Signature verification failed

[johndc7]

I am unable to connect to a server because of an error "signature verification failed". Maybe there should be an option to disable the signature verification or override it? When commenting out the verification check in \lib\ssh.js everything works fine.

if (hostPubKey.verify(outstate.exchangeHash, rawsig) !== true) {
    debug('DEBUG: Signature verification failed');
    self.disconnect(DISCONNECT_REASON.KEY_EXCHANGE_FAILED);
    self.reset();
    var err = new Error('Handshake failed: signature verification failed');
    err.level = 'handshake';
    self.emit('error', err);
    return false;
  }

I have looked through the documentation and have not found an option to disable this check anywhere. It does also not seem that this is something that I can fix (the proper way) since I do not have control of the server.

[mscdex]

Be aware that by disabling this check you are making yourself vulnerable to MITM attacks.

[johndc7]

I am aware of this. Unfortunately, it seems my options are disable the check or it doesn't work at all.

Maybe it would be helpful to have an option to disable this and include a warning in the logs?

[mscdex]

I'd much rather try to solve the problem if possible rather than encourage bypassing a security check.

[johndc7]

Sure. That's the best solution.

I can send you testing credentials for the server I'm having issues with if you like.

[mscdex]

Can you test with the master branch of ssh2 to see if the issue is still present there?

[johndc7]

I tested with the master branch of ssh2 and I have the same problem. I did notice some errors when running npm install but I figured I would test anyways since it said it was an optional dependency.

C:\Users\John\Desktop\ssh2-test\ssh2>npm install

> cpu-features@0.0.2 install C:\Users\John\Desktop\ssh2-test\ssh2\node_modules\cpu-features
> node-gyp rebuild

C:\Users\John\Desktop\ssh2-test\ssh2\node_modules\cpu-features>if not defined npm_config_node_gyp (node "C:\Program Files\nodejs\node_modules\npm\node_modules\npm-lifecycle\node-gyp-bin\\..\..\node_modules\node-gyp\bin\node-gyp.js" rebuild )  else (node "C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\bin\node-gyp.js" rebuild )
Building the projects in this solution one at a time. To enable parallel build, please add the "/m" switch.
  Configuring dependencies
  -- Building for: Visual Studio 14 2015
  -- Selecting Windows SDK version  to target Windows 10.0.18363.
  -- The C compiler identification is MSVC 19.0.24210.0
  -- Detecting C compiler ABI info
  -- Detecting C compiler ABI info - done
  -- Check for working C compiler: C:/Program Files (x86)/Microsoft Visual Studio 14.0/VC/bin/x86_amd64/cl.exe - skippe
  d
  -- Detecting C compile features
  -- Detecting C compile features - done
  -- Configuring done
  -- Generating done
  -- Build files have been written to: C:/Users/John/Desktop/ssh2-test/ssh2/node_modules/cpu-features/deps/cpu_features
  /build
  Building dependencies
  Microsoft (R) Build Engine version 14.0.25420.1
  Copyright (C) Microsoft Corporation. All rights reserved.

    Checking Build System
    Building Custom Rule C:/Users/John/Desktop/ssh2-test/ssh2/node_modules/cpu-features/deps/cpu_features/CMakeLists.tx
  t
    filesystem.c
    stack_line_reader.c
    string_view.c
    Generating Code...
    utils.vcxproj -> C:\Users\John\Desktop\ssh2-test\ssh2\node_modules\cpu-features\deps\cpu_features\build\utils.dir\R
  elease\utils.lib
    Building Custom Rule C:/Users/John/Desktop/ssh2-test/ssh2/node_modules/cpu-features/deps/cpu_features/CMakeLists.tx
  t
    cpuinfo_x86.c
    cpu_features.vcxproj -> C:\Users\John\Desktop\ssh2-test\ssh2\node_modules\cpu-features\deps\cpu_features\build\Rele
  ase\cpu_features.lib
    Building Custom Rule C:/Users/John/Desktop/ssh2-test/ssh2/node_modules/cpu-features/deps/cpu_features/CMakeLists.tx
  t
    list_cpu_features.c
c:\users\john\desktop\ssh2-test\ssh2\node_modules\cpu-features\deps\cpu_features\src\utils\list_cpu_features.c(343): wa
rning C4715: 'GetCacheTypeString': not all control paths return a value [C:\Users\John\Desktop\ssh2-test\ssh2\node_modu
les\cpu-features\deps\cpu_features\build\list_cpu_features.vcxproj] [C:\Users\John\Desktop\ssh2-test\ssh2\node_modules\
cpu-features\build\build_deps.vcxproj]
    list_cpu_features.vcxproj -> C:\Users\John\Desktop\ssh2-test\ssh2\node_modules\cpu-features\deps\cpu_features\build
  \Release\list_cpu_features.exe
    Building Custom Rule C:/Users/John/Desktop/ssh2-test/ssh2/node_modules/cpu-features/deps/cpu_features/CMakeLists.tx
  t
  binding.cc
  win_delay_load_hook.cc
     Creating library C:\Users\John\Desktop\ssh2-test\ssh2\node_modules\cpu-features\build\Release\cpufeatures.lib and
  object C:\Users\John\Desktop\ssh2-test\ssh2\node_modules\cpu-features\build\Release\cpufeatures.exp
LINK : warning LNK4098: defaultlib 'MSVCRT' conflicts with use of other libs; use /NODEFAULTLIB:library [C:\Users\John\
Desktop\ssh2-test\ssh2\node_modules\cpu-features\build\cpufeatures.vcxproj]
  cpufeatures.vcxproj -> C:\Users\John\Desktop\ssh2-test\ssh2\node_modules\cpu-features\build\Release\\cpufeatures.node
  cpufeatures.vcxproj -> C:\Users\John\Desktop\ssh2-test\ssh2\node_modules\cpu-features\build\Release\cpufeatures.pdb (
  Full PDB)

