Netscreen ssh problems?

You: confused network engineer.
It: netscreen box that’s probably out of support (thanks juniper for being fascists about software downloads!).
On your screen:
[omghi2u@toro][08:50:29][~]> ssh omghi2u@10.40.2.30
omghi2u@10.40.2.30's password:
Connection to 10.40.2.30 closed by remote host.
Connection to 10.40.2.30 closed.
In your logs:
Mar 20 20:50:29 10.40.2.30 ns204.int.nyc.analogue.net: NetScreen device_id=ns204.int.nyc.analogue.net [Root]system-warning-00528: SSH: Admin 'omghi2u' at host 10.40.2.98 attempted to be authenticated with no authentication methods enabled. (2009-03-20 20:50:30)
Mar 20 20:50:30 10.40.2.30 ns204.int.nyc.analogue.net: NetScreen device_id=ns204.int.nyc.analogue.net [Root]system-warning-00528: SSH: Password authentication successful for admin user 'omghi2u' at host 10.40.2.98 (2009-03-20 20:50:30)
In your debug:
## 20:50:29 : SSH auth: >>> sshv2_auth(name=omghi2u)
## 20:50:29 : SSH auth: <<< sshv2_auth(aaid=67) = 1
## 20:50:29 : SSH message: OUT - SSH_MSG_USERAUTH_SUCCESS(52)
## 20:50:29 : SSH netio: send(s=566, l=36) = 36
## 20:50:29 : SSH netio: send(566,,36,) = 36
## 20:50:29 : SSH auth: <<< process_auth_request(aaid=67) = 1
## 20:50:29 : SSH netio: recv(s=566, l=576) = 128
## 20:50:29 : SSH message: IN - SSH_MSG_CHANNEL_OPEN(90)
## 20:50:29 : --- process_channel_open()
## 20:50:29 : SSH message: OUT - SSH_MSG_CHANNEL_OPEN_CONFIRMATION(91)
## 20:50:29 : SSH netio: send(s=566, l=52) = 52
## 20:50:29 : SSH netio: send(566,,52,) = 52
## 20:50:29 : SSH netio: recv(s=566, l=448) = 444
## 20:50:29 : SSH message: IN - unknown message type(80)
## 20:50:29 : SSH state trans: SSH_STATE_CONNECTING(8) -> SSH_STATE_CLOSE(99)
## 20:50:29 : SSH conn: >>> ssh_free_shell()
## 20:50:29 : SSH conn: <<< ssh_free_shell()
## 20:50:29 : SSH state trans: SSH_STATE_FREE(0) -> SSH_STATE_FREE(0)
The really important line there is the “unknown message type(80)” one, right before the state change to SSH_STATE_CLOSE. Message type 80 is used by the ssh controlmaster (another topic for discussion). Older versions of ssh will normally just ignore it, but apparently ScreenOS decides to bail. Don’t fret, there’s a fix!
[omghi2u@toro][08:50:29][~]> ssh -oControlMaster=auto omghi2u@10.40.2.30
omghi2u@10.40.2.30's password:
PTY allocation request failed on channel 0
Remote Management Console
ns204.int.nyc.analogue.net->
Sweet!
Stick “ControlMaster auto” in your /etc/ssh/ssh_config file or your ~/.ssh/config to enable it for all hosts. It shouldn’t hurt for all hosts unless you’re doing something fancy w/ controlmaster.
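To spot the same failure in a longer debug capture, here is an added example (not part of the original post, and not Juniper or OpenSSH code) that walks ScreenOS debug lines like the ones above and reports the last SSH message seen before the session moves to SSH_STATE_CLOSE, naming it with the RFC 4250 message numbers. The function name find_drop_cause and the small lookup table are assumptions made for illustration.

```python
import re

# SSH message numbers from RFC 4250 (subset relevant to session setup).
SSH_MSG = {
    50: "SSH_MSG_USERAUTH_REQUEST",
    52: "SSH_MSG_USERAUTH_SUCCESS",
    80: "SSH_MSG_GLOBAL_REQUEST",
    81: "SSH_MSG_REQUEST_SUCCESS",
    82: "SSH_MSG_REQUEST_FAILURE",
    90: "SSH_MSG_CHANNEL_OPEN",
    91: "SSH_MSG_CHANNEL_OPEN_CONFIRMATION",
    98: "SSH_MSG_CHANNEL_REQUEST",
}

MSG_RE = re.compile(r"SSH message: (IN|OUT) - (.+?)\((\d+)\)")
TRANS_RE = re.compile(r"SSH state trans: (\w+)\(\d+\) -> (\w+)\(\d+\)")

# Debug lines copied from the capture in this post.
SAMPLE = """\
## 20:50:29 : SSH message: OUT - SSH_MSG_USERAUTH_SUCCESS(52)
## 20:50:29 : SSH message: IN - SSH_MSG_CHANNEL_OPEN(90)
## 20:50:29 : SSH message: OUT - SSH_MSG_CHANNEL_OPEN_CONFIRMATION(91)
## 20:50:29 : SSH message: IN - unknown message type(80)
## 20:50:29 : SSH state trans: SSH_STATE_CONNECTING(8) -> SSH_STATE_CLOSE(99)
## 20:50:29 : SSH state trans: SSH_STATE_FREE(0) -> SSH_STATE_FREE(0)
"""

def find_drop_cause(debug_text):
    """Return details of the last SSH message logged before the session went
    to SSH_STATE_CLOSE, or None if the capture never reaches that state."""
    last = None
    for line in debug_text.splitlines():
        m = MSG_RE.search(line)
        if m:
            num = int(m.group(3))
            last = {"direction": m.group(1),
                    "number": num,
                    "device_label": m.group(2),
                    "rfc_name": SSH_MSG.get(num, "not in table"),
                    "device_rejected": m.group(2).startswith("unknown")}
            continue
        t = TRANS_RE.search(line)
        if t and t.group(2) == "SSH_STATE_CLOSE":
            return last
    return None

if __name__ == "__main__":
    print(find_drop_cause(SAMPLE))
```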
Thanks to the juniper forums for part of this fix and bufu for motivating me to fix it :-) :
http://www.juniperforum.com/index.php?action=printpage%3Btopic=7235.0