  • 1.  SSH to JunOS in FIPS mode

    Posted 01-16-2022 15:08
    Hi,

    My MX is in FIPS mode.

    I try to SSH from a device behind it.
    But no SSH is possible.

    15:58:41 system,info log rule added by admin
    15:58:43 ssh,debug transport state: 0 --> 1
    15:58:43 ssh,debug transport state: 1 --> 2
    15:58:43 ssh,debug,packet sending string
    15:58:43 ssh,debug,packet SSH-2.0-ROSSSH\r
    15:58:43 ssh,debug,packet
    15:58:43 ssh,debug client version: SSH-2.0-OpenSSH_7.5
    15:58:43 ssh,debug transport state: 2 --> 3
    15:58:43 ssh,debug,packet packet create: 20
    15:58:43 ssh,debug host key algo: ecdsa-sha2-nistp384,ecdsa-sha2-nistp384
    15:58:43 ssh,debug kex algo: diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
    15:58:43 ssh,debug enc algo CS: aes256-cbc,aes192-cbc,3des-cbc,aes128-cbc,aes128-ctr
    15:58:43 ssh,debug mac algo CS: hmac-sha2-256,hmac-sha2-512
    15:58:43 ssh,debug comp algo CS: none,zlib@openssh.com
    15:58:43 ssh,debug packet follows: 0
    15:58:43 ssh,debug agreed on: can't agree on:
    15:58:43 ssh,debug cl: diffie-hellman-group-exchange-sha256
    15:58:43 ssh,debug sl: diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
    15:58:43 ssh,debug code 0x0200000b closing..
    15:58:43 ssh,debug,packet packet create: 1
    15:58:43 ssh,debug,packet ----- sending -----
    15:58:43 ssh,debug,packet => offset:24 [0x18]
    15:58:43 ssh,debug,packet => size:18 [0x18]
    15:58:43 ssh,debug,packet 0000 0014 0601 0000 000b 0000 0000 0000
    15:58:43 ssh,debug,packet 0000 f150 8c23 ad43
    15:58:43 ssh,debug,packet --------------------
    15:58:43 ssh,debug transport state: 3 --> 0
    15:58:43 ssh,debug closing connection: <> 192.168.1.1:22 (10)


    What must I set on Junos to make an SSH connection go (safely)?

    Problem is:
    15:58:43 ssh,debug cl: diffie-hellman-group-exchange-sha256
    15:58:43 ssh,debug sl: diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
    15:58:43 ssh,debug code 0x0200000b closing..

    What can I do to make SSH to Junos possible?

    I think diffie-hellman-group-exchange-sha256 is not possible in FIPS mode.
    Thanks
    Christian

    ------------------------------
    CHRISTIAN KNOEFEL
    ------------------------------
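
The failed key-exchange negotiation in the log above can be reproduced offline. This is an added example, not part of the original post and not vendor code: it parses the decoded algorithm lines copied from that log and applies the RFC 4253 section 7.1 rule (the first name on the client's list that the server also lists wins). It assumes `cl:` is the client's list and `sl:` is the server's list, as the log labels them; `parse_lists`, `negotiate` and `diagnose` are names made up for this example.

```python
import re

# Decoded negotiation lines copied from the debug log in the post above.
LOG = """\
15:58:43 ssh,debug host key algo: ecdsa-sha2-nistp384,ecdsa-sha2-nistp384
15:58:43 ssh,debug kex algo: diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
15:58:43 ssh,debug enc algo CS: aes256-cbc,aes192-cbc,3des-cbc,aes128-cbc,aes128-ctr
15:58:43 ssh,debug mac algo CS: hmac-sha2-256,hmac-sha2-512
15:58:43 ssh,debug agreed on: can't agree on:
15:58:43 ssh,debug cl: diffie-hellman-group-exchange-sha256
15:58:43 ssh,debug sl: diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
"""

# Matches "<field>: <comma-separated name-list>" on ssh,debug lines only.
FIELD = re.compile(r"ssh,debug (cl|sl|[a-z ]+ algo(?: CS)?): (\S+)\s*$")


def parse_lists(log):
    """Map each logged field name to its ordered name-list."""
    lists = {}
    for line in log.splitlines():
        m = FIELD.search(line)
        if m:
            lists[m.group(1)] = m.group(2).split(",")
    return lists


def negotiate(client, server):
    """RFC 4253 section 7.1: first client name that the server also lists."""
    return next((name for name in client if name in server), None)


def diagnose(log, extra_client_kex=()):
    """Return (agreed kex or None, server kex names the client does not offer).

    extra_client_kex is a what-if: names appended to the client's list to see
    what the two sides would then agree on.
    """
    lists = parse_lists(log)
    client = lists["cl"] + list(extra_client_kex)
    server = lists["sl"]
    missing = [name for name in server if name not in client]
    return negotiate(client, server), missing


if __name__ == "__main__":
    print(diagnose(LOG))
    print(diagnose(LOG, extra_client_kex=("ecdh-sha2-nistp256",)))
```

The second call shows that the two lists only need one name in common: with `ecdh-sha2-nistp256` appended to the client's list, the negotiation settles on it.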