[j-nsp] authentication failure in case of configuration archival over scp

Martin T m4rtntns at gmail.com
Mon Oct 26 19:12:37 EDT 2015


Stacy,

I configured the SSH server (OpenSSH) to log both the user name and
password for all successful and unsuccessful authorization attempts,
and it turned out that the Juniper router sends an empty string as
a password. I guess Junos uses the FreeBSD scp utility for
configuration archival if the following configuration is used:

configuration {
    transfer-on-commit;
    archive-sites {
        "scp://juniper@backupserver:/home/juniper/configbackups" password "$9$2joDkf5F9tOik0IhcMWGDjq5Q"; ## SECRET-DATA
    }
}


If yes, then Junos probably provides an empty password string to scp.
The underlying XML also holds the correct obfuscated password, i.e. as
far as I can tell, the password in the configuration is correct. I also
tried with other passwords, but the router still sends an empty string.
How can I troubleshoot this further? Has anyone seen such behavior
(possibly a bug) before?


thanks,
Martin

On Wed, Oct 21, 2015 at 7:39 PM, Stacy W. Smith <stacy at acm.org> wrote:
>
>> On Oct 21, 2015, at 10:16 AM, Martin T <m4rtntns at gmail.com> wrote:
>>
>> SSH server log tells that "error: PAM: Authentication failure for juniper from r1".
>
>> What might cause this?
>
> Assuming the Junos version has not changed on the router, have there been any changes to the SSH server, or the OS, on backupserver (potentially including "security patches")?
>
> Assuming OpenSSH, you may want to "man sshd_config" and look into the various <Method>Authentication settings as well as the UsePAM. I suspect some recent upgrade may have changed the default value of some of these settings.
>
> I would normally suggest changing the client's config to interoperate with the server, but since that's not easy to do on a Junos device, you might look at changing the server config.
>
> --Stacy
>
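
An added example, not part of the original thread: a Python sketch that tallies, per user, which SSH authentication methods sshd logged as failed or accepted, to help tell whether the router is attempting password or keyboard-interactive (PAM) authentication. The sample log is constructed; only the PAM error line follows the one quoted above, and the other lines assume OpenSSH's usual "Failed/Accepted <method> for <user> from <addr> port <n>" format.

```python
import re
from collections import defaultdict

# Constructed sample in OpenSSH syslog format. Only the PAM error line mirrors
# the one quoted in the thread; addresses, PIDs and other users are made up.
SAMPLE_LOG = """\
Oct 21 10:01:02 backupserver sshd[4101]: error: PAM: Authentication failure for juniper from r1
Oct 21 10:01:02 backupserver sshd[4101]: Failed keyboard-interactive/pam for juniper from 192.0.2.10 port 51234 ssh2
Oct 21 10:01:03 backupserver sshd[4101]: Failed password for juniper from 192.0.2.10 port 51234 ssh2
Oct 21 10:05:40 backupserver sshd[4188]: Accepted publickey for admin from 192.0.2.20 port 40022 ssh2
Oct 21 10:07:11 backupserver sshd[4203]: Failed password for invalid user test from 192.0.2.30 port 40100 ssh2
"""

# "Failed password for juniper from ..." / "Accepted publickey for admin from ..."
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")
# "error: PAM: Authentication failure for juniper from r1"
PAM_RE = re.compile(
    r"sshd\[\d+\]: error: PAM: (?P<reason>.+) for (?P<user>\S+) from (?P<src>\S+)")

def summarize(log_text):
    """Per user: failed/accepted counts by method, PAM error reasons, sources seen."""
    out = defaultdict(lambda: {"failed": defaultdict(int), "accepted": defaultdict(int),
                               "pam_errors": [], "sources": set()})
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            entry = out[m["user"]]
            entry[m["result"].lower()][m["method"]] += 1
            entry["sources"].add(m["src"])
            continue
        m = PAM_RE.search(line)
        if m:
            entry = out[m["user"]]
            entry["pam_errors"].append(m["reason"])
            entry["sources"].add(m["src"])
    return out

def failed_only(summary):
    """Users that failed at least one method and never authenticated."""
    return sorted(u for u, e in summary.items() if e["failed"] and not e["accepted"])

if __name__ == "__main__":
    for user, e in summarize(SAMPLE_LOG).items():
        print(user, dict(e["failed"]), dict(e["accepted"]), e["pam_errors"], sorted(e["sources"]))
```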

