Comments (21)

mscdex commented on June 30, 2024

Be aware that by disabling this check you are making yourself vulnerable to MITM attacks.

from ssh2-streams.

johndc7 commented on June 30, 2024

I am aware of this. Unfortunately, it seems my options are disable the check or it doesn't work at all.

Maybe it would be helpful to have an option to disable this and include a warning in the logs?

mscdex commented on June 30, 2024

I'd much rather try to solve the problem if possible rather than encourage bypassing a security check.

johndc7 commented on June 30, 2024

Sure. That's the best solution.

I can send you testing credentials for the server I'm having issues with if you like.

mscdex commented on June 30, 2024

Can you test with the master branch of ssh2 to see if the issue is still present there?

johndc7 commented on June 30, 2024

I tested with the master branch of ssh2 and I have the same problem. I did notice some errors when running npm install but I figured I would test anyway since it said it was an optional dependency.

C:\Users\John\Desktop\ssh2-test\ssh2>npm install

> [email protected] install C:\Users\John\Desktop\ssh2-test\ssh2\node_modules\cpu-features
> node-gyp rebuild


C:\Users\John\Desktop\ssh2-test\ssh2\node_modules\cpu-features>if not defined npm_config_node_gyp (node "C:\Program Files\nodejs\node_modules\npm\node_modules\npm-lifecycle\node-gyp-bin\\..\..\node_modules\node-gyp\bin\node-gyp.js" rebuild )  else (node "C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\bin\node-gyp.js" rebuild )
Building the projects in this solution one at a time. To enable parallel build, please add the "/m" switch.
  Configuring dependencies
  -- Building for: Visual Studio 14 2015
  -- Selecting Windows SDK version  to target Windows 10.0.18363.
  -- The C compiler identification is MSVC 19.0.24210.0
  -- Detecting C compiler ABI info
  -- Detecting C compiler ABI info - done
  -- Check for working C compiler: C:/Program Files (x86)/Microsoft Visual Studio 14.0/VC/bin/x86_amd64/cl.exe - skipped
  -- Detecting C compile features
  -- Detecting C compile features - done
  -- Configuring done
  -- Generating done
  -- Build files have been written to: C:/Users/John/Desktop/ssh2-test/ssh2/node_modules/cpu-features/deps/cpu_features/build
  Building dependencies
  Microsoft (R) Build Engine version 14.0.25420.1
  Copyright (C) Microsoft Corporation. All rights reserved.

    Checking Build System
    Building Custom Rule C:/Users/John/Desktop/ssh2-test/ssh2/node_modules/cpu-features/deps/cpu_features/CMakeLists.txt
    filesystem.c
    stack_line_reader.c
    string_view.c
    Generating Code...
    utils.vcxproj -> C:\Users\John\Desktop\ssh2-test\ssh2\node_modules\cpu-features\deps\cpu_features\build\utils.dir\Release\utils.lib
    Building Custom Rule C:/Users/John/Desktop/ssh2-test/ssh2/node_modules/cpu-features/deps/cpu_features/CMakeLists.txt
    cpuinfo_x86.c
    cpu_features.vcxproj -> C:\Users\John\Desktop\ssh2-test\ssh2\node_modules\cpu-features\deps\cpu_features\build\Release\cpu_features.lib
    Building Custom Rule C:/Users/John/Desktop/ssh2-test/ssh2/node_modules/cpu-features/deps/cpu_features/CMakeLists.txt
    list_cpu_features.c
c:\users\john\desktop\ssh2-test\ssh2\node_modules\cpu-features\deps\cpu_features\src\utils\list_cpu_features.c(343): warning C4715: 'GetCacheTypeString': not all control paths return a value [C:\Users\John\Desktop\ssh2-test\ssh2\node_modules\cpu-features\deps\cpu_features\build\list_cpu_features.vcxproj] [C:\Users\John\Desktop\ssh2-test\ssh2\node_modules\cpu-features\build\build_deps.vcxproj]
    list_cpu_features.vcxproj -> C:\Users\John\Desktop\ssh2-test\ssh2\node_modules\cpu-features\deps\cpu_features\build\Release\list_cpu_features.exe
    Building Custom Rule C:/Users/John/Desktop/ssh2-test/ssh2/node_modules/cpu-features/deps/cpu_features/CMakeLists.txt
  binding.cc
  win_delay_load_hook.cc
     Creating library C:\Users\John\Desktop\ssh2-test\ssh2\node_modules\cpu-features\build\Release\cpufeatures.lib and object C:\Users\John\Desktop\ssh2-test\ssh2\node_modules\cpu-features\build\Release\cpufeatures.exp
LINK : warning LNK4098: defaultlib 'MSVCRT' conflicts with use of other libs; use /NODEFAULTLIB:library [C:\Users\John\Desktop\ssh2-test\ssh2\node_modules\cpu-features\build\cpufeatures.vcxproj]
  cpufeatures.vcxproj -> C:\Users\John\Desktop\ssh2-test\ssh2\node_modules\cpu-features\build\Release\\cpufeatures.node
  cpufeatures.vcxproj -> C:\Users\John\Desktop\ssh2-test\ssh2\node_modules\cpu-features\build\Release\cpufeatures.pdb (Full PDB)

