[j-nsp] aes-gcm SSH ciphers broken in JunOS >=12.3R12-S13.1

[Tore Anderson]

Hello,

After upgrading a few old EX switches from 12.3R12-S12 to 12.3R12-S14 I found that I could no longer log in using SSH.

When the login attempt is made, the switch logs:

sshd[1521]: fatal: ssh_dispatch_run_fatal: Connection to <client ip address>: unexpected internal error [preauth]

The reason appears to be the cipher used.

The SSH server in JunOS 12.3R12-S12 advertises support for the following ciphers:

debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se

While 12.3R12-S14 advertises:

debug2: ciphers ctos: chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se

Note the addition of aes128-gcm at openssh.com and aes256-gcm at openssh.com. These are advertised by 12.3R12-S13.1 as well.

The Fedora OpenSSH client will use aes256-gcm at openssh.com by default when supported by the server, and this fails with the above error message. So does aes128-gcm at openssh.com.

Explicitly selecting another cipher works, e.g.:

ssh -o Ciphers=chacha20-poly1305 at openssh.com <switch>

Didn't find any KB article about this issue, so I thought I'd post here in case any Juniper employee would like to report it internally, as I'm guessing others will run into the same issue eventually. (My old switches are long out of support, so I can't open a JTAC case.)

Tore