> ssh2@1.0.0-beta.0 install C:\Users\John\Desktop\ssh2-test\ssh2
> node install.js

C:\Users\John\Desktop\ssh2-test\ssh2\lib\protocol\crypto>if not defined npm_config_node_gyp (node "C:\Program Files\nodejs\node_modules\npm\node_modules\npm-lifecycle\node-gyp-bin\\..\..\node_modules\node-gyp\bin\node-gyp.js" --target=v14.15.4 rebuild )  else (node "C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\bin\node-gyp.js" --target=v14.15.4 rebuild )
Building the projects in this solution one at a time. To enable parallel build, please add the "/m" switch.
  binding.cc
  win_delay_load_hook.cc
..\src\binding.cc(1718): error C2131: expression did not evaluate to a constant [C:\Users\John\Desktop\ssh2-test\ssh2\l
ib\protocol\crypto\build\sshcrypto.vcxproj]
  ..\src\binding.cc(1718): note: failure was caused by non-constant arguments or reference to a non-constant symbol
  ..\src\binding.cc(1718): note: see usage of 'this'
gyp ERR! build error
gyp ERR! stack Error: `C:\Program Files (x86)\MSBuild\14.0\bin\MSBuild.exe` failed with exit code: 1
gyp ERR! stack     at ChildProcess.onExit (C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\lib\build.js:194:23)
gyp ERR! stack     at ChildProcess.emit (events.js:315:20)
gyp ERR! stack     at Process.ChildProcess._handle.onexit (internal/child_process.js:277:12)
gyp ERR! System Windows_NT 10.0.18363
gyp ERR! command "C:\\Program Files\\nodejs\\node.exe" "C:\\Program Files\\nodejs\\node_modules\\npm\\node_modules\\node-gyp\\bin\\node-gyp.js" "--target=v14.15.4" "rebuild"
gyp ERR! cwd C:\Users\John\Desktop\ssh2-test\ssh2\lib\protocol\crypto
gyp ERR! node -v v14.15.4
gyp ERR! node-gyp -v v5.1.0
gyp ERR! not ok
Failed to build optional crypto binding
npm WARN ssh2@1.0.0-beta.0 No license field.

added 1 package from 1 contributor and audited 7 packages in 22.723s
found 0 vulnerabilities

[mscdex]

Can you set debug: console.log in the connection config object with the master branch of ssh2 and post the resulting output?

[johndc7]

Sure.

