Author Topic: Cannot SSH into SSG from Mac OS X 10.5.5  (Read 3284 times)

olivierj

Cannot SSH into SSG from Mac OS X 10.5.5
« on: September 29, 2008, 07:35:32 am »
Ever since I upgraded to OS X 10.5.5 I cannot ssh to Juniper boxes. Has anyone encountered such an issue? Below is my debug of the connection:

OJs-Powerbook:~ olivierj$ ssh -vvv netscreen@10.0.0.24
OpenSSH_5.1p1, OpenSSL 0.9.7l 28 Sep 2006
debug1: Reading configuration data /etc/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to 10.0.0.24 [10.0.0.24] port 22.
debug1: Connection established.
debug1: identity file /Users/olivierj/.ssh/identity type -1
debug1: identity file /Users/olivierj/.ssh/id_rsa type -1
debug3: Not a RSA1 key file /Users/olivierj/.ssh/id_dsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /Users/olivierj/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version NetScreen
debug1: no match: NetScreen
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss
debug2: kex_parse_kexinit: 3des-cbc
debug2: kex_parse_kexinit: 3des-cbc
debug2: kex_parse_kexinit: hmac-sha1
debug2: kex_parse_kexinit: hmac-sha1
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-sha1
debug1: kex: server->client 3des-cbc hmac-sha1 none
debug2: mac_setup: found hmac-sha1
debug1: kex: client->server 3des-cbc hmac-sha1 none
debug2: dh_gen_key: priv key bits set: 184/384
debug2: bits set: 505/1024
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug3: check_host_in_hostfile: filename /Users/olivierj/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 52
debug1: Host '10.0.0.24' is known and matches the DSA host key.
debug1: Found key in /Users/olivierj/.ssh/known_hosts:52
debug2: bits set: 504/1024
debug1: ssh_dss_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /Users/olivierj/.ssh/id_dsa (0x103290)
debug2: key: /Users/olivierj/.ssh/identity (0x0)
debug2: key: /Users/olivierj/.ssh/id_rsa (0x0)
debug1: Authentications that can continue: password
debug3: start over, passed a different list password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup password
debug3: remaining preferred: ,keyboard-interactive,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
netscreen@10.0.0.24's password:
debug3: packet_send2: adding 56 (len 64 padlen 8 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug2: callback start
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug3: tty_make_modes: ospeed 38400
debug3: tty_make_modes: ispeed 38400
debug2: channel 0: request shell confirm 1
debug2: fd 3 setting TCP_NODELAY
debug2: callback done
debug2: channel 0: open confirm rwindow 2048 rmax 1024
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
  #0 client-session (t4 r2 i0/0 o0/0 fd 4/5 cfd -1)

debug3: channel 0: close_fds r 4 w 5 e 6 c -1
Connection to 10.0.0.24 closed by remote host.
Connection to 10.0.0.24 closed.
Transferred: sent 1592, received 912 bytes, in 0.0 seconds
Bytes per second: sent 660272.1, received 378246.3
debug1: Exit status -1


Here is the output of a "debug ssh all" from the SSG:

SSG550(M)-> get db stream
## 2008-09-29 15:44:48 : SSH message: OUT - SSH_MSG_CHANNEL_DATA(94)
## 2008-09-29 15:44:48 : SSH netio: send(s=25, l=52) = 52
## 2008-09-29 15:44:48 : SSH netio: send(25,,52,) = 52
## 2008-09-29 15:45:04 : --- send_init_string()
## 2008-09-29 15:45:04 : SSH state trans: SSH_STATE_FREE(0) -> SSH_STATE_INIT(1)
## 2008-09-29 15:45:04 : SSH netio: recv(s=26, l=64) = 21
## 2008-09-29 15:45:04 : SSH: >>> process_init_string()
## 2008-09-29 15:45:04 : SSH: --- process_init_string() init_string='SSH-2.0-OpenSSH_5.1
' : bytes=21
## 2008-09-29 15:45:04 : SSH: >>> ssh_remove_cr_nl(str=0x1b0bb95c)
## 2008-09-29 15:45:04 : SSH: --- ssh_remove_cr_nl() :  nl=0x1b0bb970 : cr=0x1b0bb96f : nl_len=20 : cr_len=19
## 2008-09-29 15:45:04 : SSH: <<< ssh_remove_cr_nl(*bytes_removed=2) = 19
## 2008-09-29 15:45:04 : SSH: <<< process_init_string() = 1
## 2008-09-29 15:45:04 : SSH state trans: SSH_STATE_INIT(1) -> SSH_STATE_SEND_NEG(2)
## 2008-09-29 15:45:04 : SSH netio: recv(s=26, l=64) = 64
## 2008-09-29 15:45:04 : SSH message: OUT - SSH_MSG_KEXINIT(20)
## 2008-09-29 15:45:04 : SSH netio: send(s=26, l=152) = 152
## 2008-09-29 15:45:04 : SSH netio: send(26,,152,) = 152
## 2008-09-29 15:45:04 : SSH: >>> ssh_remove_cr_nl(str=0x1af18514)
## 2008-09-29 15:45:04 : SSH: --- ssh_remove_cr_nl() :  nl=0x1af18526 : cr=0x1af18525 : nl_len=18 : cr_len=17
## 2008-09-29 15:45:04 : SSH: <<< ssh_remove_cr_nl(*bytes_removed=2) = 17
## 2008-09-29 15:45:04 : SSH state trans: SSH_STATE_SEND_NEG(2) -> SSH_STATE_RECV_NEG(3)
## 2008-09-29 15:45:04 : extending recv() buffer
## 2008-09-29 15:45:04 : SSH netio: recv(s=26, l=136) = 136
## 2008-09-29 15:45:04 : SSH: >>> process_binary_frame()
## 2008-09-29 15:45:04 : SSH: --- process_binary_frame() : buf_len=200 : packet_len=788
## 2008-09-29 15:45:04 : SSH: <<< process_binary_frame() = 0
## 2008-09-29 15:45:04 : extending recv() buffer
## 2008-09-29 15:45:04 : SSH netio: recv(s=26, l=136) = 136
## 2008-09-29 15:45:04 : SSH: >>> process_binary_frame()
## 2008-09-29 15:45:04 : SSH: --- process_binary_frame() : buf_len=336 : packet_len=788
## 2008-09-29 15:45:04 : SSH: <<< process_binary_frame() = 0
## 2008-09-29 15:45:04 : extending recv() buffer
## 2008-09-29 15:45:04 : SSH netio: recv(s=26, l=136) = 136
## 2008-09-29 15:45:04 : SSH: >>> process_binary_frame()
## 2008-09-29 15:45:04 : SSH: --- process_binary_frame() : buf_len=472 : packet_len=788
## 2008-09-29 15:45:04 : SSH: <<< process_binary_frame() = 0
## 2008-09-29 15:45:04 : extending recv() buffer
## 2008-09-29 15:45:04 : SSH netio: recv(s=26, l=136) = 136
## 2008-09-29 15:45:04 : SSH: >>> process_binary_frame()
## 2008-09-29 15:45:04 : SSH: --- process_binary_frame() : buf_len=608 : packet_len=788
## 2008-09-29 15:45:04 : SSH: <<< process_binary_frame() = 0
## 2008-09-29 15:45:04 : extending recv() buffer
## 2008-09-29 15:45:04 : SSH netio: recv(s=26, l=136) = 136
## 2008-09-29 15:45:04 : SSH: >>> process_binary_frame()
## 2008-09-29 15:45:04 : SSH: --- process_binary_frame() : buf_len=744 : packet_len=788
## 2008-09-29 15:45:04 : SSH: <<< process_binary_frame() = 0
## 2008-09-29 15:45:04 : extending recv() buffer
## 2008-09-29 15:45:04 : SSH netio: recv(s=26, l=136) = 48
## 2008-09-29 15:45:04 : SSH: >>> process_binary_frame()
## 2008-09-29 15:45:04 : SSH: --- process_binary_frame() : buf_len=792 : packet_len=788
## 2008-09-29 15:45:04 : SSH: --- process_binary_frame() : padding_len =8 : message_type=20
## 2008-09-29 15:45:04 : SSH message: IN - SSH_MSG_KEXINIT(20)
## 2008-09-29 15:45:04 : SSH: <<< process_binary_frame() = 1
## 2008-09-29 15:45:04 : --- process_kex_neg()
## 2008-09-29 15:45:04 : SSH state trans: SSH_STATE_RECV_NEG(3) -> SSH_STATE_RECV_DH_KEX(5)
## 2008-09-29 15:45:04 : SSH netio: recv(s=26, l=880) = 144
## 2008-09-29 15:45:04 : SSH: >>> process_binary_frame()
## 2008-09-29 15:45:04 : SSH: --- process_binary_frame() : buf_len=144 : packet_len=140
## 2008-09-29 15:45:04 : SSH: --- process_binary_frame() : padding_len =6 : message_type=30
## 2008-09-29 15:45:04 : SSH message: IN - SSH_MSG_KEXDH_INIT(30)
## 2008-09-29 15:45:04 : SSH: <<< process_binary_frame() = 1
## 2008-09-29 15:45:04 : SSH message: OUT - SSH_MSG_KEXDH_REPLY(31)
## 2008-09-29 15:45:04 : SSH state trans: SSH_STATE_RECV_DH_KEX(5) -> SSH_STATE_SEND_DH_KEX(4)
## 2008-09-29 15:45:04 : SSH netio: send(s=26, l=640) = 640
## 2008-09-29 15:45:04 : SSH netio: send(26,,640,) = 640
## 2008-09-29 15:45:04 : SSH state trans: SSH_STATE_SEND_DH_KEX(4) -> SSH_STATE_SEND_NEW_KEYS(7)
## 2008-09-29 15:45:04 : SSH netio: recv(s=26, l=880) = 16
## 2008-09-29 15:45:04 : SSH message: OUT - SSH_MSG_NEWKEYS(21)
## 2008-09-29 15:45:04 : SSH netio: send(s=26, l=16) = 16
## 2008-09-29 15:45:04 : SSH netio: send(26,,16,) = 16
## 2008-09-29 15:45:04 : SSH state trans: SSH_STATE_SEND_NEW_KEYS(7) -> SSH_STATE_RECV_NEW_KEYS(6)
## 2008-09-29 15:45:04 : SSH netio: Another message,In_enc_buffer# alloc 880, end 16,offset 0
## 2008-09-29 15:45:04 : SSH: >>> process_binary_frame()
## 2008-09-29 15:45:04 : SSH: --- process_binary_frame() : buf_len=16 : packet_len=12
## 2008-09-29 15:45:04 : SSH: --- process_binary_frame() : padding_len =10 : message_type=21
## 2008-09-29 15:45:04 : SSH message: IN - SSH_MSG_NEWKEYS(21)
## 2008-09-29 15:45:04 : SSH: <<< process_binary_frame() = 1
## 2008-09-29 15:45:04 : SSH state trans: SSH_STATE_RECV_NEW_KEYS(6) -> SSH_STATE_BANNER(8)
## 2008-09-29 15:45:04 : SSH netio: recv(s=26, l=880) = 52
## 2008-09-29 15:45:04 : SSH state trans: SSH_STATE_BANNER(8) -> SSH_STATE_CONNECTING(9)
## 2008-09-29 15:45:04 : SSH netio: Another message,In_enc_buffer# alloc 880, end 52,offset 0
## 2008-09-29 15:45:04 : decrypted message length 28
## 2008-09-29 15:45:04 : SSH netio: packet decrypted..In_enc_buffer# alloc 880, end 52,offset 32
## 2008-09-29 15:45:04 : SSH message: IN - SSH_MSG_SERVICE_REQUEST(5)
## 2008-09-29 15:45:04 : SSH message: OUT - SSH_MSG_SERVICE_ACCEPT(6)
## 2008-09-29 15:45:04 : SSH netio: send(s=26, l=52) = 52
## 2008-09-29 15:45:04 : SSH netio: send(26,,52,) = 52
## 2008-09-29 15:45:04 : SSH netio: recv(s=26, l=880) = 76
## 2008-09-29 15:45:04 : decrypted message length 52
## 2008-09-29 15:45:04 : SSH netio: packet decrypted..In_enc_buffer# alloc 880, end 76,offset 56
## 2008-09-29 15:45:04 : SSH message: IN - SSH_MSG_USERAUTH_REQUEST(50)
## 2008-09-29 15:45:04 : SSH auth: >>> process_auth_request(ip=192.229.171.1, port=61121)
## 2008-09-29 15:45:04 : SSH auth: --- process_auth_request() : admin=netscreen service=ssh-connection method=none
## 2008-09-29 15:45:04 : SSH message: OUT - SSH_MSG_USERAUTH_FAILURE(51)
## 2008-09-29 15:45:04 : SSH auth: --- ssh_build_auth_fail() : auth_types=password
## 2008-09-29 15:45:04 : SSH netio: send(s=26, l=44) = 44
## 2008-09-29 15:45:04 : SSH netio: send(26,,44,) = 44
## 2008-09-29 15:45:04 : SSH auth: <<< process_auth_request(aaid=0) = 0
## 2008-09-29 15:45:09 : SSH netio: recv(s=26, l=880) = 148
## 2008-09-29 15:45:09 : decrypted message length 124
## 2008-09-29 15:45:09 : SSH netio: packet decrypted..In_enc_buffer# alloc 880, end 148,offset 128
## 2008-09-29 15:45:09 : SSH message: IN - SSH_MSG_USERAUTH_REQUEST(50)
## 2008-09-29 15:45:09 : SSH auth: >>> process_auth_request(ip=192.229.171.1, port=61121)
## 2008-09-29 15:45:09 : SSH auth: --- process_auth_request() : admin=netscreen service=ssh-connection method=password
## 2008-09-29 15:45:09 : SSH auth: --- password auth: password = 1a839c44 : length=10 : failure=0
## 2008-09-29 15:45:09 : SSH auth: >>> sshv2_auth(name=netscreen)
## 2008-09-29 15:45:09 : SSH auth: <<< sshv2_auth(aaid=9) = 1
## 2008-09-29 15:45:09 : SSH message: OUT - SSH_MSG_USERAUTH_SUCCESS(52)
## 2008-09-29 15:45:09 : SSH netio: send(s=26, l=36) = 36
## 2008-09-29 15:45:09 : SSH netio: send(26,,36,) = 36
## 2008-09-29 15:45:09 : SSH auth: <<< process_auth_request(aaid=9) = 1
## 2008-09-29 15:45:09 : SSH netio: recv(s=26, l=880) = 128
## 2008-09-29 15:45:09 : decrypted message length 36
## 2008-09-29 15:45:09 : SSH netio: packet decrypted..In_enc_buffer# alloc 880, end 128,offset 40
## 2008-09-29 15:45:09 : SSH message: IN - SSH_MSG_CHANNEL_OPEN(90)
## 2008-09-29 15:45:09 : --- process_channel_open()
## 2008-09-29 15:45:09 : SSH message: OUT - SSH_MSG_CHANNEL_OPEN_CONFIRMATION(91)
## 2008-09-29 15:45:09 : SSH netio: send(s=26, l=52) = 52
## 2008-09-29 15:45:09 : SSH netio: send(26,,52,) = 52
## 2008-09-29 15:45:09 : SSH netio: Another message,In_enc_buffer# alloc 880, end 128,offset 60
## 2008-09-29 15:45:09 : decrypted message length 44
## 2008-09-29 15:45:09 : SSH netio: packet decrypted..In_enc_buffer# alloc 880, end 128,offset 108
## 2008-09-29 15:45:09 : SSH message: IN - unknown message type(80)
## 2008-09-29 15:45:09 : SSH state trans: SSH_STATE_CONNECTING(9) -> SSH_STATE_CLOSE(99)
## 2008-09-29 15:45:09 : SSH netio: recv(s=26, l=880) = 376
## 2008-09-29 15:45:09 : SSH conn: >>> ssh_free_shell()
## 2008-09-29 15:45:09 : SSH conn: <<< ssh_free_shell()
## 2008-09-29 15:45:09 : SSH state trans: SSH_STATE_FREE(0) -> SSH_STATE_FREE(0)
## 2008-09-29 15:45:13 : SSH netio: recv(s=25, l=744) = 44
## 2008-09-29 15:45:13 : decrypted message length 20
## 2008-09-29 15:45:13 : SSH netio: packet decrypted..In_enc_buffer# alloc 744, end 44,offset 24
## 2008-09-29 15:45:13 : SSH message: IN - SSH_MSG_CHANNEL_DATA(94)
## 2008-09-29 15:45:13 : SSH conn: >>> transfer_channel_data_to_application()
## 2008-09-29 15:45:13 : SSH conn: <<< transfer_channel_data_to_application()
SSG550(M)->   
JNSS,JNCIS-FWV
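
Added example (not part of the original posts): a small parser for the SSG "debug ssh all" output that reports the last message logged before the device moves to SSH_STATE_CLOSE and names it from the RFC 4250 message numbers. On an excerpt of the log above it returns message 80, SSH_MSG_GLOBAL_REQUEST, which is the message type OpenSSH uses to carry the no-more-sessions@openssh.com request visible in the client trace. The function and variable names are illustrative.

```python
import re

# SSH message numbers (RFC 4250 section 4.1), limited to those in this thread's logs.
SSH_MSG_NAMES = {
    5: "SSH_MSG_SERVICE_REQUEST", 6: "SSH_MSG_SERVICE_ACCEPT",
    20: "SSH_MSG_KEXINIT", 21: "SSH_MSG_NEWKEYS",
    50: "SSH_MSG_USERAUTH_REQUEST", 51: "SSH_MSG_USERAUTH_FAILURE",
    52: "SSH_MSG_USERAUTH_SUCCESS", 80: "SSH_MSG_GLOBAL_REQUEST",
    90: "SSH_MSG_CHANNEL_OPEN", 91: "SSH_MSG_CHANNEL_OPEN_CONFIRMATION",
    94: "SSH_MSG_CHANNEL_DATA",
}

# "SSH message: IN - <label>(<number>)" and "SSH state trans: A(n) -> B(m)"
MSG_RE = re.compile(r"SSH message: (IN|OUT) - (.+?)\((\d+)\)")
STATE_RE = re.compile(r"SSH state trans: (\w+)\((\d+)\) -> (\w+)\((\d+)\)")

# Excerpt of the SSG550 debug output quoted in the post above.
SAMPLE_LOG = """\
## 2008-09-29 15:45:09 : SSH message: OUT - SSH_MSG_USERAUTH_SUCCESS(52)
## 2008-09-29 15:45:09 : SSH message: IN - SSH_MSG_CHANNEL_OPEN(90)
## 2008-09-29 15:45:09 : --- process_channel_open()
## 2008-09-29 15:45:09 : SSH message: OUT - SSH_MSG_CHANNEL_OPEN_CONFIRMATION(91)
## 2008-09-29 15:45:09 : decrypted message length 44
## 2008-09-29 15:45:09 : SSH message: IN - unknown message type(80)
## 2008-09-29 15:45:09 : SSH state trans: SSH_STATE_CONNECTING(9) -> SSH_STATE_CLOSE(99)
## 2008-09-29 15:45:09 : SSH conn: >>> ssh_free_shell()
"""


def find_close_trigger(log_text):
    """Return (direction, device_label, number, rfc_name) for the last SSH
    message logged before the first transition into SSH_STATE_CLOSE,
    or None if the log never reaches that state."""
    last_msg = None
    for line in log_text.splitlines():
        msg = MSG_RE.search(line)
        if msg:
            last_msg = (msg.group(1), msg.group(2).strip(), int(msg.group(3)))
            continue
        state = STATE_RE.search(line)
        if state and state.group(3) == "SSH_STATE_CLOSE" and last_msg:
            direction, label, number = last_msg
            rfc_name = SSH_MSG_NAMES.get(number, "not in table")
            return direction, label, number, rfc_name
    return None


if __name__ == "__main__":
    print(find_close_trigger(SAMPLE_LOG))
```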

atkinsonr

Re: Cannot SSH into SSG from Mac OS X 10.5.5
« Reply #1 on: September 30, 2008, 05:32:01 am »
We just had this discussion on forums.juniper.net. Another person recommended this setting:

ssh -oControlMaster=auto

Put that in your ssh command and it should work. If you put a -q it will suppress any other error messages. You can also edit your /etc/ssh_config file and put in

ControlMaster    auto

if you want it to be global.

Ron


olivierj

Re: Cannot SSH into SSG from Mac OS X 10.5.5
« Reply #2 on: September 30, 2008, 06:28:21 am »
Thanks. I just saw it on the forums also.
JNSS,JNCIS-FWV

cryptochrome

  • Guest
Re: Cannot SSH into SSG from Mac OS X 10.5.5
« Reply #3 on: September 30, 2008, 07:42:09 am »
Cool. Thanks for that tip. I had a ticket open with Juniper Support and they couldn't solve this.

ZappZero

Re: Cannot SSH into SSG from Mac OS X 10.5.5
« Reply #4 on: December 24, 2016, 06:59:23 pm »
Sorry for reopening, but even with this workaround, I'm not able to connect to my ssg5 boxes:

Unable to negotiate with x.x.x.x : no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

...
debug1: Local version string SSH-2.0-OpenSSH_7.3
debug1: Remote protocol version 2.0, remote software version NetScreen
debug1: no match: NetScreen
debug1: Authenticating to x.x.x.x:22 as 'user'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: (no match)
Unable to negotiate with x.x.x.x port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

rjuniper

Re: Cannot SSH into SSG from Mac OS X 10.5.5
« Reply #5 on: March 14, 2017, 11:36:46 am »
Have you tried something like this?:

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-dss

I find that from modern Linux systems I need to explicitly enable support for older SSH options in order to get into my SSG5 and SSG320 systems.
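
Added example (not part of the original posts): a simplified model of SSH algorithm negotiation (RFC 4253 section 7.1, first client algorithm the server also lists) showing why the connection in Reply #4 fails and why both options in Reply #5 are needed. The server list is the SSG550 KEXINIT from the first post; the client list is constructed for illustration and is not copied from any OpenSSH release, and the function names are hypothetical.

```python
# Server proposal as logged by the client in the first post (SSG550 KEXINIT).
SSG_OFFER = {
    "kex": ["diffie-hellman-group1-sha1"],
    "hostkey": ["ssh-dss"],
    "cipher": ["3des-cbc"],
    "mac": ["hmac-sha1"],
}

# Constructed client proposal standing in for a modern default set (assumption).
MODERN_CLIENT = {
    "kex": ["curve25519-sha256@libssh.org", "ecdh-sha2-nistp256",
            "diffie-hellman-group-exchange-sha256", "diffie-hellman-group14-sha1"],
    "hostkey": ["ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-rsa"],
    "cipher": ["chacha20-poly1305@openssh.com", "aes128-ctr", "aes256-ctr", "3des-cbc"],
    "mac": ["hmac-sha2-256", "hmac-sha1"],
}


def negotiate(client, server):
    """For each category pick the first client algorithm the server also
    lists; None means that category cannot be negotiated."""
    return {cat: next((alg for alg in algs if alg in server[cat]), None)
            for cat, algs in client.items()}


def apply_plus(client, **additions):
    """Model the ssh_config '+' prefix: append algorithms to the default
    list of a category instead of replacing it."""
    merged = {cat: list(algs) for cat, algs in client.items()}
    for cat, algs in additions.items():
        merged[cat] += [alg for alg in algs if alg not in merged[cat]]
    return merged


def missing(client, server):
    """Categories for which client and server share no algorithm."""
    return sorted(cat for cat, alg in negotiate(client, server).items() if alg is None)


if __name__ == "__main__":
    print("defaults:", missing(MODERN_CLIENT, SSG_OFFER))
    kex_only = apply_plus(MODERN_CLIENT, kex=["diffie-hellman-group1-sha1"])
    print("+kex only:", missing(kex_only, SSG_OFFER))
    both = apply_plus(kex_only, hostkey=["ssh-dss"])
    print("+kex +hostkey:", negotiate(both, SSG_OFFER))
```

In ssh_config the same two options can be placed under a Host entry for the SSG addresses, so the legacy algorithms are not offered to other servers.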