Ticket #36059

Can not login with SSH to ONE device

Open Date: 2016-02-25 17:06 Last Update: 2016-08-22 20:51

Reporter:
Owner: (None)
Status: Closed
Component:
Priority: 5 - Medium
Severity: 5 - Medium
Resolution: None
File: 1

Details

Hi

I have until now used v4.86 but have today installed v4.86 on my new PC. I have had the same problem with v4.86 as well. I can log on to all my firewalls, but not one. The error message I get is: "type mismatch for decoded server_hos_key_blob (Kex:ecdsa-sha2-nistp256 blob:ecdsa-sha2-nistp384) @ handle_SSH_dh_gex_reply"

My other Sonicwall firewalls are working fine. I have managed to connect to the "bad" firewall using another SSH program.

I also have contacted Sonicwall support and they think there must be a problem in the program.

What can I do to sort out if it is "Tera Term" causing the problem? Do you want a packet trace of the communication?

I am not sure if that should have been submitted as a Bug report - I thought it maybe is the best option to first conclude that the problem really is by Tera Term.

Have a nice day.

Thanks in advance

Ticket History (3/11 Histories)

2016-02-25 17:06 Updated by: farpet
  • New Ticket "Can not login with SSH to ONE device" created
2016-02-25 17:33 Updated by: (del#1144)
Comment

Hi,

Could you please let us know how Tera Term and the firewall negotiate?

Please set LogLevel=100 in TERATERM.INI and try to connect, then show us the log file "TTSSH.log".

2016-03-08 16:52 Updated by: farpet
Comment

Hi

I replied to your e-mail 25.02.2016 with the requested file, but it looks like it has not been added to this case. I will attach it here and hopefully you can find the reason for the problem.

Thanks in advance

2016-03-08 17:39 Updated by: (del#1144)
Comment

Thank you for your cooperation and log file.

Tera Term (TTSSH) does not seem to have a problem.

WORKAROUND:

Change the order of HostKey, move the ecdsa-sha2-nistp384 before the ecdsa-sha2-nistp256.

ecdsa-sha2-nistp384
ecdsa-sha2-nistp256
ecdsa-sha2-nistp521
...

Detail:

LOG shows

client proposal: server host key algorithm: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa,ssh-dss
server proposal: server host key algorithm: ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256

TTSSH parses the above proposals as 'ecdsa-sha2-nistp256'.

This behavior is correct. But the peer side (server side) parses them as 'ecdsa-sha2-nistp384'.

type mismatch for decoded server_host_key_blob (kex:ecdsa-sha2-nistp256 blob:ecdsa-sha2-nistp384) @ handle_SSH2_dh_gex_reply
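
The negotiation rule behind the comment above, as an added example (not Tera Term's code and not part of the ticket): RFC 4253 section 7.1 selects the first name on the client's list that the server also lists, and the client then compares that name with the type string at the start of the host key blob. The blob is constructed, every listed algorithm is assumed to be usable with the chosen key exchange, and the tail of the workaround order is assumed unchanged.

```python
import struct

# Proposals copied from the TTSSH log quoted in this ticket.
CLIENT = ("ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,"
          "ssh-ed25519,ssh-rsa,ssh-dss")
SERVER = "ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256"
# Workaround order; entries after the first three are assumed unchanged.
CLIENT_WORKAROUND = ("ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,"
                     "ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa,ssh-dss")


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


# Constructed host key blob: only the leading type string matters here,
# the key material after it is a placeholder.
SAMPLE_BLOB = ssh_string(b"ecdsa-sha2-nistp384") + ssh_string(b"placeholder")


def negotiate_host_key(client_list: str, server_list: str) -> str:
    """First algorithm on the client's list that the server also offers."""
    offered = set(server_list.split(","))
    for name in client_list.split(","):
        if name in offered:
            return name
    raise ValueError("no common server host key algorithm")


def blob_key_type(blob: bytes) -> str:
    """Read the key type name from the start of a host key blob."""
    if len(blob) < 4:
        raise ValueError("blob too short for a length field")
    (length,) = struct.unpack(">I", blob[:4])
    if length == 0 or length > len(blob) - 4:
        raise ValueError("key type length out of range")
    return blob[4:4 + length].decode("ascii")


def check_host_key(client_list: str, server_list: str, blob: bytes):
    """Return (negotiated type, blob type, whether they match)."""
    negotiated = negotiate_host_key(client_list, server_list)
    received = blob_key_type(blob)
    return negotiated, received, negotiated == received


if __name__ == "__main__":
    for label, order in (("default", CLIENT), ("workaround", CLIENT_WORKAROUND)):
        print(label, check_host_key(order, SERVER, SAMPLE_BLOB))
```
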
2016-03-08 19:59 Updated by: farpet
Comment

Hi and thanks for your fast reply.

Can you please tell me where I can do the workaround. - Change the order of HostKey. Where is the "ecdsa-sha2-nistp384 ...." stored?

2016-03-08 20:03 Updated by: (del#1144)
Comment

Menu Setup->SSH->HostKey order.

2016-03-08 20:05 Updated by: (del#1144)
Comment

To keep this config, please save setup from menu "Setup"->"Save setup"

2016-03-09 21:50 Updated by: farpet
Comment

Hi

Thanks for your answer and now it looks much better. Do you think this is a problem related to the firewall - that means - should I report that as an error to the firewall developer?

Another question: Is it possible to move all the config files either to the users directory %userprofile%\AppData\Local\Tereterm or to the ProgramData folder in c:\ProgramData\terraterm? As I am not running as local admin, I don't have (when logged in as me) permission to update ex. ssh_known_hosts?

Thanks a lot for helping.

2016-05-31 23:02 Updated by: (del#1144)
2016-08-22 20:51 Updated by: (del#1144)
  • Status Update from Open to Closed
  • Ticket Close date is changed to 2016-08-22 20:51
Comment

> Do you think this is a problem related to the firewall - that means - should I report that as an error to the firewall developer?

Yes.

> move all the config files either to the users directory

new ticket #36575

Attachment File List

  • TTSSH.LOG(4KB)
    • the requested file - TTSSH.LOG
