Cannot SSH into SSG from Mac OS X 10.5.5


  • Engineer

    Ever since I upgraded to OS X 10.5.5 I cannot ssh to Juniper boxes. Has anyone encountered such an issue? Below is my debug of the connection:

    OJs-Powerbook:~ olivierj$ ssh -vvv netscreen@10.0.0.24
    OpenSSH_5.1p1, OpenSSL 0.9.7l 28 Sep 2006
    debug1: Reading configuration data /etc/ssh_config
    debug2: ssh_connect: needpriv 0
    debug1: Connecting to 10.0.0.24 [10.0.0.24] port 22.
    debug1: Connection established.
    debug1: identity file /Users/olivierj/.ssh/identity type -1
    debug1: identity file /Users/olivierj/.ssh/id_rsa type -1
    debug3: Not a RSA1 key file /Users/olivierj/.ssh/id_dsa.
    debug2: key_type_from_name: unknown key type '-----BEGIN'
    debug3: key_read: missing keytype
    debug2: key_type_from_name: unknown key type 'Proc-Type:'
    debug3: key_read: missing keytype
    debug2: key_type_from_name: unknown key type 'DEK-Info:'
    debug3: key_read: missing keytype
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug2: key_type_from_name: unknown key type '-----END'
    debug3: key_read: missing keytype
    debug1: identity file /Users/olivierj/.ssh/id_dsa type 2
    debug1: Remote protocol version 2.0, remote software version NetScreen
    debug1: no match: NetScreen
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_5.1
    debug2: fd 3 setting O_NONBLOCK
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
    debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
    debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
    debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    debug2: kex_parse_kexinit: diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: ssh-dss
    debug2: kex_parse_kexinit: 3des-cbc
    debug2: kex_parse_kexinit: 3des-cbc
    debug2: kex_parse_kexinit: hmac-sha1
    debug2: kex_parse_kexinit: hmac-sha1
    debug2: kex_parse_kexinit: none
    debug2: kex_parse_kexinit: none
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    debug2: mac_setup: found hmac-sha1
    debug1: kex: server->client 3des-cbc hmac-sha1 none
    debug2: mac_setup: found hmac-sha1
    debug1: kex: client->server 3des-cbc hmac-sha1 none
    debug2: dh_gen_key: priv key bits set: 184/384
    debug2: bits set: 505/1024
    debug1: sending SSH2_MSG_KEXDH_INIT
    debug1: expecting SSH2_MSG_KEXDH_REPLY
    debug3: check_host_in_hostfile: filename /Users/olivierj/.ssh/known_hosts
    debug3: check_host_in_hostfile: match line 52
    debug1: Host '10.0.0.24' is known and matches the DSA host key.
    debug1: Found key in /Users/olivierj/.ssh/known_hosts:52
    debug2: bits set: 504/1024
    debug1: ssh_dss_verify: signature correct
    debug2: kex_derive_keys
    debug2: set_newkeys: mode 1
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug2: set_newkeys: mode 0
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug2: service_accept: ssh-userauth
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug2: key: /Users/olivierj/.ssh/id_dsa (0x103290)
    debug2: key: /Users/olivierj/.ssh/identity (0x0)
    debug2: key: /Users/olivierj/.ssh/id_rsa (0x0)
    debug1: Authentications that can continue: password
    debug3: start over, passed a different list password
    debug3: preferred publickey,keyboard-interactive,password
    debug3: authmethod_lookup password
    debug3: remaining preferred: ,keyboard-interactive,password
    debug3: authmethod_is_enabled password
    debug1: Next authentication method: password
    netscreen@10.0.0.24's password:
    debug3: packet_send2: adding 56 (len 64 padlen 8 extra_pad 64)
    debug2: we sent a password packet, wait for reply
    debug1: Authentication succeeded (password).
    debug1: channel 0: new [client-session]
    debug3: ssh_session2_open: channel_new: 0
    debug2: channel 0: send open
    debug1: Requesting no-more-sessions@openssh.com
    debug1: Entering interactive session.
    debug2: callback start
    debug2: client_session2_setup: id 0
    debug2: channel 0: request pty-req confirm 1
    debug3: tty_make_modes: ospeed 38400
    debug3: tty_make_modes: ispeed 38400
    debug2: channel 0: request shell confirm 1
    debug2: fd 3 setting TCP_NODELAY
    debug2: callback done
    debug2: channel 0: open confirm rwindow 2048 rmax 1024
    debug1: channel 0: free: client-session, nchannels 1
    debug3: channel 0: status: The following connections are open:
      #0 client-session (t4 r2 i0/0 o0/0 fd 4/5 cfd -1)

    debug3: channel 0: close_fds r 4 w 5 e 6 c -1
    Connection to 10.0.0.24 closed by remote host.
    Connection to 10.0.0.24 closed.
    Transferred: sent 1592, received 912 bytes, in 0.0 seconds
    Bytes per second: sent 660272.1, received 378246.3
    debug1: Exit status -1

    Here is the output of a “debug ssh all” from the SSG

    SSG550(M)-> get db stream

    2008-09-29 15:44:48 : SSH message: OUT - SSH_MSG_CHANNEL_DATA(94)
    2008-09-29 15:44:48 : SSH netio: send(s=25, l=52) = 52
    2008-09-29 15:44:48 : SSH netio: send(25,52,) = 52
    2008-09-29 15:45:04 : --- send_init_string()
    2008-09-29 15:45:04 : SSH state trans: SSH_STATE_FREE(0) -> SSH_STATE_INIT(1)
    2008-09-29 15:45:04 : SSH netio: recv(s=26, l=64) = 21
    2008-09-29 15:45:04 : SSH: >>> process_init_string()
    2008-09-29 15:45:04 : SSH: --- process_init_string() init_string='SSH-2.0-OpenSSH_5.1
    ' : bytes=21
    2008-09-29 15:45:04 : SSH: >>> ssh_remove_cr_nl(str=0x1b0bb95c)
    2008-09-29 15:45:04 : SSH: --- ssh_remove_cr_nl() :  nl=0x1b0bb970 : cr=0x1b0bb96f : nl_len=20 : cr_len=19
    2008-09-29 15:45:04 : SSH: <<< ssh_remove_cr_nl(*bytes_removed=2) = 19
    2008-09-29 15:45:04 : SSH: <<< process_init_string() = 1
    2008-09-29 15:45:04 : SSH state trans: SSH_STATE_INIT(1) -> SSH_STATE_SEND_NEG(2)
    2008-09-29 15:45:04 : SSH netio: recv(s=26, l=64) = 64
    2008-09-29 15:45:04 : SSH message: OUT - SSH_MSG_KEXINIT(20)
    2008-09-29 15:45:04 : SSH netio: send(s=26, l=152) = 152
    2008-09-29 15:45:04 : SSH netio: send(26,152,) = 152
    2008-09-29 15:45:04 : SSH: >>> ssh_remove_cr_nl(str=0x1af18514)
    2008-09-29 15:45:04 : SSH: --- ssh_remove_cr_nl() :  nl=0x1af18526 : cr=0x1af18525 : nl_len=18 : cr_len=17
    2008-09-29 15:45:04 : SSH: <<< ssh_remove_cr_nl(*bytes_removed=2) = 17
    2008-09-29 15:45:04 : SSH state trans: SSH_STATE_SEND_NEG(2) -> SSH_STATE_RECV_NEG(3)
    2008-09-29 15:45:04 : extending recv() buffer
    2008-09-29 15:45:04 : SSH netio: recv(s=26, l=136) = 136
    2008-09-29 15:45:04 : SSH: >>> process_binary_frame()
    2008-09-29 15:45:04 : SSH: --- process_binary_frame() : buf_len=200 : packet_len=788
    2008-09-29 15:45:04 : SSH: <<< process_binary_frame() = 0
    2008-09-29 15:45:04 : extending recv() buffer
    2008-09-29 15:45:04 : SSH netio: recv(s=26, l=136) = 136
    2008-09-29 15:45:04 : SSH: >>> process_binary_frame()
    2008-09-29 15:45:04 : SSH: --- process_binary_frame() : buf_len=336 : packet_len=788
    2008-09-29 15:45:04 : SSH: <<< process_binary_frame() = 0
    2008-09-29 15:45:04 : extending recv() buffer
    2008-09-29 15:45:04 : SSH netio: recv(s=26, l=136) = 136
    2008-09-29 15:45:04 : SSH: >>> process_binary_frame()
    2008-09-29 15:45:04 : SSH: --- process_binary_frame() : buf_len=472 : packet_len=788
    2008-09-29 15:45:04 : SSH: <<< process_binary_frame() = 0
    2008-09-29 15:45:04 : extending recv() buffer
    2008-09-29 15:45:04 : SSH netio: recv(s=26, l=136) = 136
    2008-09-29 15:45:04 : SSH: >>> process_binary_frame()
    2008-09-29 15:45:04 : SSH: --- process_binary_frame() : buf_len=608 : packet_len=788
    2008-09-29 15:45:04 : SSH: <<< process_binary_frame() = 0
    2008-09-29 15:45:04 : extending recv() buffer
    2008-09-29 15:45:04 : SSH netio: recv(s=26, l=136) = 136
    2008-09-29 15:45:04 : SSH: >>> process_binary_frame()
    2008-09-29 15:45:04 : SSH: --- process_binary_frame() : buf_len=744 : packet_len=788
    2008-09-29 15:45:04 : SSH: <<< process_binary_frame() = 0
    2008-09-29 15:45:04 : extending recv() buffer
    2008-09-29 15:45:04 : SSH netio: recv(s=26, l=136) = 48
    2008-09-29 15:45:04 : SSH: >>> process_binary_frame()
    2008-09-29 15:45:04 : SSH: --- process_binary_frame() : buf_len=792 : packet_len=788
    2008-09-29 15:45:04 : SSH: --- process_binary_frame() : padding_len =8 : message_type=20
    2008-09-29 15:45:04 : SSH message: IN - SSH_MSG_KEXINIT(20)
    2008-09-29 15:45:04 : SSH: <<< process_binary_frame() = 1
    2008-09-29 15:45:04 : --- process_kex_neg()
    2008-09-29 15:45:04 : SSH state trans: SSH_STATE_RECV_NEG(3) -> SSH_STATE_RECV_DH_KEX(5)
    2008-09-29 15:45:04 : SSH netio: recv(s=26, l=880) = 144
    2008-09-29 15:45:04 : SSH: >>> process_binary_frame()
    2008-09-29 15:45:04 : SSH: --- process_binary_frame() : buf_len=144 : packet_len=140
    2008-09-29 15:45:04 : SSH: --- process_binary_frame() : padding_len =6 : message_type=30
    2008-09-29 15:45:04 : SSH message: IN - SSH_MSG_KEXDH_INIT(30)
    2008-09-29 15:45:04 : SSH: <<< process_binary_frame() = 1
    2008-09-29 15:45:04 : SSH message: OUT - SSH_MSG_KEXDH_REPLY(31)
    2008-09-29 15:45:04 : SSH state trans: SSH_STATE_RECV_DH_KEX(5) -> SSH_STATE_SEND_DH_KEX(4)
    2008-09-29 15:45:04 : SSH netio: send(s=26, l=640) = 640
    2008-09-29 15:45:04 : SSH netio: send(26,640,) = 640
    2008-09-29 15:45:04 : SSH state trans: SSH_STATE_SEND_DH_KEX(4) -> SSH_STATE_SEND_NEW_KEYS(7)
    2008-09-29 15:45:04 : SSH netio: recv(s=26, l=880) = 16
    2008-09-29 15:45:04 : SSH message: OUT - SSH_MSG_NEWKEYS(21)
    2008-09-29 15:45:04 : SSH netio: send(s=26, l=16) = 16
    2008-09-29 15:45:04 : SSH netio: send(26,16,) = 16
    2008-09-29 15:45:04 : SSH state trans: SSH_STATE_SEND_NEW_KEYS(7) -> SSH_STATE_RECV_NEW_KEYS(6)
    2008-09-29 15:45:04 : SSH netio: Another message,In_enc_buffer# alloc 880, end 16,offset 0
    2008-09-29 15:45:04 : SSH: >>> process_binary_frame()
    2008-09-29 15:45:04 : SSH: --- process_binary_frame() : buf_len=16 : packet_len=12
    2008-09-29 15:45:04 : SSH: --- process_binary_frame() : padding_len =10 : message_type=21
    2008-09-29 15:45:04 : SSH message: IN - SSH_MSG_NEWKEYS(21)
    2008-09-29 15:45:04 : SSH: <<< process_binary_frame() = 1
    2008-09-29 15:45:04 : SSH state trans: SSH_STATE_RECV_NEW_KEYS(6) -> SSH_STATE_BANNER(8)
    2008-09-29 15:45:04 : SSH netio: recv(s=26, l=880) = 52
    2008-09-29 15:45:04 : SSH state trans: SSH_STATE_BANNER(8) -> SSH_STATE_CONNECTING(9)
    2008-09-29 15:45:04 : SSH netio: Another message,In_enc_buffer# alloc 880, end 52,offset 0
    2008-09-29 15:45:04 : decrypted message length 28
    2008-09-29 15:45:04 : SSH netio: packet decrypted...In_enc_buffer# alloc 880, end 52,offset 32
    2008-09-29 15:45:04 : SSH message: IN - SSH_MSG_SERVICE_REQUEST(5)
    2008-09-29 15:45:04 : SSH message: OUT - SSH_MSG_SERVICE_ACCEPT(6)
    2008-09-29 15:45:04 : SSH netio: send(s=26, l=52) = 52
    2008-09-29 15:45:04 : SSH netio: send(26,52,) = 52
    2008-09-29 15:45:04 : SSH netio: recv(s=26, l=880) = 76
    2008-09-29 15:45:04 : decrypted message length 52
    2008-09-29 15:45:04 : SSH netio: packet decrypted...In_enc_buffer# alloc 880, end 76,offset 56
    2008-09-29 15:45:04 : SSH message: IN - SSH_MSG_USERAUTH_REQUEST(50)
    2008-09-29 15:45:04 : SSH auth: >>> process_auth_request(ip=192.229.171.1, port=61121)
    2008-09-29 15:45:04 : SSH auth: --- process_auth_request() : admin=netscreen service=ssh-connection method=none
    2008-09-29 15:45:04 : SSH message: OUT - SSH_MSG_USERAUTH_FAILURE(51)
    2008-09-29 15:45:04 : SSH auth: --- ssh_build_auth_fail() : auth_types=password
    2008-09-29 15:45:04 : SSH netio: send(s=26, l=44) = 44
    2008-09-29 15:45:04 : SSH netio: send(26,44,) = 44
    2008-09-29 15:45:04 : SSH auth: <<< process_auth_request(aaid=0) = 0
    2008-09-29 15:45:09 : SSH netio: recv(s=26, l=880) = 148
    2008-09-29 15:45:09 : decrypted message length 124
    2008-09-29 15:45:09 : SSH netio: packet decrypted...In_enc_buffer# alloc 880, end 148,offset 128
    2008-09-29 15:45:09 : SSH message: IN - SSH_MSG_USERAUTH_REQUEST(50)
    2008-09-29 15:45:09 : SSH auth: >>> process_auth_request(ip=192.229.171.1, port=61121)
    2008-09-29 15:45:09 : SSH auth: --- process_auth_request() : admin=netscreen service=ssh-connection method=password
    2008-09-29 15:45:09 : SSH auth: --- password auth: password = 1a839c44 : length=10 : failure=0
    2008-09-29 15:45:09 : SSH auth: >>> sshv2_auth(name=netscreen)
    2008-09-29 15:45:09 : SSH auth: <<< sshv2_auth(aaid=9) = 1
    2008-09-29 15:45:09 : SSH message: OUT - SSH_MSG_USERAUTH_SUCCESS(52)
    2008-09-29 15:45:09 : SSH netio: send(s=26, l=36) = 36
    2008-09-29 15:45:09 : SSH netio: send(26,36,) = 36
    2008-09-29 15:45:09 : SSH auth: <<< process_auth_request(aaid=9) = 1
    2008-09-29 15:45:09 : SSH netio: recv(s=26, l=880) = 128
    2008-09-29 15:45:09 : decrypted message length 36
    2008-09-29 15:45:09 : SSH netio: packet decrypted...In_enc_buffer# alloc 880, end 128,offset 40
    2008-09-29 15:45:09 : SSH message: IN - SSH_MSG_CHANNEL_OPEN(90)
    2008-09-29 15:45:09 : --- process_channel_open()
    2008-09-29 15:45:09 : SSH message: OUT - SSH_MSG_CHANNEL_OPEN_CONFIRMATION(91)
    2008-09-29 15:45:09 : SSH netio: send(s=26, l=52) = 52
    2008-09-29 15:45:09 : SSH netio: send(26,52,) = 52
    2008-09-29 15:45:09 : SSH netio: Another message,In_enc_buffer# alloc 880, end 128,offset 60
    2008-09-29 15:45:09 : decrypted message length 44
    2008-09-29 15:45:09 : SSH netio: packet decrypted...In_enc_buffer# alloc 880, end 128,offset 108
    2008-09-29 15:45:09 : SSH message: IN - unknown message type(80)
    2008-09-29 15:45:09 : SSH state trans: SSH_STATE_CONNECTING(9) -> SSH_STATE_CLOSE(99)
    2008-09-29 15:45:09 : SSH netio: recv(s=26, l=880) = 376
    2008-09-29 15:45:09 : SSH conn: >>> ssh_free_shell()
    2008-09-29 15:45:09 : SSH conn: <<< ssh_free_shell()
    2008-09-29 15:45:09 : SSH state trans: SSH_STATE_FREE(0) -> SSH_STATE_FREE(0)
    2008-09-29 15:45:13 : SSH netio: recv(s=25, l=744) = 44
    2008-09-29 15:45:13 : decrypted message length 20
    2008-09-29 15:45:13 : SSH netio: packet decrypted...In_enc_buffer# alloc 744, end 44,offset 24
    2008-09-29 15:45:13 : SSH message: IN - SSH_MSG_CHANNEL_DATA(94)
    2008-09-29 15:45:13 : SSH conn: >>> transfer_channel_data_to_application()
    2008-09-29 15:45:13 : SSH conn: <<< transfer_channel_data_to_application()

    SSG550(M)->



  • Have you tried something like this?:

    ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-dss

    I find that from modern Linux systems I need to explicitly enable support for older SSH options in order to get into my SSG5 and SSG320 systems.



  • Sorry for reopening, but even with this workaround, I’m not able to connect to my ssg5 boxes:

    Unable to negotiate with x.x.x.x : no matching key exchange method found. Their offer: diffie-hellman-group1-sha1


    debug1: Local version string SSH-2.0-OpenSSH_7.3
    debug1: Remote protocol version 2.0, remote software version NetScreen
    debug1: no match: NetScreen
    debug1: Authenticating to x.x.x.x:22 as 'user'
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: algorithm: (no match)
    Unable to negotiate with x.x.x.x port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1



  • Cool. Thanks for that tip. I had a ticket open with Juniper Support and they couldn’t solve this.


  • Engineer

    Thanks. I just saw it on the forums also.



  • We just had this discussion on forums.juniper.net. Another person recommended this setting:

    ssh -oControlMaster=auto

    Put that in your ssh command and it should work. If you put a -q it will suppress any other error messages. You can also edit your /etc/ssh_config file and put in

    ControlMaster    auto

    if you want it to be global.

    Ron
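
Correlating the two debug captures from the first post, as an added example (not code from any poster or from Juniper): message number 80 is SSH_MSG_GLOBAL_REQUEST in RFC 4254, and the client capture shows OpenSSH sending the `no-more-sessions@openssh.com` request immediately before the SSG logs "unknown message type(80)" and moves to SSH_STATE_CLOSE. The function names are hypothetical; the log lines are excerpts from the thread.

```python
import re

# SSH message numbers (RFC 4253 / RFC 4254) that occur in the thread's logs.
SSH_MSG_NAMES = {5: "SSH_MSG_SERVICE_REQUEST", 20: "SSH_MSG_KEXINIT",
                 21: "SSH_MSG_NEWKEYS", 50: "SSH_MSG_USERAUTH_REQUEST",
                 80: "SSH_MSG_GLOBAL_REQUEST", 90: "SSH_MSG_CHANNEL_OPEN"}

MSG_RE = re.compile(r"SSH message: (IN|OUT) - (.+?)\((\d+)\)")
STATE_RE = re.compile(r"SSH state trans: (\w+)\(\d+\) -> (\w+)\(\d+\)")
# Vendor-extension request names have the form name@domain.
REQ_RE = re.compile(r"debug1: Requesting (\S+@\S+)")

# Excerpts of the two captures posted in the thread (not constructed data).
SERVER_LOG = """\
2008-09-29 15:45:09 : SSH message: OUT - SSH_MSG_USERAUTH_SUCCESS(52)
2008-09-29 15:45:09 : SSH message: IN - SSH_MSG_CHANNEL_OPEN(90)
2008-09-29 15:45:09 : SSH message: OUT - SSH_MSG_CHANNEL_OPEN_CONFIRMATION(91)
2008-09-29 15:45:09 : SSH message: IN - unknown message type(80)
2008-09-29 15:45:09 : SSH state trans: SSH_STATE_CONNECTING(9) -> SSH_STATE_CLOSE(99)
"""
CLIENT_LOG = """\
debug1: Authentication succeeded (password).
debug2: channel 0: send open
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
Connection to 10.0.0.24 closed by remote host.
"""

def find_close_trigger(server_log):
    """Last inbound SSH message logged before the device entered SSH_STATE_CLOSE."""
    last_in = None
    for line in server_log.splitlines():
        msg = MSG_RE.search(line)
        if msg and msg.group(1) == "IN":
            num = int(msg.group(3))
            last_in = {"number": num, "logged_as": msg.group(2),
                       "rfc_name": SSH_MSG_NAMES.get(num, "unknown")}
        state = STATE_RE.search(line)
        if state and state.group(2) == "SSH_STATE_CLOSE":
            return last_in  # None if no inbound message preceded the close
    return None

def diagnose(client_log, server_log):
    """Pair the server-side close trigger with the extension requests the client sent."""
    trigger = find_close_trigger(server_log)
    requests = REQ_RE.findall(client_log)
    # A global request that the device logs as unknown is the likely incompatibility.
    rejected = (trigger is not None
                and trigger["rfc_name"] == "SSH_MSG_GLOBAL_REQUEST"
                and trigger["logged_as"].startswith("unknown")
                and bool(requests))
    return {"trigger": trigger, "client_global_requests": requests,
            "global_request_rejected": rejected}

if __name__ == "__main__":
    print(diagnose(CLIENT_LOG, SERVER_LOG))
```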


 
