[j-nsp] authentication failure in case of configuration archival over scp

Michael Loftis mloftis at wgops.com
Tue Oct 27 14:45:10 EDT 2015


keyboard-interactive vs. password authentication.  They may "feel" the
same but they're not.  I'd check which is going on, and maybe try
configuring the server for the other.

On Mon, Oct 26, 2015 at 4:12 PM, Martin T <m4rtntns at gmail.com> wrote:
> Stacy,
>
> I configured the SSH server (OpenSSH) to log both the user name and
> password for all the successful and unsuccessful authorization
> attempts, and it turned out that the Juniper router sends an empty string as
> a password. I guess Junos uses the FreeBSD scp utility for configuration
> archival if the following configuration is used:
>
> configuration {
>     transfer-on-commit;
>     archive-sites {
>         "scp://juniper@backupserver:/home/juniper/configbackups" password "$9$2joDkf5F9tOik0IhcMWGDjq5Q"; ## SECRET-DATA
>     }
> }
>
>
> If yes, then Junos probably provides an empty password string to scp.
> Underlying XML also holds the correct obfuscated password, i.e. as far
> as I can tell, the password in configuration is correct. I also tried
> with other passwords, but the router still sends an empty string. How
> to troubleshoot this further? Has anyone seen such behavior (possibly a
> bug) before?
>
>
> thanks,
> Martin
>
> On Wed, Oct 21, 2015 at 7:39 PM, Stacy W. Smith <stacy at acm.org> wrote:
>>
>>> On Oct 21, 2015, at 10:16 AM, Martin T <m4rtntns at gmail.com> wrote:
>>>
>>> SSH server log tells that "error: PAM: Authentication failure for juniper from r1".
>>
>>> What might cause this?
>>
>> Assuming the Junos version has not changed on the router, have there been any changes to the SSH server, or the OS, on backupserver (potentially including "security patches")?
>>
>> Assuming OpenSSH, you may want to "man sshd_config" and look into the various <Method>Authentication settings as well as the UsePAM. I suspect some recent upgrade may have changed the default value of some of these settings.
>>
>> I would normally suggest changing the client's config to interoperate with the server, but since that's not easy to do on a Junos device, you might look at changing the server config.
>>
>> --Stacy
>>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp



-- 

"Genius might be described as a supreme capacity for getting its possessors
into trouble of all kinds."
-- Samuel Butler
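
The check suggested in the reply above (whether keyboard-interactive or password authentication is the one failing on backupserver), as an added example that is not part of the original thread: it reads sshd log lines and reports which method failed for an account, next to the sshd_config keywords that control that method. The log lines are constructed samples, and the function names and the `SETTINGS` table are this example's own.

```python
import re
from collections import Counter

# Constructed sample in OpenSSH sshd syslog format; hosts and addresses are made up.
SAMPLE_LOG = """\
Oct 21 10:16:01 backupserver sshd[2101]: error: PAM: Authentication failure for juniper from r1
Oct 21 10:16:01 backupserver sshd[2101]: Failed keyboard-interactive/pam for juniper from 192.0.2.1 port 51515 ssh2
Oct 21 10:25:09 backupserver sshd[2199]: Accepted password for juniper from 192.0.2.9 port 51702 ssh2
Oct 21 10:30:00 backupserver sshd[2250]: Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2
"""

# Result lines name the method: "Failed password for ...", "Accepted keyboard-interactive/pam for ..."
RESULT_RE = re.compile(r"sshd\[\d+\]: (Accepted|Failed) (\S+) for (?:invalid user )?(\S+) from \S+")
# The PAM error line quoted in the thread does not name the method, so it is tracked separately.
PAM_ERR_RE = re.compile(r"sshd\[\d+\]: error: PAM: .+? for (?:illegal user )?(\S+) from \S+")

SETTINGS = {
    "password": "PasswordAuthentication",
    "keyboard-interactive": "KbdInteractiveAuthentication / ChallengeResponseAuthentication, UsePAM",
}

def classify(line):
    """Return (user, method, result) for an authentication log line, else None."""
    m = RESULT_RE.search(line)
    if m:
        result, method, user = m.groups()
        return user, method.split("/")[0], result.lower()
    m = PAM_ERR_RE.search(line)
    return (m.group(1), "pam-error", "failed") if m else None

def summarize(log_text, user):
    """Count (method, result) pairs logged for one account."""
    counts = Counter()
    for line in log_text.splitlines():
        hit = classify(line)
        if hit and hit[0] == user:
            counts[hit[1:]] += 1
    return counts

def failing_methods(log_text, user):
    """Methods that failed for the account and were never accepted."""
    counts = summarize(log_text, user)
    failed = {m for m, r in counts if r == "failed" and m in SETTINGS}
    accepted = {m for m, r in counts if r == "accepted"}
    return sorted(failed - accepted)

if __name__ == "__main__":
    for method in failing_methods(SAMPLE_LOG, "juniper"):
        print(f"{method}: review {SETTINGS[method]} in sshd_config")
```

On the server, `sshd -T` prints the effective values of those keywords for comparison with what the log shows.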

