Hello,
After upgrading a few old EX switches from 12.3R12-S12 to 12.3R12-S14 I found that I could no longer log in using SSH.
When the login attempt is made, the switch logs:
sshd[1521]: fatal: ssh_dispatch_run_fatal: Connection to <client ip address>: unexpected internal error [preauth]
The reason appears to be the cipher used.
The SSH server in JunOS 12.3R12-S12 advertises support for the following ciphers:
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
While 12.3R12-S14 advertises:
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
Note the addition of aes128-gcm@openssh.com and aes256-gcm@openssh.com. These are advertised by 12.3R12-S13.1 as well.
The Fedora OpenSSH client will use aes256-gcm@openssh.com by default when supported by the server, and this fails with the above error message. So does aes128-gcm@openssh.com.
Explicitly selecting another cipher works, e.g.:
ssh -o Ciphers=chacha20-poly1305@openssh.com <switch>
Didn't find any KB article about this issue, so I thought I'd post here in case any Juniper employee would like to report it internally, as I'm guessing others will run into the same issue eventually. (My old switches are long out of support, so I can't open a JTAC case.)
Tore
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
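As an added illustration (not part of Tore's post and not Juniper or OpenSSH code), the script below models why the upgrade changes the outcome: SSH picks the first cipher in the client's proposal that the server also lists (RFC 4253, section 7.1). It parses the two `debug2: ciphers ctos:` lines quoted in the post, and it goes slightly beyond the post by modelling the OpenSSH `Ciphers` option forms (an explicit list, `-pattern` to remove from the default, `+list` to append, `^list` to prepend) so the two workarounds can be compared. The client preference order is a constructed assumption, chosen so that aes256-gcm@openssh.com is preferred when offered, as the post says the Fedora client does.

```python
"""Model SSH cipher negotiation against the two JunOS server proposals."""
import fnmatch
from typing import Optional

# Server proposals quoted verbatim from the post ("ssh -vv" debug2 output).
S12_LINE = ("debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,"
            "arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,"
            "aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se")
S14_LINE = ("debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,"
            "aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,"
            "arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,"
            "aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se")

# Constructed client proposal (assumption, not taken from the post): an
# OpenSSH client whose policy prefers aes256-gcm@openssh.com when offered.
CLIENT_DEFAULT = [
    "aes256-gcm@openssh.com",
    "chacha20-poly1305@openssh.com",
    "aes256-ctr",
    "aes128-gcm@openssh.com",
    "aes128-ctr",
]


def parse_proposal(line: str) -> list[str]:
    """Extract the comma-separated name-list from a 'debug2: ciphers ctos:' line."""
    marker = "ciphers ctos:"
    idx = line.find(marker)
    if idx < 0:
        raise ValueError("not a 'ciphers ctos:' debug line")
    names = line[idx + len(marker):].strip()
    return [n for n in names.split(",") if n]


def negotiate(client: list[str], server: list[str]) -> Optional[str]:
    """RFC 4253 s7.1: the first client entry that the server also proposes wins.
    Returns None when there is no common cipher (the connection would fail)."""
    offered = set(server)
    for cipher in client:
        if cipher in offered:
            return cipher
    return None


def apply_ciphers_option(default: list[str], option: str) -> list[str]:
    """Model the OpenSSH 'Ciphers' option applied to the client's default list:
    '-pat,...' removes matching entries, '+list' appends, '^list' prepends,
    and a bare list replaces the default entirely."""
    if option.startswith("-"):
        patterns = option[1:].split(",")
        return [c for c in default
                if not any(fnmatch.fnmatchcase(c, p) for p in patterns)]
    if option.startswith("+"):
        extra = [c for c in option[1:].split(",") if c not in default]
        return default + extra
    if option.startswith("^"):
        head = option[1:].split(",")
        return head + [c for c in default if c not in head]
    return option.split(",")


if __name__ == "__main__":
    s12, s14 = parse_proposal(S12_LINE), parse_proposal(S14_LINE)
    for label, client in [
        ("client default", CLIENT_DEFAULT),
        ("Ciphers=chacha20-poly1305@openssh.com",
         apply_ciphers_option(CLIENT_DEFAULT, "chacha20-poly1305@openssh.com")),
        ("Ciphers=-aes*-gcm@openssh.com",
         apply_ciphers_option(CLIENT_DEFAULT, "-aes*-gcm@openssh.com")),
    ]:
        print(f"{label:40s} S12 -> {negotiate(client, s12)}  "
              f"S14 -> {negotiate(client, s14)}")
```

Running it shows the default client landing on aes256-ctr against 12.3R12-S12 but on aes256-gcm@openssh.com against 12.3R12-S14, which is exactly the cipher the post reports as failing. It also shows a difference between the two workarounds: pinning `Ciphers=chacha20-poly1305@openssh.com` works against S14 but leaves no common cipher with S12, whereas removing only the GCM entries (`Ciphers=-aes*-gcm@openssh.com`) still negotiates with both releases, which matters if the same client config has to reach switches on mixed firmware.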