EXOS refuses ssh access using libssh2

  • Problem
  • Updated 2 years ago
  • Solved
We try to monitor Extreme switches with a script using libssh2, but access always fails (the switch RSTs the TCP connection when the client requests the userauth service).

  • Access using regular OpenSSH client works fine.
  • Access using the libssh2 script works fine with other switch vendors (Arista, Brocade tested) and regular Linux OpenSSH servers.

The problem was traced back to the fact that libssh2 uses an SSH banner of this form "SSH-2.0-libssh2_1.7.0_DEV" while a regular OpenSSH client has a banner of this form "SSH-2.0-OpenSSH_5.3".

When the libssh2 script is tailored to send the "SSH-2.0-OpenSSH_5.3" banner (pretending to be a regular OpenSSH client), the access works just fine.

EXOS sshd servers seem to somehow have a bug when dealing with some banners (or have a hard-coded whitelist/blacklist of banners).

The issue is reproducible at will (with any version of EXOS supporting ssh). Just git clone the libssh2 repo, build the lib and use the ssh2 binary provided in the "examples" directory (against an ssh-enabled Extreme switch).

I didn't have any luck getting debug/verbose logging from the sshd process on the switch; the only events related to that process are never triggered (exsshd.DebugData, exsshd.DebugVerbose, exsshd.RejctConnAccessDeny).
M. YOUSSEF GHORBAL

Posted 2 years ago
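
Both client banners quoted in the post above are well-formed SSH identification strings under RFC 4253 section 4.2, so a server that resets on one of them is misbehaving on its side. The following is an added example, not code from the original post, libssh2 or EXOS; the function names and the server greeting sample are assumptions made for illustration.

```python
import re

# RFC 4253 section 4.2: SSH-protoversion-softwareversion SP comments CR LF
# protoversion/softwareversion: printable US-ASCII, no whitespace, no '-'.
_TOKEN = r"[\x21-\x2c\x2e-\x7e]+"
_IDENT = re.compile(rf"SSH-({_TOKEN})-({_TOKEN})(?: ([\x20-\x7e]*))?")
MAX_LEN = 255  # limit includes the trailing CR LF


def parse_ident(line: bytes) -> dict:
    """Validate one identification line (with its line ending) and split it."""
    if len(line) > MAX_LEN:
        raise ValueError("identification string longer than 255 bytes")
    if not line.endswith(b"\r\n"):
        raise ValueError("identification string must end with CR LF")
    text = line[:-2].decode("ascii")  # non-ASCII bytes raise a ValueError subclass
    m = _IDENT.fullmatch(text)
    if m is None:
        raise ValueError(f"malformed identification string: {text!r}")
    proto, software, comments = m.groups()
    return {"proto": proto, "software": software, "comments": comments}


def find_ident(stream: bytes) -> dict:
    """Skip lines a server may send before its version string; parse the first SSH- line."""
    for line in stream.splitlines(keepends=True):
        if line.startswith(b"SSH-"):
            return parse_ident(line)
    raise ValueError("no SSH identification string found")


# Constructed samples: the two client banners quoted in the post, plus a
# made-up server greeting preceded by a pre-banner line.
LIBSSH2 = b"SSH-2.0-libssh2_1.7.0_DEV\r\n"
OPENSSH = b"SSH-2.0-OpenSSH_5.3\r\n"
SERVER = b"Authorized use only\r\nSSH-2.0-ExampleSSHD_1.0 lab\r\n"

if __name__ == "__main__":
    for sample in (LIBSSH2, OPENSSH, SERVER):
        print(find_ident(sample))
```

Feeding it the first line captured from each side of a failing session (for example from a packet capture) shows whether either peer sent something outside the specification before the reset.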

Bill Stritzinger, Alum

This issue would seem to be the libraries that we use in OpenSSH; they have, up until now, been older libraries. Depending on the version of code you are running, all of the SSH libraries have been updated with the latest versions of code, i.e. 16.2 and 21.1. Update to these versions and try again. Here is the summary on 16.2:

SSH Packaging Changes – ExtremeXOS 16.2 is now FIPS 140-2 compliant with an upgrade to the SSH server & addition of Federal Information Processing Standards (FIPS) compliance Object Module v2.0. In addition, ExtremeXOS 16.2 images now have SSH functionality included in the base xos file (i.e. no SSH xmod is required).

M. YOUSSEF GHORBAL

Thank you very much for your answer.
I'll definitely give it a shot right away. I admit that I only tested with the last 15.X track.
I'll let you know how it goes.
M. YOUSSEF GHORBAL

Bill, the 16.2 works like a charm with libssh2.
Thank you for the tip.

All I have to do is upgrade the ~50 stacks :)