MSG_KEX_DH_GEX_INIT sent
1 expecting SSH_MSG_KEX_DH_GEX_REPLY
1 ssh_rsa_verify: ssh-rsa signature true
2 Permanently added 'www.sproom.net' (RSA) to the list of known hosts.
1 SSH_MSG_NEWKEYS sent
1 SSH_MSG_NEWKEYS received
1 SSH_MSG_SERVICE_REQUEST sent
1 Disconnecting from www.sproom.net port 22
Exception in thread "main" com.jcraft.jsch.JSchSessionDisconnectException: SSH_MSG_DISCONNECT: 5 Invalid MAC
at com.jcraft.jsch.Session.read(Session.java:1316)
at com.jcraft.jsch.UserAuthNone.start(UserAuthNone.java:54)
at com.jcraft.jsch.Session.connect(Session.java:412)
at com.jcraft.jsch.Session.connect(Session.java:198)
at TestSproomConnection.main(TestSproomConnection.java:52)

If I add the following config line:

```java
session.setConfig("mac.s2c", "hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96," + session.getConfig("mac.s2c"));
```

then the log is this:

1 Connecting to www.sproom.net port 22
1 Connection established
1 Remote version string: SSH-2.0-SSH
1 Local version string: SSH-2.0-JSCH_0.2.21
1 CheckCiphers: [email protected]
1 CheckKexes: [email protected],curve25519-sha256,[email protected],curve448-sha512
1 [email protected] is not available.
1 curve25519-sha256 is not available.
1 [email protected] is not available.
1 curve448-sha512 is not available.
0 kex proposal before removing unavailable algos is: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
0 kex proposal after removing unavailable algos is: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
1 CheckSignatures: ssh-ed25519,ssh-ed448
1 ssh-ed25519 is not available.
1 ssh-ed448 is not available.
0 server_host_key proposal before removing unavailable algos is: ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa
0 server_host_key proposal after removing unavailable algos is: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa
0 server_host_key proposal before known_host reordering is: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa
0 server_host_key proposal after known_host reordering is: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa
1 SSH_MSG_KEXINIT sent
1 SSH_MSG_KEXINIT received
1 server proposal: KEX algorithms: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256
1 server proposal: host key algorithms: ssh-rsa
1 server proposal: ciphers c2s: 3des-cbc,blowfish-cbc,twofish256-cbc,twofish192-cbc,twofish128-cbc,aes256-cbc,aes192-cbc,aes128-cbc,serpent256-cbc,serpent192-cbc,serpent128-cbc,arcfour,idea-cbc,cast128-cbc,none,des-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-ctr,blowfish-ctr,twofish128-ctr,twofish192-ctr,twofish256-ctr,serpent128-ctr,serpent192-ctr,serpent256-ctr,idea-ctr,cast128-ctr,arcfour128,arcfour256,aes128-gcm,aes256-gcm,[email protected],[email protected],chacha20-poly1305,[email protected]
1 server proposal: ciphers s2c: 3des-cbc,blowfish-cbc,twofish256-cbc,twofish192-cbc,twofish128-cbc,aes256-cbc,aes192-cbc,aes128-cbc,serpent256-cbc,serpent192-cbc,serpent128-cbc,arcfour,idea-cbc,cast128-cbc,none,des-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-ctr,blowfish-ctr,twofish128-ctr,twofish192-ctr,twofish256-ctr,serpent128-ctr,serpent192-ctr,serpent256-ctr,idea-ctr,cast128-ctr,arcfour128,arcfour256,aes128-gcm,aes256-gcm,[email protected],[email protected],chacha20-poly1305,[email protected]
1 server proposal: MACs c2s: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,none,hmac-ripemd160,hmac-ripemd,[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,aes128-gcm,aes256-gcm,[email protected],[email protected],[email protected]
1 server proposal: MACs s2c: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,none,hmac-ripemd160,hmac-ripemd,[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,aes128-gcm,aes256-gcm,[email protected],[email protected],[email protected]
1 server proposal: compression c2s: none,zlib,[email protected]
1 server proposal: compression s2c: none,zlib,[email protected]
1 server proposal: languages c2s:
1 server proposal: languages s2c:
1 client proposal: KEX algorithms: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c,[email protected]
1 client proposal: host key algorithms: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa
1 client proposal: ciphers c2s: aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
1 client proposal: ciphers s2c: aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
1 client proposal: MACs c2s: [email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
1 client proposal: MACs s2c: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96,[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
1 client proposal: compression c2s: none
1 client proposal: compression s2c: none
1 client proposal: languages c2s:
1 client proposal: languages s2c:
1 kex: algorithm: diffie-hellman-group-exchange-sha256
1 kex: host key algorithm: ssh-rsa
1 kex: server->client cipher: aes128-ctr MAC: hmac-md5 compression: none
1 kex: client->server cipher: aes128-ctr MAC: [email protected] compression: none
1 SSH_MSG_KEX_DH_GEX_REQUEST(2048<3072<8192) sent
1 expecting SSH_MSG_KEX_DH_GEX_GROUP
1 SSH_MSG_KEX_DH_GEX_INIT sent
1 expecting SSH_MSG_KEX_DH_GEX_REPLY
1 ssh_rsa_verify: ssh-rsa signature true
2 Permanently added 'www.sproom.net' (RSA) to the list of known hosts.
1 SSH_MSG_NEWKEYS sent
1 SSH_MSG_NEWKEYS received
1 SSH_MSG_SERVICE_REQUEST sent
4 Bad packet length 20
1 Disconnecting from www.sproom.net port 22
Exception in thread "main" com.jcraft.jsch.JSchException: Packet corrupt
at com.jcraft.jsch.Session.start_discard(Session.java:1421)
at com.jcraft.jsch.Session.read(Session.java:1257)
at com.jcraft.jsch.UserAuthNone.start(UserAuthNone.java:54)
at com.jcraft.jsch.Session.connect(Session.java:412)
at com.jcraft.jsch.Session.connect(Session.java:198)
at TestSproomConnection.main(TestSproomConnection.java:52)

@norrisjeremy
Contributor

Hi @runholen,

In your logging output, I see that you are using different MACs for c2s vs s2c:

```
1 client proposal: MACs c2s: [email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
1 client proposal: MACs s2c: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96,[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
...
1 kex: server->client cipher: aes128-ctr MAC: hmac-md5 compression: none
1 kex: client->server cipher: aes128-ctr MAC: [email protected] compression: none
```

If you change your code so that it sets the MACs identically for both directions like this, does it then work?

```java
session.setConfig("mac.c2s", "hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96," + session.getConfig("mac.c2s"));
session.setConfig("mac.s2c", "hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96," + session.getConfig("mac.s2c"));
```

Thanks,
Jeremy
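
An added example (not from the thread or the JSch project) of the per-direction MAC selection rule in RFC 4253 section 7.1, applied to the MAC lists in the logs above. The address-obfuscated `[email protected]` entries are left out of the lists, so the c2s result in the first case is the first non-obfuscated match rather than the name in the log; the class name, the `WEAK` set and the reordered list are assumptions of the example.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Set;

public class MacNegotiationCheck {
  // MACs this example treats as weak (an assumption of the example, not a JSch list).
  static final Set<String> WEAK = Set.of("hmac-md5", "hmac-md5-96", "hmac-sha1-96", "none");

  // Server MAC proposal from the log, obfuscated "[email protected]" entries left out.
  static final String SERVER = "hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,none,"
      + "hmac-ripemd160,hmac-ripemd,hmac-sha2-256,hmac-sha2-512,aes128-gcm,aes256-gcm";
  // Client default MAC proposal from the log, obfuscated entries left out.
  static final String DEFAULTS = "hmac-sha2-256,hmac-sha2-512,hmac-sha1";
  // Prefix used in the thread's setConfig calls.
  static final String PREFIX = "hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96,";

  // RFC 4253 section 7.1: the first name on the client's list that the
  // server also lists is chosen, independently for each direction.
  static String negotiate(String clientList, String serverList) {
    List<String> server = Arrays.asList(serverList.split(","));
    for (String name : clientList.split(",")) {
      if (server.contains(name)) return name;
    }
    return null; // no common algorithm
  }

  static String report(String label, String c2s, String s2c) {
    String up = negotiate(c2s, SERVER);
    String down = negotiate(s2c, SERVER);
    String out = label + ": c2s=" + up + ", s2c=" + down;
    if (up == null || down == null) return out + " [no common MAC]";
    if (!up.equals(down)) out += " [differs per direction]";
    if (WEAK.contains(up) || WEAK.contains(down)) out += " [weak MAC]";
    return out;
  }

  public static void main(String[] args) {
    // Only mac.s2c changed, as in the second log.
    System.out.println(report("s2c only", DEFAULTS, PREFIX + DEFAULTS));
    // Both directions changed, as in the setConfig calls suggested above.
    System.out.println(report("both directions", PREFIX + DEFAULTS, PREFIX + DEFAULTS));
    // Same non-default names, reordered so the strongest comes first (constructed).
    String reordered = "hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96," + DEFAULTS;
    System.out.println(report("reordered", reordered, reordered));
  }
}
```

With `hmac-md5` first on both lists, the session negotiates `hmac-md5` in both directions even though the server also offers `hmac-sha2-256`. Whether this server interoperates with the reordered list is not shown in the thread.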

@runholen
Author

Thank you very much, that did the trick.
