OpenSSH Error "Disconnecting: Hash's MIC didn't verify" after upgrading to Ubuntu 16.04

Bug #1558576 reported by Brian Knoll on 2016-03-17
This bug affects 1 person
Affects            Status         Importance   Assigned to   Milestone
openssh (Debian)   Fix Released
openssh (Ubuntu)

Bug Description

SSH was working fine for years, until I upgraded to Ubuntu 16.04. When I upgraded to Ubuntu 16.04, the openssh-server stopped accepting connections from Ubuntu 14.04 LTS clients, with the following error:

Disconnecting: Hash's MIC didn't verify

The error above shows up on the client side. In the server logs, I see the following:

Mar 17 10:01:49 falcon polkitd(authority=local): Unregistered Authentication Agent for unix-process:125110:294284 (system bus name :1.133, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Mar 17 10:02:06 falcon sshd[125126]: error: Received disconnect from MY.IP.ADDRESS.HERE port PORTNUMBER:2: Hash's MIC didn't verify [preauth]
Mar 17 10:02:06 falcon sshd[125126]: Disconnected from MY.IP.ADDRESS.HERE port PORTNUMBER [preauth]

I am using GSSAPI Key Exchange, and GSSAPI authentication. So I am not using public keys or passwords or anything like that; everything is entirely Kerberos 5. The problem, also, is only one-way. In other words, if I upgrade the server to Ubuntu 16.04, it stops accepting connections from 14.04 clients, but if I go the other direction and upgrade the client to Ubuntu 16.04, then it can still authenticate successfully to an Ubuntu 14.04 machine.

I am more than happy to help debug this, so please let me know what you suggest and I'll do whatever I can to help.


ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: openssh-server 1:7.2p2-1
ProcVersionSignature: Ubuntu 4.4.0-13.29-generic 4.4.5
Uname: Linux 4.4.0-13-generic x86_64
ApportVersion: 2.20-0ubuntu3
Architecture: amd64
Date: Thu Mar 17 10:02:45 2016
InstallationDate: Installed on 2015-05-04 (317 days ago)
InstallationMedia: Ubuntu-Server 14.04.2 LTS "Trusty Tahr" - Release amd64 (20150218.1)
 PATH=(custom, no user)
SourcePackage: openssh
UpgradeStatus: Upgraded to xenial on 2016-03-16 (0 days ago)

Brian Knoll (brianknoll) wrote :
Changed in openssh (Debian):
status: Unknown → New
Changed in openssh (Debian):
status: New → Fix Released
Brian Knoll (brianknoll) wrote :

Based on the upstream bug closure, it sounds like importing the fixed version from upstream (or at least the fix patch) is probably the solution here.

Colin Watson (cjwatson) wrote :

I intend to as soon as that's possible, yes (slowed down by the Debian archive publisher being broken at the moment).

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssh - 1:7.2p2-2

openssh (1:7.2p2-2) unstable; urgency=medium

  * Fix kexgss_server to cope with DH_GRP_MIN/DH_GRP_MAX being stricter on
    the server end than the client (thanks, Damien Miller; closes: #817870,
    LP: #1558576).

 -- Colin Watson <email address hidden> Mon, 21 Mar 2016 12:08:55 +0000

Changed in openssh (Ubuntu):
status: New → Fix Released
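
Why stricter server bounds can break this exchange, as an added illustration that is not code from OpenSSH or from this report: in GSS group exchange (RFC 4462, section 2.5) the client's min, n and max are inputs to the exchange hash H, and the MIC is computed over H. The sketch assumes the pre-fix server hashed its own clamped bounds instead of the values the client sent; the limits, session values and function names are all constructed.

```python
import hashlib
import struct

# Assumed server-side limits, stricter than the client's minimum (constructed values).
DH_GRP_MIN, DH_GRP_MAX = 2048, 8192

def u32(n):
    return struct.pack(">I", n)

def ssh_string(b):
    return u32(len(b)) + b

def mpint(n):
    # SSH mpint for a non-negative integer: big-endian, leading zero if high bit set.
    return ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big")) if n else u32(0)

# Constructed session values standing in for V_C, V_S, I_C, I_S, K_S and p, g, e, f, K.
STRINGS = [b"SSH-2.0-client", b"SSH-2.0-server", b"kexinit-c", b"kexinit-s", b""]
MPINTS = [0xFFFFFFFB, 2, 0x1234, 0x5678, 0x9ABC]

def exchange_hash(gmin, n, gmax):
    # RFC 4462 2.5: H = hash(V_C || V_S || I_C || I_S || K_S || min || n || max || p || g || e || f || K)
    data = b"".join(ssh_string(s) for s in STRINGS)
    data += u32(gmin) + u32(n) + u32(gmax)
    data += b"".join(mpint(m) for m in MPINTS)
    return hashlib.sha1(data).hexdigest()

def clamp(cmin, cmax):
    # Bounds the server will actually accept when choosing a group.
    return max(DH_GRP_MIN, cmin), min(DH_GRP_MAX, cmax)

def server_hash(cmin, n, cmax, hash_clamped):
    smin, smax = clamp(cmin, cmax)
    # hash_clamped=True models the assumed failure; False hashes what the client sent.
    return exchange_hash(smin, n, smax) if hash_clamped else exchange_hash(cmin, n, cmax)

def mic_would_verify(cmin, n, cmax, hash_clamped):
    # The client checks the server's MIC against its own H, built from the values it sent.
    return exchange_hash(cmin, n, cmax) == server_hash(cmin, n, cmax, hash_clamped)

if __name__ == "__main__":
    older = (1024, 2048, 8192)   # constructed request with min below DH_GRP_MIN
    newer = (2048, 3072, 8192)   # constructed request already within the limits
    for name, req in (("older", older), ("newer", newer)):
        print(name, "clamped-hash:", mic_would_verify(*req, True),
              "client-values-hash:", mic_would_verify(*req, False))
```

Only the request whose min falls below the server's limit produces diverging hashes, which matches the one-way failure described in the report.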