Archived Forum Post

Index of archived forum posts

Question:

sftp fails after connect with DSS signature verification failure

Nov 14 '15 at 14:39

I want to test the sftp component from Chilkat so i downloaded the chilkatPerl.ppd component for actve state perl today.
Trying the sample from Chilkat fails immediately after the connect.
It returns with DSS signature verification failure.
Can you point me to the right track about whats wrong?

d:\projects\sftp>perl sftp-sample.pl
ChilkatLog:
Connect_SFtp:
DllDate: Oct 30 2015
ChilkatVersion: 9.5.0.54
UnlockPrefix: Anything for 30-day trial
Username: KK-HOME:kk
Architecture: Little Endian; 64-bit
Language: Windows Perl
VerboseLogging: 0
SftpVersion: 0
hostname: 192.168.2.19
port: 22
sshConnect:
  Established TCP/IP connection with SSH server
  clientIdentifier: SSH-2.0-PuTTY_Release_0.63
  Sending client identifier...
  Done sending client identifier.
  Reading server version...
  initialDataFromSshServer: SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2

  serverVersion: SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
  KeyExchangeAlgs:
    algorithm: ecdh-sha2-nistp256
    algorithm: ecdh-sha2-nistp384
    algorithm: ecdh-sha2-nistp521
    algorithm: diffie-hellman-group-exchange-sha256
    algorithm: diffie-hellman-group-exchange-sha1
    algorithm: diffie-hellman-group14-sha1
    algorithm: diffie-hellman-group1-sha1
  --KeyExchangeAlgs
  HostKeyAlgs:
    algorithm: ssh-rsa
    algorithm: ssh-dss
    algorithm: ecdsa-sha2-nistp256
  --HostKeyAlgs
  EncCS:
    algorithm: aes128-ctr
    algorithm: aes192-ctr
    algorithm: aes256-ctr
    algorithm: arcfour256
    algorithm: arcfour128
    algorithm: aes128-cbc
    algorithm: 3des-cbc
    algorithm: blowfish-cbc
    algorithm: cast128-cbc
    algorithm: aes192-cbc
    algorithm: aes256-cbc
    algorithm: arcfour
    algorithm: rijndael-cbc@lysator.liu.se
  --EncCS
  EncSC:
    algorithm: aes128-ctr
    algorithm: aes192-ctr
    algorithm: aes256-ctr
    algorithm: arcfour256
    algorithm: arcfour128
    algorithm: aes128-cbc
    algorithm: 3des-cbc
    algorithm: blowfish-cbc
    algorithm: cast128-cbc
    algorithm: aes192-cbc
    algorithm: aes256-cbc
    algorithm: arcfour
    algorithm: rijndael-cbc@lysator.liu.se
  --EncSC
  MacCS:
    algorithm: hmac-md5
    algorithm: hmac-sha1
    algorithm: umac-64@openssh.com
    algorithm: hmac-sha2-256
    algorithm: hmac-sha2-256-96
    algorithm: hmac-sha2-512
    algorithm: hmac-sha2-512-96
    algorithm: hmac-ripemd160
    algorithm: hmac-ripemd160@openssh.com
    algorithm: hmac-sha1-96
    algorithm: hmac-md5-96
  --MacCS
  MacSC:
    algorithm: hmac-md5
    algorithm: hmac-sha1
    algorithm: umac-64@openssh.com
    algorithm: hmac-sha2-256
    algorithm: hmac-sha2-256-96
    algorithm: hmac-sha2-512
    algorithm: hmac-sha2-512-96
    algorithm: hmac-ripemd160
    algorithm: hmac-ripemd160@openssh.com
    algorithm: hmac-sha1-96
    algorithm: hmac-md5-96
  --MacSC
  CompCS:
    algorithm: none
    algorithm: zlib@openssh.com
  --CompCS
  CompSC:
    algorithm: none
    algorithm: zlib@openssh.com
  --CompSC
  ChosenIncomingEncryption: aes256-ctr
  ChosenOutgoingEncryptoin: aes256-ctr
  ChosenIncomingMac: hmac-sha2-256
  ChosenOutgoingMac: hmac-sha2-256
  ChosenIncomingCompression: zlib@openssh.com
  ChosenOutgoingCompression: zlib@openssh.com
  ChosenKexAlgorithm: diffie-hellman-group-exchange-sha256
  ChosenHostKeyAlgorithm: ssh-dss
  Received GEX Group.
  Using SHA256 for Key Exchange Hash
  DSS host key parsed successfully.
  dsaSigValid: 0
  dss_key: 0000 0007 7373 682D 6473 7300 0000 8100

