junos_exporter

SSH KeyExchange issue with Junos 12.3

Open mweinelt opened this issue 3 years ago • 4 comments

This is junos exporter: :zap:

image

The SSHD on the EX2200 supports the following key exchange methods:

% ssh -Q kex
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256@libssh.org

This results in a handshake failure.

This is openssh from the terminal: :heavy_check_mark:

image

mweinelt avatar Sep 10 '21 14:09 mweinelt

same here :(

lgerhold avatar Oct 08 '21 12:10 lgerhold

Faced the same problem, also on Junos 12. As a workaround, " set system services ssh ciphers [chacha20-poly1305@openssh.com aes256-cbc aes256-ctr] " works. The reason for the issue (possibly): aes128-gcm@openssh.com and aes256-gcm@openssh.com are broken in Junos 12.

nuclearcat avatar Oct 25 '21 03:10 nuclearcat

That's not even a possible scenario here; we have no aesgcm in our supported cipher list.

% ssh -Q cipher
3des-cbc
blowfish-cbc
cast128-cbc
arcfour
arcfour128
arcfour256
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
chacha20-poly1305@openssh.com

The exporter's cipher list is visible here:

handshake failed: ssh: no common algorithm for client to server cipher; client offered: [[email protected] [email protected] aes128-ctr aes192-ctr aes256-ctr]

All of the given ciphers work when configured individually, so I wonder what's up with that.

chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se

Uh, so it advertises aesgcm and the config validation does not let me disable it.

# set ciphers [ ?  
Possible completions:
  3des-cbc             Tripple DES in CBC mode
  ]                    Close the current set
  aes128-cbc           128-bit AES with Cipher Block Chaining
  aes128-ctr           128-bit AES with Counter Mode
  aes192-cbc           192-bit AES with Cipher Block Chaining
  aes192-ctr           192-bit AES with Counter Mode
  aes256-cbc           256-bit AES with Cipher Block Chaining
  aes256-ctr           256-bit AES with Counter Mode
  arcfour              128-bit RC4 with Cipher Block Chaining 
  arcfour128           128-bit RC4 with Cipher Block Chaining 
  arcfour256           256-bit RC4 with Cipher Block Chaining 
  blowfish-cbc         128-bit Blowfish with Cipher Block Chaining 
  cast128-cbc          128-bit CAST with Cipher Block Chaining 
  chacha20-poly1305@openssh.com  ChaCha20 stream cipher and Poly1305 MAC
{master:0}[edit system services ssh]

So setting any explicit cipher list will basically fix this. Great.

mweinelt avatar Oct 29 '21 16:10 mweinelt
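The rule behind the "no common algorithm" error quoted above, as an added example in the exporter's language (Go, standard library only; this is not junos_exporter's or golang.org/x/crypto/ssh's own code): RFC 4253 section 7.1 picks, for each slot of the KEXINIT exchange, the first entry in the client's preference list that the server also lists, so only the client's order matters. The server-side lists are the kex list from the opening post and the `ssh -Q cipher` output and workaround configuration from the comments, with the obfuscated names written out in full. The client-side lists are an assumption: x/crypto/ssh's default preferences as recalled here, which must be checked against the vendored `ssh/common.go` before relying on them. The block also derives the smallest explicit `set system services ssh ciphers [ ... ]` value that still satisfies the assumed client, which is the shape of the fix this thread converges on.

```go
package main

import (
	"fmt"
	"strings"
)

// Algorithm selection per RFC 4253 section 7.1: for each slot of the
// KEXINIT exchange the chosen name is the first entry in the client's
// preference list that also appears anywhere in the server's list.
// golang.org/x/crypto/ssh applies this rule when junos_exporter connects,
// so it is what produced the "no common algorithm" error in the thread.

// ParseList accepts `ssh -Q` output (one name per line), a KEXINIT
// name-list (comma separated) or a Junos `ciphers [ ... ]` value
// (space separated, optionally bracketed) and returns the names in order.
func ParseList(s string) []string {
	sep := func(r rune) bool {
		return r == ',' || r == '\n' || r == ' ' || r == '[' || r == ']'
	}
	return strings.FieldsFunc(s, sep)
}

// Negotiate returns the algorithm used for one slot, or an error in the
// shape x/crypto/ssh reports (the "client offered" wording is taken from
// the handshake error pasted in the thread).
func Negotiate(what string, client, server []string) (string, error) {
	offered := make(map[string]bool, len(server))
	for _, s := range server {
		offered[s] = true
	}
	for _, c := range client {
		if offered[c] {
			return c, nil
		}
	}
	return "", fmt.Errorf("ssh: no common algorithm for %s; client offered: %v, server offered: %v",
		what, client, server)
}

// Common returns every client algorithm the server also supports, in the
// client's preference order: the smallest explicit server list that still
// satisfies this client, usable as the Junos `ciphers [ ... ]` value.
func Common(client, server []string) []string {
	var out []string
	for _, c := range client {
		for _, s := range server {
			if c == s {
				out = append(out, c)
				break
			}
		}
	}
	return out
}

// SetCiphersCommand formats the Junos statement for an explicit cipher list
// (the workaround the thread converges on).
func SetCiphersCommand(ciphers []string) string {
	return "set system services ssh ciphers [ " + strings.Join(ciphers, " ") + " ]"
}

// Server-side lists as pasted in the thread (EX2200 running Junos 12.3).
const (
	ex2200Kex = `diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256@libssh.org`
	// `ssh -Q cipher` on the device: no AES-GCM at all.
	ex2200Ciphers = `3des-cbc blowfish-cbc cast128-cbc arcfour arcfour128 arcfour256
aes128-cbc aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se
aes128-ctr aes192-ctr aes256-ctr chacha20-poly1305@openssh.com`
	// Workaround configuration from the thread.
	workaround = `[chacha20-poly1305@openssh.com aes256-cbc aes256-ctr]`
)

// Client-side preferences. ASSUMPTION: the x/crypto/ssh defaults of the
// time as recalled here; confirm against the vendored ssh/common.go
// (preferredKexAlgos / preferredCiphers) before relying on them.
var (
	clientKex = []string{"curve25519-sha256@libssh.org", "ecdh-sha2-nistp256",
		"ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group14-sha1"}
	clientCiphers = []string{"aes128-gcm@openssh.com", "chacha20-poly1305@openssh.com",
		"aes128-ctr", "aes192-ctr", "aes256-ctr"}
)

func main() {
	kex, err := Negotiate("key exchange", clientKex, ParseList(ex2200Kex))
	fmt.Println("kex:", kex, err)
	// Third entry is a constructed CBC-only misconfiguration to show a real mismatch.
	for _, srv := range []string{ex2200Ciphers, workaround, "aes256-cbc aes128-cbc"} {
		c, err := Negotiate("client to server cipher", clientCiphers, ParseList(srv))
		if err != nil {
			fmt.Println("FAIL:", err)
			fmt.Println("fix:", SetCiphersCommand(Common(clientCiphers, ParseList(ex2200Ciphers))))
			continue
		}
		fmt.Println("cipher:", c)
	}
}
```

Feed `Negotiate` the server's real proposal rather than `ssh -Q` output when debugging: `ssh -vv` prints the peer's KEXINIT lists, and the thread shows the two can differ on Junos 12.3 (GCM advertised but not in the supported set). In the exporter itself the equivalent knob is the `Ciphers` and `KeyExchanges` fields of `ssh.Config`, embedded in `ssh.ClientConfig`.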

Maybe someone can open a bug report with Juniper? Then they will fix this bug in the next release. (I'm not familiar with their support.)

nuclearcat avatar Oct 31 '21 11:10 nuclearcat