> [email protected] install C:\Users\John\Desktop\ssh2-test\ssh2
> node install.js


C:\Users\John\Desktop\ssh2-test\ssh2\lib\protocol\crypto>if not defined npm_config_node_gyp (node "C:\Program Files\nodejs\node_modules\npm\node_modules\npm-lifecycle\node-gyp-bin\\..\..\node_modules\node-gyp\bin\node-gyp.js" --target=v14.15.4 rebuild )  else (node "C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\bin\node-gyp.js" --target=v14.15.4 rebuild )
Building the projects in this solution one at a time. To enable parallel build, please add the "/m" switch.
  binding.cc
  win_delay_load_hook.cc
..\src\binding.cc(1718): error C2131: expression did not evaluate to a constant [C:\Users\John\Desktop\ssh2-test\ssh2\lib\protocol\crypto\build\sshcrypto.vcxproj]
  ..\src\binding.cc(1718): note: failure was caused by non-constant arguments or reference to a non-constant symbol
  ..\src\binding.cc(1718): note: see usage of 'this'
gyp ERR! build error
gyp ERR! stack Error: `C:\Program Files (x86)\MSBuild\14.0\bin\MSBuild.exe` failed with exit code: 1
gyp ERR! stack     at ChildProcess.onExit (C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\lib\build.js:194:23)
gyp ERR! stack     at ChildProcess.emit (events.js:315:20)
gyp ERR! stack     at Process.ChildProcess._handle.onexit (internal/child_process.js:277:12)
gyp ERR! System Windows_NT 10.0.18363
gyp ERR! command "C:\\Program Files\\nodejs\\node.exe" "C:\\Program Files\\nodejs\\node_modules\\npm\\node_modules\\node-gyp\\bin\\node-gyp.js" "--target=v14.15.4" "rebuild"
gyp ERR! cwd C:\Users\John\Desktop\ssh2-test\ssh2\lib\protocol\crypto
gyp ERR! node -v v14.15.4
gyp ERR! node-gyp -v v5.1.0
gyp ERR! not ok
Failed to build optional crypto binding
npm WARN [email protected] No license field.

added 1 package from 1 contributor and audited 7 packages in 22.723s
found 0 vulnerabilities

mscdex commented on June 30, 2024

Can you set debug: console.log in the connection config object with the master branch of ssh2 and post the resulting output?

johndc7 commented on June 30, 2024

Sure.

