Mailing List Archive

aes-gcm SSH ciphers broken in JunOS >=12.3R12-S13.1
Hello,

After upgrading a few old EX switches from 12.3R12-S12 to 12.3R12-S14 I found that I could no longer log in using SSH.

When the login attempt is made, the switch logs:

sshd[1521]: fatal: ssh_dispatch_run_fatal: Connection to <client ip address>: unexpected internal error [preauth]

The reason appears to be the cipher used.

The SSH server in JunOS 12.3R12-S12 advertises support for the following ciphers:

debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se

While 12.3R12-S14 advertises:

debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se

Note the addition of aes128-gcm@openssh.com and aes256-gcm@openssh.com. These are advertised by 12.3R12-S13.1 as well.

The Fedora OpenSSH client will use aes256-gcm@openssh.com by default when supported by the server, and this fails with the above error message. So does aes128-gcm@openssh.com.

Explicitly selecting another cipher works, e.g.:

ssh -o Ciphers=chacha20-poly1305@openssh.com <switch>

Didn't find any KB article about this issue, so I thought I'd post here in case any Juniper employee would like to report it internally, as I'm guessing others will run into the same issue eventually. (My old switches are long out of support, so I can't open a JTAC case.)

Tore
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [EXT] aes-gcm SSH ciphers broken in JunOS >=12.3R12-S13.1 [ In reply to ]
I ran into this as well and found the workaround, but hadn't yet gotten around to analyzing the exact situation as thoroughly as you have. I'll open a case and see what they say. Thanks.

On Wed, Jan 15, 2020 at 02:03:22PM +0100, Tore Anderson wrote:
> Note the addition of aes128-gcm@openssh.com and aes256-gcm@openssh.com. These are advertised by 12.3R12-S13.1 as well.
>
> The Fedora OpenSSH client will use aes256-gcm@openssh.com by default when supported by the server, and this fails with the above error message. So does aes128-gcm@openssh.com.
>
> Explicitly selecting another cipher works, e.g.:
>
> ssh -o Ciphers=chacha20-poly1305@openssh.com <switch>
>
> Didn't find any KB article about this issue, so I thought I'd post here in case any Juniper employee would like to report it internally, as I'm guessing others will run into the same issue eventually. (My old switches are long out of support, so I can't open a JTAC case.)
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp