[c-nsp] cisco ssh login problem
Mike
mike-cisconsplist at tiedyenetworks.com
Wed Feb 12 21:27:13 EST 2014
Hi,
I have become aware of a small issue concerning ssh logins to cisco
devices - in my case, a 3560g switch.
I have a passwordless login for basic tech access to show various
outputs, works great. I can ssh -l mycredentials to the switch and I get
right in.
If I happen to be running with an ssh-agent (storing my ssh keys for
various devices, for administrative convenience) and I try to ssh into
said switch, the connection fails.
I have discovered that I can work around the problem by using the following:
SSH_AUTH_SOCK=0 ssh -p 22 -l mycredentials some.network.switch.com
The debug is as follows, first with my ssh agent running on the client
machine used for the login attempt:
Feb 12 18:11:53.721 PST: SSH1: starting SSH control process
Feb 12 18:11:53.721 PST: SSH1: sent protocol version id SSH-2.0-Cisco-1.25
Feb 12 18:11:53.746 PST: SSH1: protocol version id is -
SSH-2.0-OpenSSH_6.0p1 Debian-4
Feb 12 18:11:53.754 PST: SSH2 1: SSH2_MSG_KEXINIT sent
Feb 12 18:11:53.788 PST: SSH2 1: SSH2_MSG_KEXINIT received
Feb 12 18:11:53.788 PST: SSH2:kex: client->server enc:aes128-cbc
mac:hmac-md5
Feb 12 18:11:53.788 PST: SSH2:kex: server->client enc:aes128-cbc
mac:hmac-md5
Feb 12 18:11:53.821 PST: SSH2 1: SSH2_MSG_KEX_DH_GEX_REQUEST received
Feb 12 18:11:53.821 PST: SSH2 1: Range sent by client is - 1024 < 1024 <
8192
Feb 12 18:11:53.821 PST: SSH2 1: Modulus size established : 1024 bits
Feb 12 18:11:53.855 PST: SSH2 1: expecting SSH2_MSG_KEX_DH_GEX_INIT
Feb 12 18:11:53.855 PST: SSH2 1: SSH2_MSG_KEXDH_INIT received
Feb 12 18:11:54.014 PST: SSH2: kex_derive_keys complete
Feb 12 18:11:54.014 PST: SSH2 1: SSH2_MSG_NEWKEYS sent
Feb 12 18:11:54.014 PST: SSH2 1: waiting for SSH2_MSG_NEWKEYS
Feb 12 18:11:54.048 PST: SSH2 1: SSH2_MSG_NEWKEYS received
Feb 12 18:11:54.308 PST: SSH2 1: Using method = none
Feb 12 18:11:54.341 PST: SSH2 1: Using method = publickey
Feb 12 18:11:54.341 PST: SSH1: password authentication failed for fooldya
Feb 12 18:11:56.380 PST: SSH2 1: Using method = publickey
Feb 12 18:11:56.380 PST: SSH1: password authentication failed for fooldya
Feb 12 18:11:58.410 PST: SSH2 1: Using method = publickey
Feb 12 18:11:58.410 PST: SSH1: password authentication failed for fooldya
Feb 12 18:12:00.415 PST: SSH2 1: authentication failed for userid (code=1)
Feb 12 18:12:00.515 PST: SSH1: Session disconnected - error 0x09
Now that same debug when I use SSH_AUTH_SOCK=0:
Feb 12 18:15:50.829 PST: SSH1: starting SSH control process
Feb 12 18:15:50.829 PST: SSH1: sent protocol version id SSH-2.0-Cisco-1.25
Feb 12 18:15:50.862 PST: SSH1: protocol version id is -
SSH-2.0-OpenSSH_6.0p1 Debian-4
Feb 12 18:15:50.871 PST: SSH2 1: SSH2_MSG_KEXINIT sent
Feb 12 18:15:50.896 PST: SSH2 1: SSH2_MSG_KEXINIT received
Feb 12 18:15:50.896 PST: SSH2:kex: client->server enc:aes128-cbc
mac:hmac-md5
Feb 12 18:15:50.904 PST: SSH2:kex: server->client enc:aes128-cbc
mac:hmac-md5
Feb 12 18:15:50.929 PST: SSH2 1: SSH2_MSG_KEX_DH_GEX_REQUEST received
Feb 12 18:15:50.929 PST: SSH2 1: Range sent by client is - 1024 < 1024 <
8192
Feb 12 18:15:50.929 PST: SSH2 1: Modulus size established : 1024 bits
Feb 12 18:15:50.955 PST: SSH2 1: expecting SSH2_MSG_KEX_DH_GEX_INIT
Feb 12 18:15:50.963 PST: SSH2 1: SSH2_MSG_KEXDH_INIT received
Feb 12 18:15:51.122 PST: SSH2: kex_derive_keys complete
Feb 12 18:15:51.122 PST: SSH2 1: SSH2_MSG_NEWKEYS sent
Feb 12 18:15:51.122 PST: SSH2 1: waiting for SSH2_MSG_NEWKEYS
Feb 12 18:15:51.156 PST: SSH2 1: SSH2_MSG_NEWKEYS received
Feb 12 18:15:51.416 PST: SSH2 1: Using method = none
Feb 12 18:15:51.449 PST: SSH2 1: Using method = keyboard-interactive
Feb 12 18:15:51.449 PST: AAA SRV(0000015B): process authen req
Feb 12 18:15:51.449 PST: AAA SRV(0000015B): Authen method=LOCAL
Feb 12 18:15:51.449 PST: AAA/LOCAL/LOGIN(0000015B): no password
Feb 12 18:15:51.449 PST: AAA SRV(0000015B): protocol reply PASS for
Authentication
Feb 12 18:15:51.449 PST: AAA SRV(0000015B): Return Authentication
status=PASS
Feb 12 18:15:51.449 PST: SSH2 1: authentication successful for fooldya
Feb 12 18:15:51.483 PST: SSH2 1: channel open request
Feb 12 18:15:51.517 PST: SSH2 1: pty-req request
Feb 12 18:15:51.517 PST: SSH2 1: setting TTY - requested: height 70,
width 237; set: height 70, width 237
Feb 12 18:15:51.517 PST: SSH2 1: env request
Feb 12 18:15:51.517 PST: SSH2 1: shell request
Feb 12 18:15:51.517 PST: SSH2 1: shell message received
Feb 12 18:15:51.517 PST: SSH2 1: starting shell for vty
I am aware I can set options in my local ssh that apply to these
devices so I don't have to remember every time, but I was wondering if
there would be some way for the cisco to override and use
'keyboard-interactive'?
Mike-
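An added client-side ssh_config example (not from Mike's post) that pins the authentication method per host so the keys held by the ssh-agent are never offered to the switch; the Host pattern and username are assumptions:

```sshconfig
# Added example, not part of the original post. The host pattern and user
# are assumed; replace them with the real switch names and credentials.
Host some.network.switch.com *.network.switch.com
    User mycredentials
    # Do not offer any public key, so an agent full of keys for other
    # devices cannot burn through the switch's "password authentication
    # failed" attempts before keyboard-interactive is ever tried.
    PubkeyAuthentication no
    # Try keyboard-interactive first, plain password only as a fallback.
    PreferredAuthentications keyboard-interactive,password
    # If PubkeyAuthentication is ever re-enabled for this host, only use
    # keys named with IdentityFile here, never everything in the agent.
    IdentitiesOnly yes
```

For a one-off check without editing the file, the same effect comes from `ssh -o PubkeyAuthentication=no -l mycredentials some.network.switch.com`. `IdentityAgent none` is a third option but only exists in OpenSSH 7.3 and later, not in the 6.0p1 client shown in the debug.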