Hello All, I have weird issues going on with my SRX300 [15.1X49-D170.4]. I have a user login 'admin' that can log in fine through the PUBLIC interface, but not the internal interface. This configuration came from an SRX240 which I just replaced. I changed all the configuration that it didn't like, such as vlan.X to irb.X and all the DHCP changes. Plugged the device in, and all the rules and tunnels came up fine. The only thing that doesn't work is logging in via SSH to an internal interface in my trust zone. Not sure how the SSH login process differs based on the interface you're logging into?
Everything I've seen has been related to root access. I have the same issue with that account as in the above example as well. I did notice that updated passwords had a longer hash, so I updated the password on the admin account to match. Still have the same issue. I haven't rebooted the device for fear of it locking out all accounts on all interfaces. I have checked:
show system login lockout
User accounts not locked
>>>>>> Logging in to the device via internal IP address
Using username "admin".
Using keyboard-interactive authentication.
Password:
Using keyboard-interactive authentication.
pam_unix: pam_sm_authenticate: UNIX authentication refused
Access denied
Using keyboard-interactive authentication.
Password:
>>>>>> Logging in to the device via external public IP.
Using username "admin".
Using keyboard-interactive authentication.
Password:
Last login: Tue Mar 5 05:59:13 2019 from XX.XX.XX.XX
--- JUNOS 15.1X49-D170.4 built 2019-02-22 22:34:42 UTC
admin@XXXXX.SRX300>
I can log into the web interface internally fine with the same admin account as well. Not sure what to look at, to be honest.
Since you are able to log in from one interface and not from another, I would start by looking at the zone-level settings for host-inbound services, to check if SSH is allowed.
> Compare the output of "show security zones security-zone <External>" and "show security zones security-zone <Internal>".
> SSH needs to be explicitly allowed, or you could also allow all services:
> set security zones security-zone Internal host-inbound-traffic system-services all
> OR
> set security zones security-zone Internal host-inbound-traffic system-services ssh
> Here are some related threads:
> Related documentation: Section on "Specify allowed host-inbound traffic for a zone or interface"
I hope this helps.
Apologies, since you are able to get to the login prompt, it means the host-inbound services are set up correctly.
You can try logging out some active sessions and trying again.
> show system users
> request system logout user <username>
No one else logged in at the moment. Not sure how something at the OS level would affect users logging into the device. I can see it if you're going to the shell via root or something. Something specific to the inbound interface accepting the connection and the OS PAM module is affecting this, is my guess? Maybe a bug?
set system services ssh
<<<<< EXTERNAL >>>>>>
set security zones security-zone PUBLIC screen untrust-screen
set security zones security-zone PUBLIC host-inbound-traffic system-services ssh
set security zones security-zone PUBLIC host-inbound-traffic system-services ping
set security zones security-zone PUBLIC interfaces ge-0/0/0.0
<<<<< INTERNAL >>>>>>
set security zones security-zone GREEN host-inbound-traffic system-services all
set security zones security-zone GREEN interfaces irb.1001 host-inbound-traffic system-services all
set security zones security-zone GREEN interfaces ge-0/0/3.0 host-inbound-traffic system-services all
set security zones security-zone GREEN interfaces ge-0/0/3.0 host-inbound-traffic protocols all
OK OK OK ... I'm an idiot. In my SSH management for this one particular connection, I had another device's IP in the configuration; I've been working with that client's devices, so its IP just stuck in my head. There is NO problem, I was connecting to the wrong device, on which the admin account had a different password.
So, if there is a wall of shame for bonehead mistakes, please place me at the top!!!!
Sorry, I really feel bad.