09:32:53.345 > Custom crypto binding not available
09:32:53.576 > Client: Trying ecportal.dhl-usa.com on port 22 ...
09:32:55.133 > Local ident: 'SSH-2.0-ssh2js1.0.0-beta.0'
09:32:55.832 > Socket connected
09:32:56.063 > Remote ident: 'SSH-2.0-IBM Sterling Connect:Enterprise for UNIX2.5.0'
09:32:56.219 > Outbound: Sending KEXINIT
09:32:56.332 > Inbound: Handshake in progress
09:32:56.439 > Handshake: (local) KEX method: diffie-hellman-group1-sha1
09:32:56.538 > Handshake: (remote) KEX method: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
09:32:56.652 > Handshake: KEX algorithm: diffie-hellman-group1-sha1
09:32:56.753 > Handshake: (local) Host key format: ssh-dss
09:32:56.855 > Handshake: (remote) Host key format: ssh-dss
09:32:56.958 > Handshake: Host key format: ssh-dss
09:32:57.042 > Handshake: (local) C->S cipher: 3des-cbc,aes256-cbc,aes192-cbc,aes128-cbc,arcfour,blowfish-cbc,cast128-cbc
09:32:57.136 > Handshake: (remote) C->S cipher: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
09:32:57.248 > Handshake: C->S Cipher: 3des-cbc
09:32:57.455 > Handshake: (local) S->C cipher: 3des-cbc,aes256-cbc,aes192-cbc,aes128-cbc,arcfour,blowfish-cbc,cast128-cbc
09:32:57.659 > Handshake: (remote) S->C cipher: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
09:32:57.835 > Handshake: S->C cipher: 3des-cbc
09:32:58.037 > Handshake: (local) C->S MAC: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha2-256-96,hmac-sha2-512-96,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
09:32:58.216 > Handshake: (remote) C->S MAC: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
09:32:58.418 > Handshake: C->S MAC: hmac-sha1
09:32:58.590 > Handshake: (local) S->C MAC: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha2-256-96,hmac-sha2-512-96,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
09:32:58.824 > Handshake: (remote) S->C MAC: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
09:32:59.031 > Handshake: S->C MAC: hmac-sha1
09:32:59.213 > Handshake: (local) C->S compression: none,zlib@openssh.com,zlib
09:32:59.424 > Handshake: (remote) C->S compression: none,zlib
09:32:59.624 > Handshake: C->S compression: none
09:32:59.774 > Handshake: (local) S->C compression: none,zlib@openssh.com,zlib
09:32:59.991 > Handshake: (remote) S->C compression: none,zlib
09:33:00.204 > Handshake: S->C compression: none
09:33:00.407 > Outbound: Sending KEXDH_INIT
09:33:01.267 > Host accepted by default (no verification)
09:33:01.406 > Host accepted (verified)
09:33:01.552 > Inbound: NEWKEYS
09:33:01.753 > Verifying signature ...
09:33:01.965 > Signature verification failed: Error: error:06000080:public key routines:OPENSSL_internal:UNSUPPORTED_ALGORITHM
    at verifyOneShot (internal/crypto/sig.js:219:10)
    at OpenSSH_Public.verify (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\protocol\keyParser.js:405:18)
    at DHExchange.finish (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\protocol\kex.js:669:40)
    at DHExchange.parse (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\protocol\kex.js:1220:25)
    at Protocol.onKEXPayload (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\protocol\kex.js:1764:20)
    at NullDecipher.decrypt (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\protocol\crypto.js:617:26)
    at Protocol.parsePacket [as _parse] (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\protocol\Protocol.js:1938:25)
    at Protocol.parse (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\protocol\Protocol.js:287:16)
    at Socket.<anonymous> (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\client.js:645:15)
    at Socket.emit (events.js:315:20)
09:33:02.145 > Outbound: Sending DISCONNECT (3)
09:33:04.825 > Socket ended
09:33:05.059 > Socket closed

[mscdex]

What does console.log(process.versions) show?

[johndc7]

{
  node: '12.18.3',
  v8: '8.7.220.31-electron.0',
  uv: '1.38.0',
  zlib: '1.2.11',
  brotli: '1.0.7',
  ares: '1.16.0',
  modules: '85',
  nghttp2: '1.41.0',
  napi: '6',
  llhttp: '2.0.4',
  http_parser: '2.9.3',
  openssl: '1.1.1',
  icu: '67.1',
  unicode: '13.0',
  electron: '11.2.3',
  chrome: '87.0.4280.141'
}

[mscdex]

Can you try with plain node v12.18.3? I believe Electron uses their own SSL library (BoringSSL I believe) which causes issues sometimes. It could be that host's public key size is too small and is thus not supported by the SSL library for security reasons.

[mscdex]

Additionally, it could be that BoringSSL flat out doesn't support DSA host keys any longer.

[johndc7]

It interesting that using electron changes the node version. I knew I was using something newer than v12.18.3...

