Management


Ask questions and share experiences with Junos Space and network management.
  • 1.  SSH to JunOS in FIPS mode

    Posted 01-16-2022 15:08
    Hi,

    My MX is in FIPS mode.

    I try to SSH from a device behind.
    But no SSH is possible.

    15:58:41 system,info log rule added by admin
    15:58:43 ssh,debug transport state: 0 --> 1
    15:58:43 ssh,debug transport state: 1 --> 2
    15:58:43 ssh,debug,packet sending string
    15:58:43 ssh,debug,packet SSH-2.0-ROSSSH\r
    15:58:43 ssh,debug,packet
    15:58:43 ssh,debug client version: SSH-2.0-OpenSSH_7.5
    15:58:43 ssh,debug transport state: 2 --> 3
    15:58:43 ssh,debug,packet packet create: 20
    15:58:43 ssh,debug,packet ----- sending -----
    15:58:43 ssh,debug,packet => offset:232 [0xe8]
    15:58:43 ssh,debug,packet => size:e8 [0xe8]
    15:58:43 ssh,debug,packet --------------------
    15:58:43 ssh,debug,packet ----- recieved -----
    15:58:43 ssh,debug,packet => offset:190 [0x190]
    15:58:43 ssh,debug,packet => size:100 [0x100]
    15:58:43 ssh,debug,packet --------------------
    15:58:43 ssh,debug host key algo: ecdsa-sha2-nistp384,ecdsa-sha2-nistp384
    15:58:43 ssh,debug kex algo: diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
    15:58:43 ssh,debug enc algo CS: aes256-cbc,aes192-cbc,3des-cbc,aes128-cbc,aes128-ctr
    15:58:43 ssh,debug mac algo CS: hmac-sha2-256,hmac-sha2-512
    15:58:43 ssh,debug comp algo CS: none,zlib@openssh.com
    15:58:43 ssh,debug packet follows: 0
    15:58:43 ssh,debug agreed on: can't agree on:
    15:58:43 ssh,debug cl: diffie-hellman-group-exchange-sha256
    15:58:43 ssh,debug sl: diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
    15:58:43 ssh,debug code 0x0200000b closing..
    15:58:43 ssh,debug,packet packet create: 1
    15:58:43 ssh,debug,packet ----- sending -----
    15:58:43 ssh,debug,packet => offset:24 [0x18]
    15:58:43 ssh,debug,packet => size:18 [0x18]
    15:58:43 ssh,debug,packet 0000 0014 0601 0000 000b 0000 0000 0000
    15:58:43 ssh,debug,packet 0000 f150 8c23 ad43
    15:58:43 ssh,debug,packet --------------------
    15:58:43 ssh,debug transport state: 3 --> 0
    15:58:43 ssh,debug closing connection: <> 192.168.1.1:22 (10)


    What must I set on Junos to make an SSH connection go (safely)?

    Problem is:
    15:58:43 ssh,debug cl: diffie-hellman-group-exchange-sha256
    15:58:43 ssh,debug sl: diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
    15:58:43 ssh,debug code 0x0200000b closing..

    What can I do to make SSH to JunOS possible?

    I think diffie-hellman-group-exchange-sha256 is not possible in FIPS mode.
    Thanks
    Christian

    ------------------------------
    CHRISTIAN KNOEFEL
    ------------------------------
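
The negotiation failure in the log above can be checked category by category. This is an added example, not part of the original post or of Junos: it parses the peer proposals the log prints as text and applies the first-common-name selection rule of RFC 4253 section 7.1 (simplified: it ignores the extra kex/host-key compatibility conditions). The function names are hypothetical, and the connecting device's host-key, cipher and MAC lists are assumptions, since the log prints only its kex proposal (`cl:`) as text.

```python
import re

# Constructed sample: the four lines of the post's log that print the peer's
# (Junos) proposals as text.
LOG = """\
15:58:43 ssh,debug host key algo: ecdsa-sha2-nistp384,ecdsa-sha2-nistp384
15:58:43 ssh,debug kex algo: diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
15:58:43 ssh,debug enc algo CS: aes256-cbc,aes192-cbc,3des-cbc,aes128-cbc,aes128-ctr
15:58:43 ssh,debug mac algo CS: hmac-sha2-256,hmac-sha2-512
"""

# Connecting device's proposals. "kex algo" is the log's "cl:" line; the other
# three lists are assumptions for illustration, replace them with the real ones.
CLIENT = {
    "kex algo": ["diffie-hellman-group-exchange-sha256"],
    "host key algo": ["ssh-rsa", "rsa-sha2-256"],
    "enc algo CS": ["aes128-ctr", "aes192-ctr", "aes256-ctr"],
    "mac algo CS": ["hmac-sha2-256"],
}

LINE = re.compile(r"ssh,debug ((?:kex|host key|enc|mac) algo(?: CS)?): (\S+)$")


def peer_lists(log):
    """Return {category: [names]} for each proposal line found in the log."""
    found = {}
    for line in log.splitlines():
        m = LINE.search(line)
        if m:
            found[m.group(1)] = m.group(2).split(",")
    return found


def negotiate(client, server):
    """First name on the client's list that the server also offers, else None."""
    return next((name for name in client if name in server), None)


def report(log, client=CLIENT):
    """Negotiated name per category; None marks a category that cannot agree."""
    server = peer_lists(log)
    return {cat: negotiate(names, server.get(cat, [])) for cat, names in client.items()}


if __name__ == "__main__":
    for category, chosen in report(LOG).items():
        print(f"{category:14} -> {chosen or 'NO COMMON ALGORITHM'}")
```

A `None` in any category aborts the handshake, so every category has to be checked, not only the kex line the log complains about first.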