09:32:53.345 > Custom crypto binding not available
09:32:53.576 > Client: Trying ecportal.dhl-usa.com on port 22 ...
09:32:55.133 > Local ident: 'SSH-2.0-ssh2js1.0.0-beta.0'
09:32:55.832 > Socket connected
09:32:56.063 > Remote ident: 'SSH-2.0-IBM Sterling Connect:Enterprise for UNIX2.5.0'
09:32:56.219 > Outbound: Sending KEXINIT
09:32:56.332 > Inbound: Handshake in progress
09:32:56.439 > Handshake: (local) KEX method: diffie-hellman-group1-sha1
09:32:56.538 > Handshake: (remote) KEX method: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
09:32:56.652 > Handshake: KEX algorithm: diffie-hellman-group1-sha1
09:32:56.753 > Handshake: (local) Host key format: ssh-dss
09:32:56.855 > Handshake: (remote) Host key format: ssh-dss
09:32:56.958 > Handshake: Host key format: ssh-dss
09:32:57.042 > Handshake: (local) C->S cipher: 3des-cbc,aes256-cbc,aes192-cbc,aes128-cbc,arcfour,blowfish-cbc,cast128-cbc
09:32:57.136 > Handshake: (remote) C->S cipher: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
09:32:57.248 > Handshake: C->S Cipher: 3des-cbc
09:32:57.455 > Handshake: (local) S->C cipher: 3des-cbc,aes256-cbc,aes192-cbc,aes128-cbc,arcfour,blowfish-cbc,cast128-cbc
09:32:57.659 > Handshake: (remote) S->C cipher: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
09:32:57.835 > Handshake: S->C cipher: 3des-cbc
09:32:58.037 > Handshake: (local) C->S MAC: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha2-256-96,hmac-sha2-512-96,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
09:32:58.216 > Handshake: (remote) C->S MAC: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
09:32:58.418 > Handshake: C->S MAC: hmac-sha1
09:32:58.590 > Handshake: (local) S->C MAC: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha2-256-96,hmac-sha2-512-96,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
09:32:58.824 > Handshake: (remote) S->C MAC: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
09:32:59.031 > Handshake: S->C MAC: hmac-sha1
09:32:59.213 > Handshake: (local) C->S compression: none,zlib@openssh.com,zlib
09:32:59.424 > Handshake: (remote) C->S compression: none,zlib
09:32:59.624 > Handshake: C->S compression: none
09:32:59.774 > Handshake: (local) S->C compression: none,zlib@openssh.com,zlib
09:32:59.991 > Handshake: (remote) S->C compression: none,zlib
09:33:00.204 > Handshake: S->C compression: none
09:33:00.407 > Outbound: Sending KEXDH_INIT
09:33:01.267 > Host accepted by default (no verification)
09:33:01.406 > Host accepted (verified)
09:33:01.552 > Inbound: NEWKEYS
09:33:01.753 > Verifying signature ...
09:33:01.965 > Signature verification failed: Error: error:06000080:public key routines:OPENSSL_internal:UNSUPPORTED_ALGORITHM
    at verifyOneShot (internal/crypto/sig.js:219:10)
    at OpenSSH_Public.verify (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\protocol\keyParser.js:405:18)
    at DHExchange.finish (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\protocol\kex.js:669:40)
    at DHExchange.parse (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\protocol\kex.js:1220:25)
    at Protocol.onKEXPayload (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\protocol\kex.js:1764:20)
    at NullDecipher.decrypt (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\protocol\crypto.js:617:26)
    at Protocol.parsePacket [as _parse] (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\protocol\Protocol.js:1938:25)
    at Protocol.parse (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\protocol\Protocol.js:287:16)
    at Socket.<anonymous> (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\client.js:645:15)
    at Socket.emit (events.js:315:20)
09:33:02.145 > Outbound: Sending DISCONNECT (3)
09:33:04.825 > Socket ended
09:33:05.059 > Socket closed

mscdex commented on June 30, 2024

What does console.log(process.versions) show?

johndc7 commented on June 30, 2024

{
  node: '12.18.3',
  v8: '8.7.220.31-electron.0',
  uv: '1.38.0',
  zlib: '1.2.11',
  brotli: '1.0.7',
  ares: '1.16.0',
  modules: '85',
  nghttp2: '1.41.0',
  napi: '6',
  llhttp: '2.0.4',
  http_parser: '2.9.3',
  openssl: '1.1.1',
  icu: '67.1',
  unicode: '13.0',
  electron: '11.2.3',
  chrome: '87.0.4280.141'
}

mscdex commented on June 30, 2024

Can you try with plain node v12.18.3? I believe Electron uses their own SSL library (BoringSSL I believe) which causes issues sometimes. It could be that the host's public key size is too small and is thus not supported by the SSL library for security reasons.

mscdex commented on June 30, 2024

Additionally, it could be that BoringSSL flat out doesn't support DSA host keys any longer.

johndc7 commented on June 30, 2024

It's interesting that using electron changes the node version. I knew I was using something newer than v12.18.3...

{
  node: '14.15.4',
  v8: '8.4.371.19-node.17',
  uv: '1.40.0',
  zlib: '1.2.11',
  brotli: '1.0.9',
  ares: '1.16.1',
  modules: '83',
  nghttp2: '1.41.0',
  napi: '7',
  llhttp: '2.1.3',
  openssl: '1.1.1i',
  cldr: '37.0',
  icu: '67.1',
  tz: '2020a',
  unicode: '13.0'
}

Here are the logs:

Custom crypto binding not available
Client: Trying ecportal.dhl-usa.com on port 22 ...
Local ident: 'SSH-2.0-ssh2js1.0.0-beta.0'
Socket connected
Remote ident: 'SSH-2.0-IBM Sterling Connect:Enterprise for UNIX2.5.0'
Outbound: Sending KEXINIT
Inbound: Handshake in progress
Handshake: (local) KEX method: diffie-hellman-group1-sha1
Handshake: (remote) KEX method: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
Handshake: KEX algorithm: diffie-hellman-group1-sha1
Handshake: (local) Host key format: ssh-dss
Handshake: (remote) Host key format: ssh-dss
Handshake: Host key format: ssh-dss
Handshake: (local) C->S cipher: 3des-cbc,aes256-cbc,aes192-cbc,aes128-cbc,arcfour,blowfish-cbc,cast128-cbc
Handshake: (remote) C->S cipher: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
Handshake: C->S Cipher: 3des-cbc
Handshake: (local) S->C cipher: 3des-cbc,aes256-cbc,aes192-cbc,aes128-cbc,arcfour,blowfish-cbc,cast128-cbc
Handshake: (remote) S->C cipher: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
Handshake: S->C cipher: 3des-cbc
Handshake: (local) C->S MAC: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha2-256-96,hmac-sha2-512-96,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
Handshake: (remote) C->S MAC: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
Handshake: C->S MAC: hmac-sha1
Handshake: (local) S->C MAC: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha2-256-96,hmac-sha2-512-96,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
Handshake: (remote) S->C MAC: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
Handshake: S->C MAC: hmac-sha1
Handshake: (local) C->S compression: none,zlib@openssh.com,zlib
Handshake: (remote) C->S compression: none,zlib
Handshake: C->S compression: none
Handshake: (local) S->C compression: none,zlib@openssh.com,zlib
Handshake: (remote) S->C compression: none,zlib
Handshake: S->C compression: none
Outbound: Sending KEXDH_INIT
Host accepted by default (no verification)
Host accepted (verified)
Inbound: NEWKEYS
Verifying signature ...
Signature verification failed
Outbound: Sending DISCONNECT (3)
events.js:292
      throw er; // Unhandled 'error' event
      ^

Error: Handshake failed: signature verification failed
    at makeError (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\protocol\utils.js:142:15)
    at doFatalError (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\protocol\utils.js:184:13)
    at DHExchange.finish (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\protocol\kex.js:680:18)
    at DHExchange.parse (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\protocol\kex.js:1220:25)
    at Protocol.onKEXPayload (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\protocol\kex.js:1764:20)
    at NullDecipher.decrypt (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\protocol\crypto.js:617:26)
    at Protocol.parsePacket [as _parse] (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\protocol\Protocol.js:1938:25)
    at Protocol.parse (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\protocol\Protocol.js:287:16)
    at Socket.<anonymous> (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\client.js:645:15)
    at Socket.emit (events.js:315:20)
Emitted 'error' event on Client instance at:
    at Socket.<anonymous> (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\client.js:647:14)
    at Socket.emit (events.js:315:20)
    at addChunk (internal/streams/readable.js:309:12)
    at readableAddChunk (internal/streams/readable.js:284:9)
    at Socket.Readable.push (internal/streams/readable.js:223:10)
    at TCP.onStreamRead (internal/stream_base_commons.js:188:23) {
  level: 'handshake',
  fatal: true
}

johndc7 commented on June 30, 2024

Any thoughts on this?

mscdex commented on June 30, 2024

I haven't found the cause yet. The signature seems to be valid and accepted by OpenSSL, it's just that the signature fails to be verified for some reason.

mscdex commented on June 30, 2024

Can you verify that everything works with ssh2 v0.8.x instead of the master branch? I suspect there is some regression after the rewrite.

mscdex commented on June 30, 2024

I've found the bug in ssh2 master, working on a fix....

mscdex commented on June 30, 2024

Ok, the fix should be in ssh2's master branch now. Let me know if it works for you.

johndc7 commented on June 30, 2024

It seems like it works now. Thanks for your help.

johndc7 commented on June 30, 2024

I might have spoken too soon. It doesn't work in electron but I don't think this is an ssh2 problem. As you said:

Additionally, it could be that BoringSSL flat out doesn't support DSA host keys any longer.

This is the error I get:
Signature verification failed: Error: error:06000080:public key routines:OPENSSL_internal:UNSUPPORTED_ALGORITHM

Any ideas?

mscdex commented on June 30, 2024

I can't really help there, as it's beyond the scope of this project. Curiously though, as far as I can tell BoringSSL does still contain support for both DSA and SHA1, so I'm not quite sure why Electron doesn't support it unless they are explicitly disabling specific legacy algorithms in one way or another.
