EXOS refuses ssh access using libssh2

M__YOUSSEF_GHOR
New Contributor
We try to monitor Extreme switches with a script using libssh2 but access always fails (the switch RSTs the TCP connection when the client requests the userauth service).

  • Access using regular OpenSSH client works fine.
  • Access using libssh2 script works fine with other switch vendors (Arista, Brocade tested) and regular Linux OpenSSH servers.

The problem was traced back to the fact that libssh2 uses an ssh banner of this form "SSH-2.0-libssh2_1.7.0_DEV" while a regular OpenSSH client has a banner of this form "SSH-2.0-OpenSSH_5.3".

When the libssh2 script is tailored to send the "SSH-2.0-OpenSSH_5.3" banner (pretending to be a regular OpenSSH client) the access works just fine.

EXOS sshd servers seem to somehow have a bug when dealing with some banners (or have a hard-coded whitelist/blacklist of banners).

The issue is reproducible at will (with any version of EXOS supporting ssh). Just git clone the libssh2 repo, build the lib and use the ssh2 binary provided in the "examples" directory (against an ssh enabled Extreme switch)

I didn't have any luck getting debug/verbose logging from the sshd process on the switch; the only events related to that process are never triggered (exsshd.DebugData, exsshd.DebugVerbose, exsshd.RejctConnAccessDeny).
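An added example, not part of the original post: a strict parser for the SSH identification line as RFC 4253 section 4.2 defines it, run over the two banners quoted above to show that both are well-formed and differ only in the softwareversion field. The function names are hypothetical, and the CR LF terminator appended to each banner is an assumption about what goes on the wire.

```python
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF".
# protoversion and softwareversion are printable US-ASCII without whitespace
# or the minus sign; the whole line is at most 255 bytes including CR LF.
_TOKEN = rb"[\x21-\x2c\x2e-\x7e]+"
_IDENT = re.compile(
    rb"SSH-(?P<proto>" + _TOKEN + rb")-(?P<software>" + _TOKEN + rb")"
    rb"(?: (?P<comments>[\x20-\x7e]*))?"
)
MAX_IDENT_LEN = 255


def parse_ident(line: bytes) -> dict:
    """Parse one identification line; raise ValueError if it is non-compliant."""
    if len(line) > MAX_IDENT_LEN:
        raise ValueError("longer than 255 bytes")
    if not line.endswith(b"\r\n"):
        raise ValueError("not terminated by CR LF")
    m = _IDENT.fullmatch(line[:-2])
    if m is None:
        raise ValueError("not SSH-protoversion-softwareversion[ SP comments]")
    fields = {k: (v.decode("ascii") if v is not None else None)
              for k, v in m.groupdict().items()}
    # "2.0" is SSH-2; "1.99" is only sent by servers that also speak SSH-1.
    if fields["proto"] not in ("2.0", "1.99"):
        raise ValueError("unsupported protoversion " + fields["proto"])
    return fields


def differing_fields(a: bytes, b: bytes) -> list:
    """Names of the parsed fields whose values differ between two banners."""
    pa, pb = parse_ident(a), parse_ident(b)
    return [name for name in pa if pa[name] != pb[name]]


# Banners quoted in the post; the CR LF terminator is added here (constructed).
LIBSSH2 = b"SSH-2.0-libssh2_1.7.0_DEV\r\n"
OPENSSH = b"SSH-2.0-OpenSSH_5.3\r\n"

if __name__ == "__main__":
    for ident in (LIBSSH2, OPENSSH):
        print(parse_ident(ident))
    print("fields that differ:", differing_fields(LIBSSH2, OPENSSH))
```

Since both strings pass the same format check, a malformed client banner does not explain the reset; the only input that changes between the failing and working sessions is the software name.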

3 REPLIES 3

Bill_Stritzinge
Extreme Employee
This issue would seem to be the libraries that we use in OpenSSH; they have, up until now, been older libraries. Depending on the version of code you are running, all of the SSH libraries have been updated with the latest versions of code, i.e. 16.2 and 21.1. Update to these versions and try again. Here is the summary on 16.2:

SSH Packaging Changes – ExtremeXOS 16.2 is now FIPS 140-2 compliant with an upgrade to the SSH server & addition of Federal Information Processing Standards (FIPS) compliance Object Module v2.0. In addition, ExtremeXOS 16.2 images now have SSH functionality included in the base xos file (i.e. no SSH xmod is required).

Bill, the 16.2 works like a charm with libssh2.
Thank you for the tip.

All I have to do is upgrade the ~50 stacks 🙂

Thank you very much for your answer.
I'll definitely give it a shot right away. I admit that I only tested with the last 15.X track.
I'll let you know how it goes.