{
  node: '14.15.4',
  v8: '8.4.371.19-node.17',
  uv: '1.40.0',
  zlib: '1.2.11',
  brotli: '1.0.9',
  ares: '1.16.1',
  modules: '83',
  nghttp2: '1.41.0',
  napi: '7',
  llhttp: '2.1.3',
  openssl: '1.1.1i',
  cldr: '37.0',
  icu: '67.1',
  tz: '2020a',
  unicode: '13.0'
}

Here are the logs:

Custom crypto binding not available
Client: Trying ecportal.dhl-usa.com on port 22 ...
Local ident: 'SSH-2.0-ssh2js1.0.0-beta.0'
Socket connected
Remote ident: 'SSH-2.0-IBM Sterling Connect:Enterprise for UNIX2.5.0'
Outbound: Sending KEXINIT
Inbound: Handshake in progress
Handshake: (local) KEX method: diffie-hellman-group1-sha1
Handshake: (remote) KEX method: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
Handshake: KEX algorithm: diffie-hellman-group1-sha1
Handshake: (local) Host key format: ssh-dss
Handshake: (remote) Host key format: ssh-dss
Handshake: Host key format: ssh-dss
Handshake: (local) C->S cipher: 3des-cbc,aes256-cbc,aes192-cbc,aes128-cbc,arcfour,blowfish-cbc,cast128-cbc
Handshake: (remote) C->S cipher: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
Handshake: C->S Cipher: 3des-cbc
Handshake: (local) S->C cipher: 3des-cbc,aes256-cbc,aes192-cbc,aes128-cbc,arcfour,blowfish-cbc,cast128-cbc
Handshake: (remote) S->C cipher: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
Handshake: S->C cipher: 3des-cbc
Handshake: (local) C->S MAC: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha2-256-96,hmac-sha2-512-96,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
Handshake: (remote) C->S MAC: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
Handshake: C->S MAC: hmac-sha1
Handshake: (local) S->C MAC: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha2-256-96,hmac-sha2-512-96,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
Handshake: (remote) S->C MAC: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
Handshake: S->C MAC: hmac-sha1
Handshake: (local) C->S compression: none,zlib@openssh.com,zlib
Handshake: (remote) C->S compression: none,zlib
Handshake: C->S compression: none
Handshake: (local) S->C compression: none,zlib@openssh.com,zlib
Handshake: (remote) S->C compression: none,zlib
Handshake: S->C compression: none
Outbound: Sending KEXDH_INIT
Host accepted by default (no verification)
Host accepted (verified)
Inbound: NEWKEYS
Verifying signature ...
Signature verification failed
Outbound: Sending DISCONNECT (3)
events.js:292
      throw er; // Unhandled 'error' event
      ^

Error: Handshake failed: signature verification failed
    at makeError (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\protocol\utils.js:142:15)
    at doFatalError (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\protocol\utils.js:184:13)
    at DHExchange.finish (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\protocol\kex.js:680:18)
    at DHExchange.parse (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\protocol\kex.js:1220:25)
    at Protocol.onKEXPayload (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\protocol\kex.js:1764:20)
    at NullDecipher.decrypt (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\protocol\crypto.js:617:26)
    at Protocol.parsePacket [as _parse] (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\protocol\Protocol.js:1938:25)
    at Protocol.parse (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\protocol\Protocol.js:287:16)
    at Socket.<anonymous> (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\client.js:645:15)
    at Socket.emit (events.js:315:20)
Emitted 'error' event on Client instance at:
    at Socket.<anonymous> (C:\Users\John\Desktop\shipment-import\node_modules\ssh2\lib\client.js:647:14)
    at Socket.emit (events.js:315:20)
    at addChunk (internal/streams/readable.js:309:12)
    at readableAddChunk (internal/streams/readable.js:284:9)
    at Socket.Readable.push (internal/streams/readable.js:223:10)
    at TCP.onStreamRead (internal/stream_base_commons.js:188:23) {
  level: 'handshake',
  fatal: true
}

[johndc7]

Any thoughts on this?

[mscdex]

I haven't found the cause yet. The signature seems to be valid and accepted by OpenSSL, it's just that the signature fails to be verified for some reason.

[mscdex]

Can you verify that everything works with ssh2 v0.8.x instead of the master branch? I suspect there is some regression after the rewrite.

[mscdex]

I've found the bug in ssh2 master, working on a fix....

[mscdex]

Ok, the fix should be in ssh2's master branch now. Let me know if it works for you.

[johndc7]

It seems like it works now. Thanks for your help.

[johndc7]

I might have spoke too soon. It doesn't work in electron but I don't think this is an ssh2 problem. As you said:

Additionally, it could be that BoringSSL flat out doesn't support DSA host keys any longer.

This is the error I get: Signature verification failed: Error: error:06000080:public key routines:OPENSSL_internal:UNSUPPORTED_ALGORITHM

Any ideas?

[mscdex]

I can't really help there, as it's beyond the scope of this project. Curiously though, as far as I can tell BoringSSL does still contain support for both DSA and SHA1, so I'm not quite sure why Electron doesn't support it unless they are explicitly disabling specific legacy algorithms in one way or another.