Re: [j-nsp] authentication failure in case of configuration archival over scp
keyboard-interactive vs. password authentication. They may "feel" the
same but they're not. I'd check which is going on, and maybe try
configuring the server for the other.

On Mon, Oct 26, 2015 at 4:12 PM, Martin T wrote:
> Stacy,
>
> I configured SSH server (OpenSSH) to log both the user name and
> password for all the successful and unsuccessful authorization
> attempts and it turned out that Juniper router sends an empty string as
> a password. I guess Junos uses FreeBSD scp utility for configuration
> archival if the following configuration is used:
>
> configuration {
>     transfer-on-commit;
>     archive-sites {
>         "scp://juniper@backupserver:/home/juniper/configbackups" password "$9$2joDkf5F9tOik0IhcMWGDjq5Q"; ## SECRET-DATA
>     }
> }
>
> If yes, then Junos probably provides an empty password string to scp.
> Underlying XML also holds the correct obfuscated password, i.e. as far
> as I can tell, the password in configuration is correct. I also tried
> with other passwords, but the router still sends an empty string. How
> to troubleshoot this further? Has anyone seen such behavior (possibly a
> bug) before?
>
> thanks,
> Martin
>
> On Wed, Oct 21, 2015 at 7:39 PM, Stacy W. Smith wrote:
>>
>>> On Oct 21, 2015, at 10:16 AM, Martin T wrote:
>>>
>>> SSH server log tells that "error: PAM: Authentication failure for juniper
>>> from r1".
>>
>>> What might cause this?
>>
>> Assuming the Junos version has not changed on the router, have there been
>> any changes to the SSH server, or the OS, on backupserver (potentially
>> including "security patches")?
>>
>> Assuming OpenSSH, you may want to "man sshd_config" and look into the
>> various Authentication settings as well as the UsePAM. I suspect
>> some recent upgrade may have changed the default value of some of these
>> settings.
>>
>> I would normally suggest changing the client's config to interoperate with
>> the server, but since that's not easy to do on a Junos device, you might
>> look at changing the server config.
>>
>> --Stacy

--
"Genius might be described as a supreme capacity for getting its
possessors into trouble of all kinds."
-- Samuel Butler
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] authentication failure in case of configuration archival over scp
Stacy,

I configured SSH server (OpenSSH) to log both the user name and
password for all the successful and unsuccessful authorization
attempts and it turned out that Juniper router sends an empty string as
a password. I guess Junos uses FreeBSD scp utility for configuration
archival if the following configuration is used:

configuration {
    transfer-on-commit;
    archive-sites {
        "scp://juniper@backupserver:/home/juniper/configbackups" password "$9$2joDkf5F9tOik0IhcMWGDjq5Q"; ## SECRET-DATA
    }
}

If yes, then Junos probably provides an empty password string to scp.
Underlying XML also holds the correct obfuscated password, i.e. as far
as I can tell, the password in configuration is correct. I also tried
with other passwords, but the router still sends an empty string. How
to troubleshoot this further? Has anyone seen such behavior (possibly a
bug) before?

thanks,
Martin

On Wed, Oct 21, 2015 at 7:39 PM, Stacy W. Smith wrote:
>
>> On Oct 21, 2015, at 10:16 AM, Martin T wrote:
>>
>> SSH server log tells that "error: PAM: Authentication failure for juniper
>> from r1".
>
>> What might cause this?
>
> Assuming the Junos version has not changed on the router, have there been any
> changes to the SSH server, or the OS, on backupserver (potentially including
> "security patches")?
>
> Assuming OpenSSH, you may want to "man sshd_config" and look into the various
> Authentication settings as well as the UsePAM. I suspect some recent
> upgrade may have changed the default value of some of these settings.
>
> I would normally suggest changing the client's config to interoperate with
> the server, but since that's not easy to do on a Junos device, you might look
> at changing the server config.
>
> --Stacy
[j-nsp] authentication failure in case of configuration archival over scp
Hi,

I have a Juniper router (Junos 10.4R12.4) which should archive its
configuration over scp in case of commit:

configuration {
    transfer-on-commit;
    archive-sites {
        "scp://juniper@backupserver:/home/juniper/configbackups" password "$9$2joDkf5F9tOik0IhcMWGDjq5Q"; ## SECRET-DATA
    }
}

In addition, it has SSH server public-key under "ssh-known-hosts".
This setup worked fine for a while, but all of a sudden the router is no
longer able to scp its configuration to the server. Router simply logs that
"transfer-file failed to transfer" and SSH server log tells that
"error: PAM: Authentication failure for juniper from r1". If I execute
scp from shell ("start shell sh"), then there are no problems:

$ scp /var/transfer/config/r1_juniper.conf.gz_20151021_135546 juniper@backupserver:/home/juniper/configbackups
Password:
r1_juniper.conf.gz_20151021_135546 100% 64KB 64.4KB/s 00:00
$

What might cause this?

thanks,
Martin
Re: [j-nsp] authentication failure in case of configuration archival over scp
> On Oct 21, 2015, at 10:16 AM, Martin T wrote:
>
> SSH server log tells that "error: PAM: Authentication failure for juniper
> from r1".

> What might cause this?

Assuming the Junos version has not changed on the router, have there been any
changes to the SSH server, or the OS, on backupserver (potentially including
"security patches")?

Assuming OpenSSH, you may want to "man sshd_config" and look into the various
Authentication settings as well as the UsePAM. I suspect some recent
upgrade may have changed the default value of some of these settings.

I would normally suggest changing the client's config to interoperate with
the server, but since that's not easy to do on a Junos device, you might look
at changing the server config.

--Stacy
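
Added example, not part of the thread: a Python check of which of the two methods discussed above (password and keyboard-interactive) a given sshd_config enables globally, as a starting point for the "man sshd_config" review suggested in the replies. It assumes upstream OpenSSH defaults, treats ChallengeResponseAuthentication as the deprecated alias of KbdInteractiveAuthentication as in current OpenSSH, assumes PAM is the only keyboard-interactive backend, and ignores Match blocks; both sample configs are constructed.

```python
# Added example: which password-style SSH auth methods does an sshd_config enable?
# Assumption: upstream OpenSSH defaults; distributions often ship other values.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "usepam": "no",
}
# Assumption: deprecated alias, as in current OpenSSH releases.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Constructed sample: server that only offers the PAM conversation.
KBDINT_ONLY = """\
# constructed sample
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
"""
# Constructed sample: duplicate keyword and a Match block.
BOTH = """\
UsePAM yes
PasswordAuthentication yes
passwordauthentication no   # ignored: first value wins
Match User juniper
    PasswordAuthentication no
"""

def effective_settings(config_text):
    """Global value of each tracked keyword; the first occurrence wins."""
    seen = {}
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].replace("=", " ", 1).split()
        if not parts:
            continue
        key = parts[0].lower()          # keywords are case-insensitive
        if key == "match":
            break                       # conditional blocks are not evaluated here
        key = ALIASES.get(key, key)
        if key in DEFAULTS and key not in seen and len(parts) > 1:
            seen[key] = parts[1].lower()
    return {**DEFAULTS, **seen}

def offered_methods(config_text):
    """SSH userauth method names a client can use to present a password."""
    s = effective_settings(config_text)
    methods = []
    if s["passwordauthentication"] == "yes":
        methods.append("password")
    # Assumption: keyboard-interactive is backed by PAM only.
    if s["kbdinteractiveauthentication"] == "yes" and s["usepam"] == "yes":
        methods.append("keyboard-interactive")
    return methods

if __name__ == "__main__":
    print(offered_methods(KBDINT_ONLY), offered_methods(BOTH))
```

On a live server, `sshd -T` prints the effective configuration, including Match-dependent values, and is the authoritative check.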