Troubleshooting Secure Shell Connections

If you are having trouble making a Secure Shell connection, the cause may be that Reflection cannot locate your host, or that there is a problem with either host authentication or user authentication.

Using log files

If your connection problem is with host authentication, you may find useful information in the Reflection client log file.

If your problem is with user authentication, you may need to contact the administrator of the Secure Shell server. User authentication problems are common, and complete information about failed user authentication is available only in the server debug log, not in the client log. By design, the Secure Shell protocol does not provide specific information to clients about failed authentication attempts. This is done so that an attacker cannot use error messages to determine why an authentication failed and thus narrow in on a successful attack.

Troubleshooting suggestions

Password authentication

  • Incorrect password. Check that Caps Lock is not enabled.
  • Expired password. You may need to use Keyboard Interactive authentication instead of Password authentication to enable password updates.
  • If no password prompt is displayed, password authentication may be disabled.

Public Key authentication

  • User's public key has not been uploaded to the correct location on the host.
  • User's public key has been uploaded to the correct location but has incorrect ownership or file permissions.
  • Key is passphrase protected and you have entered an incorrect passphrase.
  • The wrong key is selected for authentication on the User Keys tab of the Secure Shell Settings dialog box.
  • Too many public keys are selected, especially if you are attempting connections to servers running older versions of OpenSSH.
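
The ownership and permission problem above can be checked on the host with a short script. This is an added example, not part of the Reflection documentation. It assumes the host runs OpenSSH with StrictModes enabled and keeps keys in the default ~/.ssh/authorized_keys file; the script name and user name in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example, not from the Reflection documentation. Assumes the host runs
# OpenSSH with StrictModes enabled and the default ~/.ssh/authorized_keys path.

# check_one PATH UID: report PATH if sshd would consider it unsafe.
check_one() {
    path=$1 want_uid=$2
    [ -e "$path" ] || { echo "MISSING  $path"; return 1; }
    # ls -ldn prints the mode string in field 1 and the numeric owner in field 3.
    set -- $(ls -ldn "$path")
    mode=$1 owner=$3 rc=0
    # The owner must be the connecting user or root.
    if [ "$owner" != "$want_uid" ] && [ "$owner" != 0 ]; then
        echo "OWNER    $path is owned by uid $owner, expected $want_uid or 0"
        rc=1
    fi
    # Character 6 of the mode is group write, character 9 is world write.
    case $mode in
        ?????w*|????????w*)
            echo "WRITABLE $path ($mode) is group- or world-writable"
            rc=1 ;;
    esac
    return $rc
}

# check_key_paths HOME UID [KEYFILE]: returns 0 only if every path is safe.
check_key_paths() {
    home=$1 user_uid=$2 keyfile=${3:-$1/.ssh/authorized_keys}
    result=0
    for p in "$home" "$(dirname "$keyfile")" "$keyfile"; do
        check_one "$p" "$user_uid" || result=1
    done
    return $result
}

# Hypothetical usage on the host: sh check_keys.sh /home/alice "$(id -u alice)"
if [ "$#" -ge 2 ]; then
    check_key_paths "$@"
fi
```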

Certificate authentication

  • The certificate used to authenticate the host is not available. Check the Reflection trusted root store and the Microsoft trusted root and intermediate stores. (If use of the Microsoft store has been disabled, certificates must be in the Reflection store.)
  • The certificate used to authenticate the user is not available. Check the Reflection personal store and the Microsoft personal store.
  • The certificate used to authenticate either the host or user has expired.
  • The "Certificate host name must match host being contacted" setting is enabled and the host name you have specified for this connection does not exactly match the host name in the certificate.
  • Certificate revocation checking is enabled and the Certificate Revocation List is not available.
  • Certificate revocation checking is enabled and the host certificate has been revoked.

Key exchange

  • The following error occurs during key exchange: "fatal: dh_gen_key: group too small: 1024 (2*need 1024)". Modify the key exchange algorithms to put diffie-hellman-group14-sha1 ahead of the other algorithms.

Related Topics

Enabling and Disabling Use of the Windows Certificate Store