[
https://issues.apache.org/jira/browse/GUACAMOLE-1315?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17309613#comment-17309613
]
Mike Jumper commented on GUACAMOLE-1315:
----------------------------------------
Are you able to enable verbose logging on the SSH server in question? That
might reveal what is failing within the SSH handshake.

It might be possible to get some additional error details from the libssh2
library through minor changes to Guacamole's SSH support, though I doubt it is
possible to get information approaching the sheer verbosity of OpenSSH. The
complexity of SSH logged there is largely abstracted away by libssh2.
> SSH Handshake failed in verbose logging
> ---------------------------------------
>
> Key: GUACAMOLE-1315
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-1315
> Project: Guacamole
> Issue Type: Bug
> Components: guacd, guacd-docker
> Affects Versions: 1.3.0
> Environment: Docker version 19.03.12, build 48a66213fe on Ubuntu
> 20.04.2 LTS 5.4.0-67-generic #75-Ubuntu SMP Fri Feb 19 18:03:38 UTC 2021
> Reporter: Adyanth H
> Priority: Major
>
> I am trying to connect to an appliance (Cisco FirePower Management Center)
> using guacd but getting the below error in the logs:
> {code:java}
> guacd_1 | guacd[6]: INFO: Creating new client for protocol "ssh"
> guacd_1 | guacd[6]: INFO: Connection ID is
> "$5cb571ab-7aeb-41ce-a927-c1c7372e1cf1"
> guacd_1 | guacd[19]: DEBUG: Processing instruction: size
> guacd_1 | guacd[19]: DEBUG: Processing instruction: audio
> guacd_1 | guacd[19]: DEBUG: Processing instruction: video
> guacd_1 | guacd[19]: DEBUG: Processing instruction: image
> guacd_1 | guacd[19]: DEBUG: Processing instruction: timezone
> guacd_1 | guacd[19]: DEBUG: Parameter "font-name" omitted. Using default
> value of "monospace".
> guacd_1 | guacd[19]: DEBUG: Parameter "font-size" omitted. Using default
> value of 12.
> guacd_1 | guacd[19]: DEBUG: Parameter "color-scheme" omitted. Using default
> value of "".
> guacd_1 | guacd[19]: DEBUG: Parameter "enable-sftp" omitted. Using default
> value of 0.
> guacd_1 | guacd[19]: DEBUG: Parameter "sftp-root-directory" omitted. Using
> default value of "/".
> guacd_1 | guacd[19]: DEBUG: Parameter "sftp-disable-download" omitted. Using
> default value of 0.
> guacd_1 | guacd[19]: DEBUG: Parameter "sftp-disable-upload" omitted. Using
> default value of 0.
> guacd_1 | guacd[19]: DEBUG: Parameter "port" omitted. Using default value of
> "22".
> guacd_1 | guacd[19]: DEBUG: Parameter "read-only" omitted. Using default
> value of 0.
> guacd_1 | guacd[19]: DEBUG: Parameter "typescript-name" omitted. Using
> default value of "typescript".
> guacd_1 | guacd[19]: DEBUG: Parameter "create-typescript-path" omitted.
> Using default value of 0.
> guacd_1 | guacd[19]: DEBUG: Parameter "recording-name" omitted. Using
> default value of "recording".
> guacd_1 | guacd[19]: DEBUG: Parameter "recording-exclude-output" omitted.
> Using default value of 0.
> guacd_1 | guacd[19]: DEBUG: Parameter "recording-exclude-mouse" omitted.
> Using default value of 0.
> guacd_1 | guacd[19]: DEBUG: Parameter "recording-include-keys" omitted.
> Using default value of 0.
> guacd_1 | guacd[19]: DEBUG: Parameter "create-recording-path" omitted. Using
> default value of 0.
> guacd_1 | guacd[19]: DEBUG: Parameter "server-alive-interval" omitted. Using
> default value of 0.
> guacd_1 | guacd[19]: DEBUG: Parameter "backspace" omitted. Using default
> value of 127.
> guacd_1 | guacd[19]: DEBUG: Parameter "terminal-type" omitted. Using default
> value of "linux".
> guacd_1 | guacd[19]: DEBUG: Parameter "timezone" omitted. Using default
> value of "Asia/Calcutta".
> guacd_1 | guacd[19]: DEBUG: Parameter "disable-copy" omitted. Using default
> value of 0.
> guacd_1 | guacd[19]: DEBUG: Parameter "disable-paste" omitted. Using default
> value of 0.
> guacd_1 | guacd[19]: DEBUG: Parameter "wol-send-packet" omitted. Using
> default value of 0.
> guacd_1 | guacd[19]: INFO: User "@62181b81-346d-4cfb-b185-b402c228485e"
> joined connection "$5cb571ab-7aeb-41ce-a927-c1c7372e1cf1" (1 users now
> present)
> guacd_1 | guacd[19]: DEBUG: Client is using protocol version "VERSION_1_3_0"
> guacd_1 | guacd[19]: DEBUG: Successfully connected to host 10.106.107.228,
> port 22
> guacd_1 | guacd[19]: ERROR: SSH handshake failed.
> guacd_1 | guacd[19]: INFO: User "@62181b81-346d-4cfb-b185-b402c228485e"
> disconnected (0 users remain)
> guacd_1 | guacd[19]: INFO: Last user of connection
> "$5cb571ab-7aeb-41ce-a927-c1c7372e1cf1" disconnected
> guacd_1 | guacd[19]: DEBUG: Requesting termination of client...
> guacd_1 | guacd[19]: DEBUG: Client terminated successfully.
> guacd_1 | guacd[6]: INFO: Connection "$5cb571ab-7aeb-41ce-a927-c1c7372e1cf1"
> removed.
> {code}
>
> Guacd version:
> {code:java}
> adyanth@ubuntu-server:~/rd-gateway$ docker image ls | grep guacd
> guacamole/guacd latest
> 20e0b499517f 2 months ago 270MB
> adyanth@ubuntu-server:~/rd-gateway$
> {code}
> Here is the sshd_config from the server:
> {code}
> admin@fmc:~$ grep '^[^#]' /etc/ssh/sshd_config
> Ciphers
> [email protected],[email protected],aes256-ctr,aes128-ctr,aes192-ctr
> MACs
> hmac-sha2-256,hmac-sha2-512,[email protected],[email protected]
> KexAlgorithms
> [email protected],ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256
> LoginGraceTime 60
> PermitRootLogin no
> UsePAM yes
> X11Forwarding no
> PermitUserEnvironment no
> GatewayPorts no
> PermitTunnel no
> MaxSessions 1
> StrictModes yes
> Compression delayed
> Banner /etc/issue
> Subsystem sftp /usr/libexec/sftp-server
> AllowTcpForwarding no
> UseDNS yes
> MaxAuthTries 3
> {code}
> {code}
> admin@fmc:~$ grep admin /etc/passwd
> admin:x:100:100::/Volume/home/admin:/usr/bin/clish
> {code}
>
> To the same server from the docker host with verbose ssh logging:
> {code:java}
> adyanth@ubuntu-server:~/rd-gateway$ ssh [email protected] -vvvv
> OpenSSH_8.2p1 Ubuntu-4ubuntu0.2, OpenSSL 1.1.1f 31 Mar 2020
> debug1: Reading configuration data /home/adyanth/.ssh/config
> debug3: kex names ok: [diffie-hellman-group1-sha1]
> debug3: kex names ok: [diffie-hellman-group1-sha1]
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf
> matched no files
> debug1: /etc/ssh/ssh_config line 21: Applying options for *
> debug2: resolve_canonicalize: hostname 10.106.107.228 is address
> debug2: ssh_connect_direct
> debug1: Connecting to 10.106.107.228 [10.106.107.228] port 22.
> debug1: Connection established.
> debug1: identity file /home/adyanth/.ssh/id_rsa type 0
> debug1: identity file /home/adyanth/.ssh/id_rsa-cert type -1
> debug1: identity file /home/adyanth/.ssh/id_dsa type -1
> debug1: identity file /home/adyanth/.ssh/id_dsa-cert type -1
> debug1: identity file /home/adyanth/.ssh/id_ecdsa type -1
> debug1: identity file /home/adyanth/.ssh/id_ecdsa-cert type -1
> debug1: identity file /home/adyanth/.ssh/id_ecdsa_sk type -1
> debug1: identity file /home/adyanth/.ssh/id_ecdsa_sk-cert type -1
> debug1: identity file /home/adyanth/.ssh/id_ed25519 type -1
> debug1: identity file /home/adyanth/.ssh/id_ed25519-cert type -1
> debug1: identity file /home/adyanth/.ssh/id_ed25519_sk type -1
> debug1: identity file /home/adyanth/.ssh/id_ed25519_sk-cert type -1
> debug1: identity file /home/adyanth/.ssh/id_xmss type -1
> debug1: identity file /home/adyanth/.ssh/id_xmss-cert type -1
> debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.2
> debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6
> PKIX[11.0]
> debug1: match: OpenSSH_7.6 PKIX[11.0] pat
> OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7*
> compat 0x04000002
> debug2: fd 3 setting O_NONBLOCK
> debug1: Authenticating to 10.106.107.228:22 as 'admin'
> debug3: hostkeys_foreach: reading file "/home/adyanth/.ssh/known_hosts"
> debug3: record_hostkey: found key type ECDSA in file
> /home/adyanth/.ssh/known_hosts:12
> debug3: load_hostkeys: loaded 1 keys from 10.106.107.228
> debug3: order_hostkeyalgs: prefer hostkeyalgs:
> [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
> debug3: send packet: type 20
> debug1: SSH2_MSG_KEXINIT sent
> debug3: receive packet: type 20
> debug1: SSH2_MSG_KEXINIT received
> debug2: local client KEXINIT proposal
> debug2: KEX algorithms:
> curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
> debug2: host key algorithms:
> [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,[email protected],rsa-sha2-512,rsa-sha2-256,ssh-rsa
> debug2: ciphers ctos:
> [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
> debug2: ciphers stoc:
> [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
> debug2: MACs ctos:
> [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
> debug2: MACs stoc:
> [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
> debug2: compression ctos: none,[email protected],zlib
> debug2: compression stoc: none,[email protected],zlib
> debug2: languages ctos:
> debug2: languages stoc:
> debug2: first_kex_follows 0
> debug2: reserved 0
> debug2: peer server KEXINIT proposal
> debug2: KEX algorithms:
> [email protected],ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256
> debug2: host key algorithms:
> ssh-rsa,rsa-sha2-256,rsa-sha2-512,ecdsa-sha2-nistp256,ssh-ed25519
> debug2: ciphers ctos:
> [email protected],[email protected],aes256-ctr,aes128-ctr,aes192-ctr
> debug2: ciphers stoc:
> [email protected],[email protected],aes256-ctr,aes128-ctr,aes192-ctr
> debug2: MACs ctos:
> hmac-sha2-256,hmac-sha2-512,[email protected],[email protected]
> debug2: MACs stoc:
> hmac-sha2-256,hmac-sha2-512,[email protected],[email protected]
> debug2: compression ctos: none,[email protected]
> debug2: compression stoc: none,[email protected]
> debug2: languages ctos:
> debug2: languages stoc:
> debug2: first_kex_follows 0
> debug2: reserved 0
> debug1: kex: algorithm: [email protected]
> debug1: kex: host key algorithm: ecdsa-sha2-nistp256
> debug1: kex: server->client cipher: aes128-ctr MAC:
> [email protected] compression: none
> debug1: kex: client->server cipher: aes128-ctr MAC:
> [email protected] compression: none
> debug3: send packet: type 30
> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
> debug3: receive packet: type 31
> debug1: Server host key: ecdsa-sha2-nistp256
> SHA256:GcsfTKMXDuEEdk3gC5twdz9Ncwt7sJtWKYPl/7bkT+0
> debug3: hostkeys_foreach: reading file "/home/adyanth/.ssh/known_hosts"
> debug3: record_hostkey: found key type ECDSA in file
> /home/adyanth/.ssh/known_hosts:12
> debug3: load_hostkeys: loaded 1 keys from 10.106.107.228
> debug1: Host '10.106.107.228' is known and matches the ECDSA host key.
> debug1: Found key in /home/adyanth/.ssh/known_hosts:12
> debug3: send packet: type 21
> debug2: set_newkeys: mode 1
> debug1: rekey out after 4294967296 blocks
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug3: receive packet: type 21
> debug1: SSH2_MSG_NEWKEYS received
> debug2: set_newkeys: mode 0
> debug1: rekey in after 4294967296 blocks
> debug1: Will attempt key: /home/adyanth/.ssh/id_rsa RSA
> SHA256:K57sMyb6omTQ5pHD8XG03vzaQwMeOrMueJe03KhtBUA
> debug1: Will attempt key: /home/adyanth/.ssh/id_dsa
> debug1: Will attempt key: /home/adyanth/.ssh/id_ecdsa
> debug1: Will attempt key: /home/adyanth/.ssh/id_ecdsa_sk
> debug1: Will attempt key: /home/adyanth/.ssh/id_ed25519
> debug1: Will attempt key: /home/adyanth/.ssh/id_ed25519_sk
> debug1: Will attempt key: /home/adyanth/.ssh/id_xmss
> debug2: pubkey_prepare: done
> debug3: send packet: type 5
> debug3: receive packet: type 6
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug3: send packet: type 50
> debug3: receive packet: type 51
> debug1: Authentications that can continue:
> publickey,password,keyboard-interactive
> debug3: start over, passed a different list
> publickey,password,keyboard-interactive
> debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_is_enabled publickey
> debug1: Next authentication method: publickey
> debug1: Offering public key: /home/adyanth/.ssh/id_rsa RSA
> SHA256:K57sMyb6omTQ5pHD8XG03vzaQwMeOrMueJe03KhtBUA
> debug3: send packet: type 50
> debug2: we sent a publickey packet, wait for reply
> debug3: receive packet: type 51
> debug1: Authentications that can continue:
> publickey,password,keyboard-interactive
> debug1: Trying private key: /home/adyanth/.ssh/id_dsa
> debug3: no such identity: /home/adyanth/.ssh/id_dsa: No such file or directory
> debug1: Trying private key: /home/adyanth/.ssh/id_ecdsa
> debug3: no such identity: /home/adyanth/.ssh/id_ecdsa: No such file or
> directory
> debug1: Trying private key: /home/adyanth/.ssh/id_ecdsa_sk
> debug3: no such identity: /home/adyanth/.ssh/id_ecdsa_sk: No such file or
> directory
> debug1: Trying private key: /home/adyanth/.ssh/id_ed25519
> debug3: no such identity: /home/adyanth/.ssh/id_ed25519: No such file or
> directory
> debug1: Trying private key: /home/adyanth/.ssh/id_ed25519_sk
> debug3: no such identity: /home/adyanth/.ssh/id_ed25519_sk: No such file or
> directory
> debug1: Trying private key: /home/adyanth/.ssh/id_xmss
> debug3: no such identity: /home/adyanth/.ssh/id_xmss: No such file or
> directory
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup keyboard-interactive
> debug3: remaining preferred: password
> debug3: authmethod_is_enabled keyboard-interactive
> debug1: Next authentication method: keyboard-interactive
> debug2: userauth_kbdint
> debug3: send packet: type 50
> debug2: we sent a keyboard-interactive packet, wait for reply
> debug3: receive packet: type 60
> debug2: input_userauth_info_req
> debug2: input_userauth_info_req: num_prompts 1
> Password:
> debug3: send packet: type 61
> debug3: receive packet: type 60
> debug2: input_userauth_info_req
> debug2: input_userauth_info_req: num_prompts 0
> debug3: send packet: type 61
> debug3: receive packet: type 52
> debug1: Authentication succeeded (keyboard-interactive).
> Authenticated to 10.106.107.228 ([10.106.107.228]:22).
> debug1: channel 0: new [client-session]
> debug3: ssh_session2_open: channel_new: 0
> debug2: channel 0: send open
> debug3: send packet: type 90
> debug1: Requesting [email protected]
> debug3: send packet: type 80
> debug1: Entering interactive session.
> debug1: pledge: exec
> debug3: receive packet: type 80
> debug1: client_input_global_request: rtype [email protected] want_reply > 0
> debug3: receive packet: type 91
> debug2: channel_input_open_confirmation: channel 0: callback start
> debug1: X11 forwarding requested but DISPLAY not set
> debug2: fd 3 setting TCP_NODELAY
> debug3: ssh_packet_set_tos: set IP_TOS 0x10
> debug2: client_session2_setup: id 0
> debug2: channel 0: request pty-req confirm 1
> debug3: send packet: type 98
> debug1: Sending environment.
> debug3: Ignored env SHELL
> debug3: Ignored env NVM_INC
> debug3: Ignored env PWD
> debug3: Ignored env LOGNAME
> debug3: Ignored env XDG_SESSION_TYPE
> debug3: Ignored env MOTD_SHOWN
> debug3: Ignored env HOME
> debug1: Sending env LANG = en_US.UTF-8
> debug2: channel 0: request env confirm 0
> debug3: send packet: type 98
> debug3: Ignored env LS_COLORS
> debug3: Ignored env AUTOSSH_PORT
> debug3: Ignored env SSH_CONNECTION
> debug3: Ignored env NVM_DIR
> debug3: Ignored env LESSCLOSE
> debug3: Ignored env XDG_SESSION_CLASS
> debug3: Ignored env TERM
> debug3: Ignored env LESSOPEN
> debug3: Ignored env USER
> debug3: Ignored env SHLVL
> debug3: Ignored env NVM_CD_FLAGS
> debug3: Ignored env XDG_SESSION_ID
> debug3: Ignored env XDG_RUNTIME_DIR
> debug3: Ignored env SSH_CLIENT
> debug3: Ignored env XDG_DATA_DIRS
> debug3: Ignored env PATH
> debug3: Ignored env DBUS_SESSION_BUS_ADDRESS
> debug3: Ignored env NVM_BIN
> debug3: Ignored env SSH_TTY
> debug3: Ignored env OLDPWD
> debug3: Ignored env _
> debug2: channel 0: request shell confirm 1
> debug3: send packet: type 98
> debug2: channel_input_open_confirmation: channel 0: callback done
> debug2: channel 0: open confirm rwindow 0 rmax 32768
> debug3: receive packet: type 99
> debug2: channel_input_status_confirm: type 99 id 0
> debug2: PTY allocation request accepted on channel 0
> debug2: channel 0: rcvd adjust 2097152
> debug3: receive packet: type 99
> debug2: channel_input_status_confirm: type 99 id 0
> debug2: shell request accepted on channel 0
> Last login: Fri Mar 26 12:48:28 2021 from ubuntu-server.adyah.ciscoCopyright
> 2004-2020, Cisco and/or its affiliates. All rights reserved.
> Cisco is a registered trademark of Cisco Systems, Inc.
> All other trademarks are property of their respective owners.Cisco Fire Linux
> OS v6.6.1 (build 14)
> Cisco Firepower Management Center for VMWare v6.6.1 (build 91)> exit
> debug3: receive packet: type 98
> debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
> debug3: receive packet: type 98
> debug1: client_input_channel_req: channel 0 rtype [email protected] reply 0
> debug2: channel 0: rcvd eow
> debug2: channel 0: chan_shutdown_read (i0 o0 sock -1 wfd 4 efd 6 [write])
> debug2: channel 0: input open -> closed
> debug3: receive packet: type 96
> debug2: channel 0: rcvd eof
> debug2: channel 0: output open -> drain
> debug2: channel 0: obuf empty
> debug2: channel 0: chan_shutdown_write (i3 o1 sock -1 wfd 5 efd 6 [write])
> debug2: channel 0: output drain -> closed
> debug3: receive packet: type 97
> debug2: channel 0: rcvd close
> debug3: channel 0: will not send data after close
> debug2: channel 0: almost dead
> debug2: channel 0: gc: notify user
> debug2: channel 0: gc: user detached
> debug2: channel 0: send close
> debug3: send packet: type 97
> debug2: channel 0: is dead
> debug2: channel 0: garbage collecting
> debug1: channel 0: free: client-session, nchannels 1
> debug3: channel 0: status: The following connections are open:
> #0 client-session (t4 r0 i3/0 o3/0 e[write]/0 fd -1/-1/6 sock -1 cc
> -1)debug3: send packet: type 1
> debug3: fd 1 is not O_NONBLOCK
> Connection to 10.106.107.228 closed.
> Transferred: sent 3056, received 2824 bytes, in 3.3 seconds
> Bytes per second: sent 930.8, received 860.1
> debug1: Exit status 0
> adyanth@ubuntu-server:~/rd-gateway$
> {code}
> Please let me know what else would be needed to troubleshoot since I am at a
> loss seeing just one ERROR level message when something is failing.
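
An added example, not part of the original thread and not Guacamole or libssh2 code: it parses the KEXINIT proposals from `ssh -vv` output like the log above (including e-mail quoting and wrapped values) and applies the RFC 4253 first-client-match rule to list the algorithm categories a given client cannot negotiate with the server. `SAMPLE_LOG` is constructed from the server lists shown above with the obfuscated names left out, and `HYPOTHETICAL_CLIENT` is an invented offer list, not libssh2's actual defaults and not a diagnosis of this issue.

```python
import re
# Name-list labels exactly as `ssh -vv` prints them in each KEXINIT proposal.
FIELDS = ("KEX algorithms", "host key algorithms", "ciphers ctos", "ciphers stoc",
          "MACs ctos", "MACs stoc", "compression ctos", "compression stoc")
HEADERS = {"local client KEXINIT proposal": "client",
           "peer server KEXINIT proposal": "server"}

def parse_proposals(log_text):
    """Return {'client': {...}, 'server': {...}}, each mapping a label to its name-list."""
    proposals, side, field = {}, None, None
    for raw in log_text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()  # drop e-mail quote markers
        m = re.match(r"debug\d: (.*)$", line)
        if not m:
            # A value wrapped onto the next line by the mailer: rejoin it.
            if side and field:
                proposals[side][field] += [a for a in line.split(",") if a]
            continue
        body, field = m.group(1), None
        if body in HEADERS:
            side = HEADERS[body]
            proposals[side] = {}
        elif side and ":" in body:
            name, _, value = body.partition(":")
            if name in FIELDS:
                field = name
                proposals[side][field] = [a for a in value.strip().split(",") if a]
    return proposals

def negotiate(client, server):
    """RFC 4253 section 7.1: first name on the client's list that the server also lists."""
    # Simplified: the host-key compatibility checks RFC 4253 adds for KEX are not modelled.
    return {f: next((a for a in client.get(f, []) if a in server.get(f, [])), None)
            for f in FIELDS}

def failing_fields(client, server):
    # A MAC miss matters only when the negotiated cipher is not an AEAD mode.
    return [f for f, alg in negotiate(client, server).items() if alg is None]

# Constructed sample in the page's quoted, wrapped form (obfuscated names left out).
SAMPLE_LOG = """\
> debug2: peer server KEXINIT proposal
> debug2: KEX algorithms:
> ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256
> debug2: host key algorithms: ssh-rsa,rsa-sha2-256,rsa-sha2-512,ecdsa-sha2-nistp256
> debug2: ciphers ctos: aes256-ctr,aes128-ctr,aes192-ctr
> debug2: ciphers stoc: aes256-ctr,aes128-ctr,aes192-ctr
> debug2: MACs ctos: hmac-sha2-256,hmac-sha2-512
> debug2: MACs stoc: hmac-sha2-256,hmac-sha2-512
> debug2: compression ctos: none
> debug2: compression stoc: none
"""

# Hypothetical client offer (an assumption; NOT libssh2's or guacd's real defaults).
HYPOTHETICAL_CLIENT = dict(zip(FIELDS, (
    ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"], ["ssh-rsa"],
    ["aes128-ctr"], ["aes128-ctr"], ["hmac-sha1"], ["hmac-sha1"], ["none"], ["none"])))
if __name__ == "__main__":
    print(failing_fields(HYPOTHETICAL_CLIENT, parse_proposals(SAMPLE_LOG)["server"]))
```

To check a real client, replace `HYPOTHETICAL_CLIENT` with the name-lists that client actually offers; the server side can be taken from any `ssh -vv` capture against the same host.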