F581 F25E 10EB 281B 53D8 5A05 DDE6 0508 8F17 6D74 DD53 6985 CB43 34BC A93D 964F D3AE 53E1 9FEC 031C 6E1F 04B9 2ABD 6807 1072 4FF9 D351 FCA5 63C7 179A 07B4 C08E 3E93 A407 D995 3A47 1E86 D69C A4E8 F15B 0ED9 A5F2 48B2 1410 3230 F50B F7FB 031E 58ED A1EE E65B 34CF C1AD 806F F2F4 B919 7C0E 6BC9 2718 466F 135D E927 2C08 49DD 0000 0015 00E9 446B 47F2 D087 12B3 5058 BB0F 1D60 7533 C11D 5D00 0000 8100 9F14 D4E3 A5E1 CE8A F884 3EA8 201B 9516 14C3 133A FC42 E5D2 6A7F 5319 9EAD B700 41C6 57E2 35CF 502B 3D66 0469 5BA8 7ABE 9A15 CB47 01A3 0ECF DC7B 55BF 195A 468F A135 7541 0293 092C 7B6C 98F1 10B0 735D 5BB4 7AC8 2548 86CB 3B99 C0E5 6597 7813 BC13 E9B5 B4A5 7E4E 6FBA 3D39 07A3 C4CF B93E 5340 ADE1 AD90 3AB7 A27D 46EE A0FE 0000 0080 50A5 C1C5 CA99 57E5 E779 AFEE 11C9 0D5F 430A 7760 CE4D 16F2 4491 88D1 C6C3 351D 101D D770 FF70 2B59 D9F7 3D9B B135 8019 F231 AE3C 5B85 A196 3482 2CCA 4E56 6E88 16B8 C4CF CC65 D4BD 94EF 235F B015 1579 94F4 6152 EC9D 6C26 73B6 8EE3 9013 39BE 06DD 2408 F6D5 E729 AB11 2C4E 253C BD44 AB11 1675 6A3A 041F A5E4 6112 C831 2BF0 sigH: 0000 0007 7373 682D 6473 7300 0000 2828 540C E71C ADD2 5E65 B8EE D6CC 0F53 DF0A 49A9 C09E 7CD0 69D2 105A DFD4 FF7D D8E0 6520 6304 666B BD exchangeHash: D6B4 EF47 D541 A12C 2D15 0A93 EDDA 1617 689F 93B8 D6A0 E88E 67AA 8547 1AB2 4012

  DSS signature verification failure. (1)
--sshConnect
Failed.

--Connect_SFtp --ChilkatLog


Accepted Answer

The new builds are available here: http://www.chilkatsoft.com/perl.asp (or you can re-install using ppm) If using ppm, make sure to remove the existing package first before re-installing.

Please let me know if you see any problems.


Answer

This was caused by a bug in the version of the MinGW gcc compiler used for Perl ( http://sourceforge.net/projects/perlmingw/files/Compiler%20for%2064%20bit%20Windows/ )

The problem has to do with the intrinsic _lrotl and _lrotr functions, which are used in the SHA1 computations on Win32 builds. These intrinsic functions are not used internally by Chilkat for non-Windows operating systems. The internal fix is to avoid using _lrotl/_lrotr and instead use #define's for the bit rotation operations.

Here are more details about the bug:
http://sourceforge.net/p/mingw-w64/mailman/message/32652852/

I'll post here when a new build has been uploaded.


Answer

I just downloaded the build 9.5.0.54. It works!
Many thanks for your efforts, i'm surprised for getting a bugfix over the weekend, that's great!
I'll go and get a commercial license for the company i work for.


Answer

That's very strange..

Try setting the sftp.HostKeyAlg = "RSA" (see http://www.chilkatsoft.com/refdoc/perlCkSFtpDoc.html#prop15 )

I'll try to reproduce the problem, but I suspect I won't be able to..


Answer

I did and tried RSA but this fails either with RSA signature verification failure. Please see the output below.

Interesting, I tried the ActiveX component and used the VB sample from Chilkat. This one works no problem!

I tried different SSH Server, all the same problem. Think it is easy to reproduce just use an recent Linux/Debian SSH Server.

d:\projects\>perl ssh-origsample-rsa.pl
ChilkatLog:
Connect_SFtp:
DllDate: Oct 30 2015
ChilkatVersion: 9.5.0.54
UnlockPrefix: Anything for 30-day trial
Username: KK-HOME:kk
Architecture: Little Endian; 64-bit
Language: Windows Perl
VerboseLogging: 0
SftpVersion: 0
hostname: mailtower.de
port: 22
sshConnect:
  Established TCP/IP connection with SSH server
  clientIdentifier: SSH-2.0-PuTTY_Release_0.63
  Sending client identifier...
  Done sending client identifier.
  Reading server version...
  initialDataFromSshServer: SSH-2.0-OpenSSH_6.7p1 Debian-5

