Re: [j-nsp] authentication failure in case of configuration archival over scp

2015-10-27 Thread Michael Loftis
keyboard-interactive vs. password authentication.  They may "feel" the
same but they're not.  I'd check which is going on, and maybe try
configuring the server for the other.

On Mon, Oct 26, 2015 at 4:12 PM, Martin T  wrote:
> Stacy,
>
> I configured the SSH server (OpenSSH) to log both the user name and
> password for all the successful and unsuccessful authorization
> attempts, and it turned out that the Juniper router sends an empty
> string as a password. I guess Junos uses the FreeBSD scp utility for
> configuration archival if the following configuration is used:
>
> configuration {
>     transfer-on-commit;
>     archive-sites {
>         "scp://juniper@backupserver:/home/juniper/configbackups" password "$9$2joDkf5F9tOik0IhcMWGDjq5Q"; ## SECRET-DATA
>     }
> }
>
>
> If yes, then Junos probably provides an empty password string to scp.
> The underlying XML also holds the correct obfuscated password, i.e. as
> far as I can tell, the password in the configuration is correct. I also
> tried with other passwords, but the router still sends an empty string.
> How can I troubleshoot this further? Has anyone seen such behavior
> (possibly a bug) before?
>
>
> thanks,
> Martin
>
> On Wed, Oct 21, 2015 at 7:39 PM, Stacy W. Smith  wrote:
>>
>>> On Oct 21, 2015, at 10:16 AM, Martin T  wrote:
>>>
>>> SSH server log tells that "error: PAM: Authentication failure for juniper 
>>> from r1".
>>
>>> What might cause this?
>>
>> Assuming the Junos version has not changed on the router, have there been 
>> any changes to the SSH server, or the OS, on backupserver (potentially 
>> including "security patches")?
>>
>> Assuming OpenSSH, you may want to "man sshd_config" and look into the 
>> various Authentication settings as well as the UsePAM. I suspect 
>> some recent upgrade may have changed the default value of some of these 
>> settings.
>>
>> I would normally suggest changing the client's config to interoperate with 
>> the server, but since that's not easy to do on a Junos device, you might 
>> look at changing the server config.
>>
>> --Stacy
>>
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp



-- 

"Genius might be described as a supreme capacity for getting its possessors
into trouble of all kinds."
-- Samuel Butler
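
Added example, not part of the original thread or of any poster's message: one way to check on the server which of the two methods a client actually used, by reading the effective sshd settings and the "Accepted/Failed <method> for <user>" lines that OpenSSH writes to its auth log. The `sshd -T` excerpt, the log lines (apart from the PAM error text quoted in the thread), the 192.0.2.x addresses and all function names are constructed for illustration.

```python
import re

# Constructed excerpt of `sshd -T` (effective configuration) output.
SSHD_T = """\
usepam yes
passwordauthentication yes
challengeresponseauthentication yes
"""

# Constructed auth log lines in OpenSSH's format; names follow the thread.
LOG = """\
Oct 21 13:55:50 backupserver sshd[4121]: error: PAM: Authentication failure for juniper from r1
Oct 21 13:55:50 backupserver sshd[4121]: Failed keyboard-interactive/pam for juniper from 192.0.2.10 port 51234 ssh2
Oct 21 13:58:02 backupserver sshd[4177]: Accepted keyboard-interactive/pam for juniper from 192.0.2.10 port 51240 ssh2
Oct 21 14:02:11 backupserver sshd[4302]: Failed password for backup from 192.0.2.20 port 40022 ssh2
"""

# sshd logs the method name ("password", "keyboard-interactive/pam", ...) per attempt.
AUTH_RE = re.compile(r"sshd\[\d+\]: (Accepted|Failed) (\S+) for (?:invalid user )?(\S+) from ")

def offered_methods(sshd_t):
    """Return which of the two password-style methods the server offers."""
    pairs = (line.split(None, 1) for line in sshd_t.splitlines())
    cfg = {p[0]: p[1].strip() for p in pairs if len(p) == 2}
    offered = set()
    if cfg.get("passwordauthentication") == "yes":
        offered.add("password")
    # Older releases print challengeresponseauthentication, newer ones
    # kbdinteractiveauthentication; accept either key.
    kbd = cfg.get("kbdinteractiveauthentication", cfg.get("challengeresponseauthentication"))
    if kbd == "yes":
        offered.add("keyboard-interactive")
    return offered

def attempts_by_user(log):
    """Map user -> {(method, result): count}; the '/pam' device suffix is dropped."""
    out = {}
    for result, method, user in AUTH_RE.findall(log):
        key = (method.split("/")[0], result)
        out.setdefault(user, {})[key] = out.get(user, {}).get(key, 0) + 1
    return out

def report(log):
    """One summary line per user, method and result, sorted for stable output."""
    return [f"{user}: {result} {method} x{n}"
            for user, counts in sorted(attempts_by_user(log).items())
            for (method, result), n in sorted(counts.items())]

if __name__ == "__main__":
    print("server offers:", sorted(offered_methods(SSHD_T)))
    print("\n".join(report(LOG)))
```

On a real server the two inputs would come from `sshd -T` run as root and from the system's auth log.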


Re: [j-nsp] authentication failure in case of configuration archival over scp

2015-10-26 Thread Martin T
Stacy,

I configured the SSH server (OpenSSH) to log both the user name and
password for all the successful and unsuccessful authorization
attempts, and it turned out that the Juniper router sends an empty
string as a password. I guess Junos uses the FreeBSD scp utility for
configuration archival if the following configuration is used:

configuration {
    transfer-on-commit;
    archive-sites {
        "scp://juniper@backupserver:/home/juniper/configbackups" password "$9$2joDkf5F9tOik0IhcMWGDjq5Q"; ## SECRET-DATA
    }
}


If yes, then Junos probably provides an empty password string to scp.
The underlying XML also holds the correct obfuscated password, i.e. as
far as I can tell, the password in the configuration is correct. I also
tried with other passwords, but the router still sends an empty string.
How can I troubleshoot this further? Has anyone seen such behavior
(possibly a bug) before?


thanks,
Martin

On Wed, Oct 21, 2015 at 7:39 PM, Stacy W. Smith  wrote:
>
>> On Oct 21, 2015, at 10:16 AM, Martin T  wrote:
>>
>> SSH server log tells that "error: PAM: Authentication failure for juniper 
>> from r1".
>
>> What might cause this?
>
> Assuming the Junos version has not changed on the router, have there been any 
> changes to the SSH server, or the OS, on backupserver (potentially including 
> "security patches")?
>
> Assuming OpenSSH, you may want to "man sshd_config" and look into the various 
> Authentication settings as well as the UsePAM. I suspect some recent 
> upgrade may have changed the default value of some of these settings.
>
> I would normally suggest changing the client's config to interoperate with 
> the server, but since that's not easy to do on a Junos device, you might look 
> at changing the server config.
>
> --Stacy
>


[j-nsp] authentication failure in case of configuration archival over scp

2015-10-21 Thread Martin T
Hi,

I have a Juniper router (Junos 10.4R12.4) which should archive its
configuration over scp in case of commit:

configuration {
    transfer-on-commit;
    archive-sites {
        "scp://juniper@backupserver:/home/juniper/configbackups" password "$9$2joDkf5F9tOik0IhcMWGDjq5Q"; ## SECRET-DATA
    }
}

In addition, it has the SSH server public key under "ssh-known-hosts".
This setup worked fine for a while, but all of a sudden the router is no
longer able to scp its configuration to the server. The router simply logs
that "transfer-file failed to transfer" and the SSH server log tells that
"error: PAM: Authentication failure for juniper from r1". If I execute
scp from the shell ("start shell sh"), then there are no problems:

$ scp /var/transfer/config/r1_juniper.conf.gz_20151021_135546 juniper@backupserver:/home/juniper/configbackups
Password:
r1_juniper.conf.gz_20151021_135546            100%   64KB  64.4KB/s   00:00
$


What might cause this?


thanks,
Martin


Re: [j-nsp] authentication failure in case of configuration archival over scp

2015-10-21 Thread Stacy W. Smith

> On Oct 21, 2015, at 10:16 AM, Martin T  wrote:
> 
> SSH server log tells that "error: PAM: Authentication failure for juniper 
> from r1".

> What might cause this?

Assuming the Junos version has not changed on the router, have there been any 
changes to the SSH server, or the OS, on backupserver (potentially including 
"security patches")?

Assuming OpenSSH, you may want to "man sshd_config" and look into the various 
Authentication settings as well as the UsePAM. I suspect some recent 
upgrade may have changed the default value of some of these settings.

I would normally suggest changing the client's config to interoperate with the 
server, but since that's not easy to do on a Junos device, you might look at 
changing the server config.

--Stacy
