EXOS refuses ssh access using libssh2
08-26-2016 07:14 AM
We try to monitor Extreme switches with a script using libssh2, but access always fails (the switch RSTs the TCP connection when the client requests the userauth service).
The problem was traced back to the fact that libssh2 uses an SSH banner of this form: "SSH-2.0-libssh2_1.7.0_DEV", while a regular OpenSSH client has a banner of this form: "SSH-2.0-OpenSSH_5.3".
When the libssh2 script is tailored to send the "SSH-2.0-OpenSSH_5.3" banner (pretending to be a regular OpenSSH client), the access works just fine.
EXOS sshd servers seem to somehow have a bug when dealing with some banners (or have a hard-coded whitelist/blacklist of banners).
The issue is reproducible at will (with any version of EXOS supporting SSH). Just git clone the libssh2 repo, build the lib and use the ssh2 binary provided in the "examples" directory (against an SSH-enabled Extreme switch).
I didn't have any luck getting debug/verbose logging from the sshd process on the switch; the only events related to that process are never triggered (exsshd.DebugData, exsshd.DebugVerbose, exsshd.RejctConnAccessDeny).
- Access using regular OpenSSH client works fine.
- Access using libssh2 script works fine with other switch vendors (Arista, Brocade tested) and regular linux OpenSSH servers.
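To make the banner question concrete, here is an added example (not code from the original post, from libssh2, or from EXOS) that parses SSH identification strings the way RFC 4253 section 4.2 defines them: `SSH-protoversion-softwareversion SP comments CR LF`, with `softwareversion` being printable US-ASCII without whitespace or `-`, and the whole line limited to 255 bytes. It also reads a server identification from a byte stream while skipping the extra lines a server is allowed to send first. Run against the two banners quoted above, both parse as valid SSH 2.0 identifications that differ only in the free-form software-version field, which is exactly why a server keying its behaviour on that field is a server-side defect rather than a client error. The sample banners fed in are constructed for the example.

```python
import io
import re

# RFC 4253 section 4.2: SSH-protoversion-softwareversion SP comments CR LF
# softwareversion: printable US-ASCII, no whitespace, no '-' (0x2d).
# The whole line, CR LF included, must not exceed 255 bytes.
_ID_RE = re.compile(
    r"^SSH-(?P<proto>[0-9]+\.[0-9]+)-(?P<software>[\x21-\x2c\x2e-\x7e]+)"
    r"(?: (?P<comments>[\x20-\x7e]*))?$"
)
MAX_ID_LEN = 255


def parse_identification(line: bytes) -> dict:
    """Split one identification string into its parts.

    Raises ValueError when the line does not conform to RFC 4253. This is
    structural validation only; nothing here judges whether a peer is
    "acceptable", because the software-version field is informational.
    """
    if len(line) > MAX_ID_LEN:
        raise ValueError("identification string exceeds 255 bytes")
    text = line.decode("ascii").rstrip("\r\n")  # non-ASCII raises ValueError too
    m = _ID_RE.match(text)
    if m is None:
        raise ValueError(f"malformed identification string: {text!r}")
    proto = m.group("proto")
    return {
        "proto": proto,
        "software": m.group("software"),
        "comments": m.group("comments") or "",
        # "1.99" is what a server advertising both SSH-1 and SSH-2 sends.
        "ssh2": proto in ("2.0", "1.99"),
    }


def read_server_identification(stream, max_lines: int = 32) -> dict:
    """Read the server's identification string from a binary stream.

    RFC 4253 lets a server send other lines (not starting with "SSH-") before
    its identification string, so a client must skip them. The max_lines bound
    keeps a misbehaving server from making the client read forever.
    """
    for _ in range(max_lines):
        raw = stream.readline()
        if not raw:
            raise ConnectionError("peer closed before sending an identification string")
        if raw.startswith(b"SSH-"):
            return parse_identification(raw)
    raise ValueError("too many pre-identification lines from server")


def server_identification_from_bytes(data: bytes) -> dict:
    """Convenience wrapper: parse a captured server greeting held in memory."""
    return read_server_identification(io.BytesIO(data))


if __name__ == "__main__":
    # The two client banners quoted in the post above.
    for banner in (b"SSH-2.0-libssh2_1.7.0_DEV\r\n", b"SSH-2.0-OpenSSH_5.3\r\n"):
        print(parse_identification(banner))
    # Constructed server greeting with a pre-identification line the client must skip.
    print(server_identification_from_bytes(b"Welcome to the constructed switch\r\nSSH-1.99-Example_1.0\r\n"))
```

Both client banners come back with `proto == "2.0"` and `ssh2 == True`; only `software` differs. On the detection side, logging this parsed `software` field per session (as OpenSSH does in its own connection logs) is what lets an operator distinguish a monitoring script from an interactive client after the fact, without the server ever needing to gate access on it.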
3 REPLIES
08-26-2016 10:17 AM
This issue would seem to be the libraries that we use in OpenSSH; they have, up until now, been older libraries. Depending on the version of code you are running, all of the SSH libraries have been updated with the latest versions of code, i.e. 16.2 and 21.1. Update to these versions and try again. Here is the summary on 16.2:
SSH Packaging Changes – ExtremeXOS 16.2 is now FIPS 140-2 compliant with an upgrade to the SSH server & addition of Federal Information Processing Standards (FIPS) compliance Object Module v2.0. In addition, ExtremeXOS 16.2 images now have SSH functionality included in the base xos file (i.e. no SSH xmod is required).
08-26-2016 10:17 AM
Bill, the 16.2 works like a charm with libssh2.
Thank you for the tip.
All I have to do is upgrade the ~50 stacks 🙂
08-26-2016 10:17 AM
Thank you very much for your answer.
I'll definitely give it a shot right away. I admit that I only tested with the last 15.X track.
I'll let you know how it goes.