  serverVersion: SSH-2.0-OpenSSH_6.7p1 Debian-5
  KeyExchangeAlgs:
    algorithm: curve25519-sha256@libssh.org
    algorithm: ecdh-sha2-nistp256
    algorithm: ecdh-sha2-nistp384
    algorithm: ecdh-sha2-nistp521
    algorithm: diffie-hellman-group-exchange-sha256
    algorithm: diffie-hellman-group14-sha1
  --KeyExchangeAlgs
  HostKeyAlgs:
    algorithm: ssh-rsa
    algorithm: ssh-dss
    algorithm: ecdsa-sha2-nistp256
    algorithm: ssh-ed25519
  --HostKeyAlgs
  EncCS:
    algorithm: aes128-ctr
    algorithm: aes192-ctr
    algorithm: aes256-ctr
    algorithm: aes128-gcm@openssh.com
    algorithm: aes256-gcm@openssh.com
    algorithm: chacha20-poly1305@openssh.com
  --EncCS
  EncSC:
    algorithm: aes128-ctr
    algorithm: aes192-ctr
    algorithm: aes256-ctr
    algorithm: aes128-gcm@openssh.com
    algorithm: aes256-gcm@openssh.com
    algorithm: chacha20-poly1305@openssh.com
  --EncSC
  MacCS:
    algorithm: umac-64-etm@openssh.com
    algorithm: umac-128-etm@openssh.com
    algorithm: hmac-sha2-256-etm@openssh.com
    algorithm: hmac-sha2-512-etm@openssh.com
    algorithm: hmac-sha1-etm@openssh.com
    algorithm: umac-64@openssh.com
    algorithm: umac-128@openssh.com
    algorithm: hmac-sha2-256
    algorithm: hmac-sha2-512
    algorithm: hmac-sha1
  --MacCS
  MacSC:
    algorithm: umac-64-etm@openssh.com
    algorithm: umac-128-etm@openssh.com
    algorithm: hmac-sha2-256-etm@openssh.com
    algorithm: hmac-sha2-512-etm@openssh.com
    algorithm: hmac-sha1-etm@openssh.com
    algorithm: umac-64@openssh.com
    algorithm: umac-128@openssh.com
    algorithm: hmac-sha2-256
    algorithm: hmac-sha2-512
    algorithm: hmac-sha1
  --MacSC
  CompCS:
    algorithm: none
    algorithm: zlib@openssh.com
  --CompCS
  CompSC:
    algorithm: none
    algorithm: zlib@openssh.com
  --CompSC
  ChosenIncomingEncryption: aes256-ctr
  ChosenOutgoingEncryptoin: aes256-ctr
  ChosenIncomingMac: hmac-sha2-256
  ChosenOutgoingMac: hmac-sha2-256
  ChosenIncomingCompression: zlib@openssh.com
  ChosenOutgoingCompression: zlib@openssh.com
  ChosenKexAlgorithm: diffie-hellman-group-exchange-sha256
  ChosenHostKeyAlgorithm: ssh-rsa
  Received GEX Group.
  Using SHA256 for Key Exchange Hash
  RSA host key parsed successfully.
  verifyHashSsh:
    Hashes do not match.
    hashLen: 20
    signatureXml: <sequence><sequence><oid>1.3.14.3.2.26</oid><null /></sequence><octets>TcWsKT6mdPUHFEtPmaWJLMXnoBo=</octets></sequence>
    HashAlgorithmOid: 1.3.14.3.2.26
  --verifyHashSsh
  HostKeyFailCode: 4
  RSA signature verification failure.
--sshConnect
Failed.

--Connect_SFtp --ChilkatLog


Answer

Thanks, I'll give it a test with ActiveState Perl on Windows. Assuming you're using Perl 5.20 or 5.22, then it means the native Perl module is compiled with MinGW (gcc 4.6.3). I wonder if it's some sort of compiler issue? If I can reproduce the problem, I'll see if compiling with lower optimization makes a difference..


Answer

I reproduced the error.. I'll rebuild and re-test...


Answer

I have download 9.5.0.54 Win32 and Win64 versions of the Perl modules and the test.pl is reporting 9.5.0.53 for both. Is there an issue with the packages?


Answer

Use the ppm install method and now showing 9.5.0.54. Note some install issues:

C:Tempchilkat-9.5.0-perl-5.22-x86-mingw32>ppm install http://www.chilkatsoft.c om/download/chilkatPerl.ppd Installing package 'http://www.chilkatsoft.com/download/chilkatPerl.ppd'... Bytes transferred: 6086585 Use of chdir('') or chdir(undef) as chdir() is deprecated at C:/Perl/perl/vendor /lib/PPM.pm line 393. Installing C:Perlperlsitelibchilkat.dll

C:Tempchilkat-9.5.0-perl-5.22-x86-mingw32>perl test.pl Version: 9.5.0.54