Mailing List Archive

MX204 update from 21.4R3-S4 to 21.4R3-S5
Anybody successfully updated MX204 from 21.4R3-S4 to 21.4R3-S5?
Got a few MX204 and trying to "request vmhost software add" fails
on each of them.

Anybody got a hint for me?

$ request vmhost software add /var/tmp/junos-vmhost-install-mx-x86-64-21.4R3-S5.4.tgz
Junos Validation begin. Procedure will take few minutes.
Checking if VirtFS can be used for image install ...
Required: 7654536554 bytes Available: 21476761600 bytes
Using VirtFS ...
{...}
Hardware Database regeneration succeeded
Validating against /config/juniper.conf.gz
mgd: commit complete
Validation succeeded
Validating against /config/rescue.conf.gz
mgd: commit complete
Validation succeeded
Verified junos-vmhost-install-mx-x86-64-21.4R3-S5.4 signed by PackageDevelopmentECP256_2023 method ECDSA256+SHA256
Copied the config and other data to the aux disk.
Transfer junos-host-upgrade.sh
lost connection
Transfer Done
Starting upgrade ...
sh: /junos/install/junos-host-upgrade.sh: No such file or directory
rm: cannot remove '/junos/install/junos-host-upgrade.sh': No such file or directory
... upgrade failed.
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: MX204 update from 21.4R3-S4 to 21.4R3-S5
Try below and do the upgrade again.

deactivate system services ssh ciphers

Regards,
Aamir

On Thu, Nov 9, 2023 at 12:28 PM Andreas S. Kerber via juniper-nsp <juniper-nsp@puck.nether.net> wrote:

> Anybody successfully updated MX204 from 21.4R3-S4 to 21.4R3-S5?
> Got a few MX204 and trying to "request vmhost software add" fails
> on each of them.
>
> Anybody got a hint for me?
>
> $ request vmhost software add
> /var/tmp/junos-vmhost-install-mx-x86-64-21.4R3-S5.4.tgz
> Junos Validation begin. Procedure will take few minutes.
> Checking if VirtFS can be used for image install ...
> Required: 7654536554 bytes Available: 21476761600 bytes
> Using VirtFS ...
> {...}
> Hardware Database regeneration succeeded
> Validating against /config/juniper.conf.gz
> mgd: commit complete
> Validation succeeded
> Validating against /config/rescue.conf.gz
> mgd: commit complete
> Validation succeeded
> Verified junos-vmhost-install-mx-x86-64-21.4R3-S5.4 signed by
> PackageDevelopmentECP256_2023 method ECDSA256+SHA256
> Copied the config and other data to the aux disk.
> Transfer junos-host-upgrade.sh
> lost connection
> Transfer Done
> Starting upgrade ...
> sh: /junos/install/junos-host-upgrade.sh: No such file or directory
> rm: cannot remove '/junos/install/junos-host-upgrade.sh': No such file or
> directory
> ... upgrade failed.
>

Re: MX204 update from 21.4R3-S4 to 21.4R3-S5
On Thu, Nov 09, 2023 at 12:43:18PM +0300, Muhammad Aamir wrote:
> Try below and do the upgrade again.
> deactivate system services ssh ciphers

Thanks Aamir!

We had an ancient ssh key-exchange statement configured.
After removing that, the installation worked fine. Thanks again!

Andreas

Re: MX204 update from 21.4R3-S4 to 21.4R3-S5
I believe if your cipher is set to one that Juniper no longer supports, i.e. that knob selection is deprecated, the upgrade will not complete. The change in cipher support is due to new vulnerability findings.

SSH Vulnerability, "Deprecated SSH Cryptographic Settings" with Vulnerability Result Type quoting the details of the category under which the alert is identified. For example, if a customer monitoring tool reports "Vulnerability Result Type Name key_exchange diffie-hellman-group14-sha1 host_key ssh-rsa MAC hmac-sha1-**** MAC hmac-sha1", this means the SRX is using deprecated SSH cryptographic settings to communicate.


Changes are needed under system service ssh to allow only strong ciphers, host key, MACs, algorithm.



Settings currently considered deprecated (might change later):

+Ciphers using CFB or OFB - Very uncommon, and deprecated because of weaknesses compared to newer cipher chaining modes such as CTR or GCM

+RC4 cipher (arcfour, arcfour128, arcfour256) - The RC4 cipher has a cryptographic bias and is no longer considered secure

+Ciphers with a 64-bit block size (DES, 3DES, Blowfish, IDEA, CAST) - Ciphers with a 64-bit block size may be vulnerable to birthday attacks (Sweet32)

+Key exchange algorithms using DH group 1 (diffie-hellman-group1-sha1, gss-group1-sha1-*) - DH group 1 uses a 1024-bit key which is considered too short and vulnerable to Logjam-style attacks

+Key exchange algorithm rsa1024sha1 - Very uncommon, and deprecated because of the short RSA key size

+MAC algorithm umac-32 - Very uncommon, and deprecated because of the very short MAC length


Just FYI. Rich

Richard McGovern
Sr Sales Engineer, Juniper Networks
978-618-3342

I’d rather be lucky than good, as I know I am not good
I don’t make the news, I just report it
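
A pre-upgrade audit for the deprecated categories listed in the message above, as an added example that is not part of the original thread or Juniper's own tooling. It reads `show configuration system services ssh | display set` output and skips statements that have been deactivated; the sample configuration is constructed, and the Junos-style algorithm spellings (e.g. `dh-group1-sha1`) are assumptions to check against the device's own CLI.

```python
import re

# Deprecated categories from the list above: (statement, value pattern, reason).
# Patterns accept OpenSSH names and Junos-style spellings (the latter assumed).
RULES = [
    ("ciphers", r"cfb|ofb", "CFB/OFB chaining mode"),
    ("ciphers", r"^arcfour(128|256)?$", "RC4 cipher"),
    ("ciphers", r"^(des|3des|blowfish|idea|cast128)-", "64-bit block size (Sweet32)"),
    ("key-exchange", r"^(diffie-hellman-group1-sha1|dh-group1-sha1|gss-group1-sha1-.*)$",
     "DH group 1 (1024-bit)"),
    ("key-exchange", r"^rsa1024-?sha1$", "short RSA key"),
    ("macs", r"^umac-32(@.*)?$", "very short MAC"),
]

LINE = re.compile(r"^(set|deactivate)\s+system\s+services\s+ssh\s+"
                  r"(ciphers|key-exchange|macs)\b(.*)$")

def audit(display_set_text):
    """Return (statement, algorithm, reason) for each deprecated active value."""
    configured, inactive = [], set()
    for raw in display_set_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        state, stmt, rest = m.groups()
        if state == "deactivate":
            inactive.add(stmt)          # inactive statements are not in effect
            continue
        configured += [(stmt, v) for v in rest.split() if v not in ("[", "]")]
    return [(stmt, value, reason)
            for stmt, value in configured if stmt not in inactive
            for rule_stmt, pattern, reason in RULES
            if rule_stmt == stmt and re.search(pattern, value)]

# Constructed sample, not taken from the thread.
SAMPLE = """\
set system services ssh root-login deny
set system services ssh ciphers aes256-ctr
set system services ssh ciphers 3des-cbc
set system services ssh key-exchange dh-group1-sha1
set system services ssh key-exchange curve25519-sha256
set system services ssh macs hmac-sha2-256
"""

if __name__ == "__main__":
    for stmt, value, reason in audit(SAMPLE):
        print(f"system services ssh {stmt} {value}: {reason}")
```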



