Comware


HPE 5900AF SSH fails to connect

  • 1.  HPE 5900AF SSH fails to connect

    Posted Nov 18, 2021 07:13 AM
    Had to redo the PKI, so I deleted all keys, certificates etc.

    I have SSL back with a properly issued certificate (offline, because the online SCEP way is just pants!), but completely lost SSH.

    DSA/RSA keys got re-created, the server is enabled, but all I get from a client is an instant disconnect!

    On the switch (console connection) I get:

    >%Nov 18 11:41:10:815 2021 HPE5900-SR1 SSHS/6/SSHS_DISCONNECT: SSH user (null) (IP: 10.0.6.2) disconnected from the server.

    [HPE5900-SR1]dis ssh server status
     Stelnet server: Enable
     SSH version : 1.99
     SSH authentication-timeout : 60 second(s)
     SSH server key generating interval : 0 hour(s)
     SSH authentication retries : 3 time(s)
     SFTP server: Disable
     SFTP Server Idle-Timeout: 10 minute(s)
     NETCONF server: Disable
     SCP server: Disable

    In the config all I have SSH related is:
    ssh server enable
    
    line vty 0 63
     authentication-mode scheme
     user-role network-operator
     protocol inbound ssh
     
     local-user manager class manage
      password hash ********
     service-type ssh http https

    ssh2 is at default

    [HPE5900-SR1]dis ssh2 algorithm
     Key exchange algorithms : ecdh-sha2-nistp256 ecdh-sha2-nistp384 dh-group-exchange-sha1 dh-group14-sha1 dh-group1-sha1
     Public key algorithms : x509v3-ecdsa-sha2-nistp256 x509v3-ecdsa-sha2-nistp384 ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 rsa dsa
     Encryption algorithms : aes128-ctr aes192-ctr aes256-ctr aes128-gcm aes256-gcm aes128-cbc 3des-cbc aes256-cbc des-cbc
     MAC algorithms : sha2-256 sha2-512 sha1 md5 sha1-96 md5-96


    Anybody any ideas?

    Thanks

    Seb



  • 2.  RE: HPE 5900AF SSH fails to connect

    Posted Nov 18, 2021 08:26 AM
    Hi Seb,

    Do you get a password prompt from the switch, or does the SSH connection just drop right away?

    TBH, I don't like the username (null) in the ">%Nov 18 11:41:10:815 2021 HPE5900-SR1 SSHS/6/SSHS_DISCONNECT: SSH user (null) (IP: 10.0.6.2) disconnected from the server." message. Did you delete it before posting your question on the forum, or does the message literally say (null)? If the latter is the case, I guess you need to check whether your SSH client sends the correct username.

    Also, what do your default domain and radius-scheme configurations look like? Could you share those details as well?






  • 3.  RE: HPE 5900AF SSH fails to connect

    Posted Nov 18, 2021 09:49 AM
    Drops instantly, no window ever comes up for input.

    The line is exactly as is (with (null)).

    No details of the domain and/or RADIUS changed (it works fine for HTTP).

    radius scheme nps
     primary authentication aa.bb.cc.dd key cipher ********************
     primary accounting aa.bb.cc.dd
     key authentication cipher ********************
     key accounting cipher ********************
     user-name-format without-domain
    
    radius scheme system
     user-name-format without-domain
    #
    domain mydomain
     authentication login radius-scheme nps local
     authorization login radius-scheme nps local
     accounting login radius-scheme nps local
    #
    domain system
    #
     domain default enable mydomain



  • 4.  RE: HPE 5900AF SSH fails to connect

    Posted Nov 18, 2021 10:59 AM
    Since connections fail before having a chance to transmit the username, it must be some issue related to encryption. Either it's a lack of local keys or an encryption protocol mismatch. We have the output from 'display ssh2 algorithm' and it looks OK, so my main suspect is the public key or keys.
    Let's check the output from 'display public-key local public'; you need to have an RSA and/or DSA key generated. You can check each type separately with 'display public-key local rsa public' and 'display public-key local dsa public'.

    Another idea: if you generated the keys after enabling the SSH server, maybe you could try 'undo ssh server enable' / 'ssh server enable' to toggle the SSH service and force it to re-read the new parameters, in case it got stuck for some reason...

    ------------------------------
    Best regards,
    Ivan
    ------------------------------



  • 5.  RE: HPE 5900AF SSH fails to connect

    Posted Nov 19, 2021 10:59 AM
    Key name: dsakey(default)
    Key type: DSA
    Time when key pair created: 09:52:42 2021/11/18
    Key code:

    3082034630820......


    Key name: mykey
    Key type: RSA
    Time when key pair created: 09:38:16 2021/11/18
    Key code:

    30820122300D06092A8.....

    I have disabled/enabled/re-disabled/re-enabled.

    None makes a difference, disconnects instantly.
    The RSA key is used for SSL (and that works perfectly fine).

    Seb
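Following up on the 'display public-key local rsa public' output above, here is an added example (not HPE's code and not from any poster in this thread) that turns the hex Key code into the OpenSSH public-key line and SHA256 fingerprint an SSH client shows, so the switch's current RSA key can be checked against the entry the client has cached in known_hosts. It assumes the Key code is DER SubjectPublicKeyInfo, which the '30820122300D06092A8...' prefix is consistent with (that is what a 2048-bit rsaEncryption SPKI starts with); the two moduli in it are constructed, and the host name 'switch.example' and the unhashed known_hosts line format are assumptions.

```python
"""Compare the RSA key a Comware switch currently holds with the host key an
SSH client has cached.  `display public-key local rsa public` prints the key
as a hex "Key code"; it is DER SubjectPublicKeyInfo, so a small DER reader
turns it into the OpenSSH line and SHA256 fingerprint the client shows.

Added example for this thread; not code from HPE, the switch or the posters.
Only RSA is handled; both moduli below are constructed, not real keys."""
import base64
import hashlib

RSA_OID = bytes.fromhex("2A864886F70D010101")      # rsaEncryption 1.2.840.113549.1.1.1


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER TLV at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_from_comware_keycode(hex_code: str):
    """Comware hex key code (DER SPKI) -> (modulus n, public exponent e)."""
    der = bytes.fromhex("".join(hex_code.split()))
    tag, spki, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE (SubjectPublicKeyInfo)")
    _, alg, pos = _read_tlv(spki, 0)                # AlgorithmIdentifier
    _, oid, _ = _read_tlv(alg, 0)
    if oid != RSA_OID:
        raise ValueError("not rsaEncryption; DSA/ECDSA keys need another reader")
    tag, bits, _ = _read_tlv(spki, pos)             # subjectPublicKey BIT STRING
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("malformed BIT STRING")
    _, rsapub, _ = _read_tlv(bits, 1)               # RSAPublicKey ::= SEQUENCE {n, e}
    _, n_bytes, pos = _read_tlv(rsapub, 0)
    _, e_bytes, _ = _read_tlv(rsapub, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def _der_tlv(tag: int, value: bytes) -> bytes:
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _big_endian(x: int) -> bytes:
    """Unsigned int as bytes with a leading 0x00 when the top bit is set
    (what both DER INTEGER and SSH mpint require for positive values)."""
    return x.to_bytes((x.bit_length() + 8) // 8, "big")


def comware_keycode_from_rsa(n: int, e: int) -> str:
    """Inverse of the reader; used here only to build the constructed sample."""
    rsapub = _der_tlv(0x30, _der_tlv(0x02, _big_endian(n)) + _der_tlv(0x02, _big_endian(e)))
    alg = _der_tlv(0x30, _der_tlv(0x06, RSA_OID) + _der_tlv(0x05, b""))
    return _der_tlv(0x30, alg + _der_tlv(0x03, b"\x00" + rsapub)).hex().upper()


def _ssh_string(b: bytes) -> bytes:
    return len(b).to_bytes(4, "big") + b


def openssh_public_line(n: int, e: int) -> str:
    """RFC 4253 'ssh-rsa' blob, base64, as it appears in known_hosts."""
    wire = _ssh_string(b"ssh-rsa") + _ssh_string(_big_endian(e)) + _ssh_string(_big_endian(n))
    return "ssh-rsa " + base64.b64encode(wire).decode("ascii")


def sha256_fingerprint(openssh_line: str) -> str:
    """Same form as `ssh-keygen -lf` and the client's host-key warning."""
    wire = base64.b64decode(openssh_line.split()[1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(wire).digest()).decode("ascii").rstrip("=")


def switch_key_matches_known_hosts(keycode_hex: str, known_hosts_line: str) -> bool:
    """True if the key the switch holds now is the one the client cached.
    Assumes an unhashed known_hosts line: '<host> ssh-rsa <base64> [comment]'."""
    n, e = rsa_from_comware_keycode(keycode_hex)
    return openssh_public_line(n, e).split()[1] == known_hosts_line.split()[2]


# Constructed demo data: 2048-bit "old" and "regenerated" moduli (not real RSA keys).
def _fake_modulus(seed: bytes) -> int:
    return int.from_bytes(hashlib.sha256(seed).digest() * 8, "big") | (1 << 2047) | 1

OLD_N, NEW_N, E = _fake_modulus(b"old switch key"), _fake_modulus(b"regenerated key"), 65537
NEW_KEYCODE = comware_keycode_from_rsa(NEW_N, E)                        # what the switch would print
STALE_KNOWN_HOSTS = "switch.example " + openssh_public_line(OLD_N, E)   # the client's cached entry

if __name__ == "__main__":
    n, e = rsa_from_comware_keycode(NEW_KEYCODE)
    print("switch RSA fingerprint :", sha256_fingerprint(openssh_public_line(n, e)))
    print("cached host key matches:", switch_key_matches_known_hosts(NEW_KEYCODE, STALE_KNOWN_HOSTS))
```

With a real switch, paste the complete Key code from the switch and the line for the switch's address from the client's ~/.ssh/known_hosts; a mismatch means an OpenSSH client will refuse the new host key and drop the session before it ever sends a username.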





  • 6.  RE: HPE 5900AF SSH fails to connect

    Posted Nov 19, 2021 01:31 PM
    I can sort of reproduce the issue: if my SSH client remembers the old key of the switch and I generate a new RSA key on the switch, then the SSH client fails to authenticate the server (switch) because of the public key mismatch. And as a result of such an interrupted session attempt I also get the (null) username in the SSHS_DISCONNECT message. Here is the result of 'debugging ssh server all' running on the switch when such a client attempts to connect (10.0.0.2 is the SSH client, 10.0.0.1 is the switch):

    [SW2]*Jan 11 00:34:34:776 2011 SW2 SSHS/7/EVENT: Start new child 12475.
    *Jan 11 00:34:34:787 2011 SW2 SSHS/7/EVENT: Connection from 10.0.0.2 port 32130
    *Jan 11 00:34:34:818 2011 SW2 SSHS/7/EVENT: Client protocol version 2.0, client software version Comware-7.1.070
    *Jan 11 00:34:34:818 2011 SW2 SSHS/7/EVENT: Enabling compatibility mode for protocol 2.0
    *Jan 11 00:34:34:818 2011 SW2 SSHS/7/EVENT: Local version string SSH-2.0-Comware-7.1.070
    *Jan 11 00:34:34:819 2011 SW2 SSHS/7/EVENT: Pki-domain-name is not configure.
    *Jan 11 00:34:34:819 2011 SW2 SSHS/7/EVENT: Pki-domain-name is not configure.
    *Jan 11 00:34:34:820 2011 SW2 SSHS/7/EVENT: Hostkey string is : ssh-rsa
    *Jan 11 00:34:34:821 2011 SW2 SSHS/7/MESSAGE: Prepare packet[20].
    *Jan 11 00:34:34:821 2011 SW2 SSHS/7/MESSAGE: Received packet type 20.
    *Jan 11 00:34:34:821 2011 SW2 SSHS/7/EVENT: Received SSH2_MSG_KEXINIT.
    *Jan 11 00:34:34:822 2011 SW2 SSHS/7/EVENT: My proposal kex:
    *Jan 11 00:34:34:822 2011 SW2 SSHS/7/EVENT: Kex strings(0): ecdh-sha2-nistp256,ecdh-sha2-nistp384,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    *Jan 11 00:34:34:822 2011 SW2 SSHS/7/EVENT: Kex strings(1): ssh-rsa
    *Jan 11 00:34:34:822 2011 SW2 SSHS/7/EVENT: Kex strings(2): aes128-ctr,aes192-ctr,aes256-ctr,AEAD_AES_128_GCM,AEAD_AES_256_GCM,aes128-cbc,3des-cbc,aes256-cbc,des-cbc
    *Jan 11 00:34:34:822 2011 SW2 SSHS/7/EVENT: Kex strings(3): aes128-ctr,aes192-ctr,aes256-ctr,AEAD_AES_128_GCM,AEAD_AES_256_GCM,aes128-cbc,3des-cbc,aes256-cbc,des-cbc
    *Jan 11 00:34:34:822 2011 SW2 SSHS/7/EVENT: Kex strings(4): hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
    *Jan 11 00:34:34:822 2011 SW2 SSHS/7/EVENT: Kex strings(5): hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
    *Jan 11 00:34:34:822 2011 SW2 SSHS/7/EVENT: Kex strings(6): none,zlib,zlib@openssh.com
    *Jan 11 00:34:34:822 2011 SW2 SSHS/7/EVENT: Kex strings(7): none,zlib,zlib@openssh.com
    *Jan 11 00:34:34:822 2011 SW2 SSHS/7/EVENT: Kex strings(8):
    *Jan 11 00:34:34:823 2011 SW2 SSHS/7/EVENT: Kex strings(9):
    *Jan 11 00:34:34:823 2011 SW2 SSHS/7/EVENT: Peer proposal kex:
    *Jan 11 00:34:34:823 2011 SW2 SSHS/7/EVENT: Kex strings(0): ecdh-sha2-nistp256,ecdh-sha2-nistp384,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    *Jan 11 00:34:34:823 2011 SW2 SSHS/7/EVENT: Kex strings(1): x509v3-ecdsa-sha2-nistp256,x509v3-ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ssh-rsa,ssh-dss
    *Jan 11 00:34:34:823 2011 SW2 SSHS/7/EVENT: Kex strings(2): aes128-ctr,aes192-ctr,aes256-ctr,AEAD_AES_128_GCM,AEAD_AES_256_GCM,aes128-cbc,3des-cbc,aes256-cbc,des-cbc
    *Jan 11 00:34:34:823 2011 SW2 SSHS/7/EVENT: Kex strings(3): aes128-ctr,aes192-ctr,aes256-ctr,AEAD_AES_128_GCM,AEAD_AES_256_GCM,aes128-cbc,3des-cbc,aes256-cbc,des-cbc
    *Jan 11 00:34:34:823 2011 SW2 SSHS/7/EVENT: Kex strings(4): hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
    *Jan 11 00:34:34:823 2011 SW2 SSHS/7/EVENT: Kex strings(5): hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
    *Jan 11 00:34:34:823 2011 SW2 SSHS/7/EVENT: Kex strings(6): none,zlib,zlib@openssh.com
    *Jan 11 00:34:34:823 2011 SW2 SSHS/7/EVENT: Kex strings(7): none,zlib,zlib@openssh.com
    *Jan 11 00:34:34:823 2011 SW2 SSHS/7/EVENT: Kex strings(8):
    *Jan 11 00:34:34:823 2011 SW2 SSHS/7/EVENT: Kex strings(9):
    *Jan 11 00:34:34:824 2011 SW2 SSHS/7/EVENT: Kex: client->server, Encrypt: aes128-ctr, HMAC: hmac-sha2-256, Compress: none
    *Jan 11 00:34:34:825 2011 SW2 SSHS/7/EVENT: Kex: server->client, Encrypt: aes128-ctr, HMAC: hmac-sha2-256, Compress: none
    *Jan 11 00:34:34:832 2011 SW2 SSHS/7/EVENT: Expecting packet type 30.
    *Jan 11 00:34:34:832 2011 SW2 SSHS/7/MESSAGE: Received packet type 30.
    *Jan 11 00:34:34:839 2011 SW2 SSHS/7/MESSAGE: Prepare packet[31].
    *Jan 11 00:34:34:842 2011 SW2 SSHS/7/MESSAGE: Prepare packet[21].
    *Jan 11 00:34:34:842 2011 SW2 SSHS/7/EVENT: Set new keys: mode=1
    *Jan 11 00:34:34:842 2011 SW2 SSHS/7/EVENT: Expecting packet type 21.
    %Jan 11 00:34:34:844 2011 SW2 SSHS/6/SSHS_LOG: Connection closed by 10.0.0.2.
    %Jan 11 00:34:34:845 2011 SW2 SSHS/6/SSHS_DISCONNECT: SSH user (null) (IP: 10.0.0.2) disconnected from the server.

    You can enable the same debugging and check whether the situation is similar. Maybe in your case it will be a different error, but at this time debugging seems to be the next step anyway:

    # Enable monitoring and debugging output to the current VTY session. The commands below should be executed from the user-view.
    terminal monitor
    terminal debugging
    
    # Enable SSH Server debugging - messages, errors and events.
    debugging ssh server all
    
    # Attempt to connect from the SSH client to the switch.
    
    # Disable the debugging.
    undo debugging all

    Also, it's a good idea to try a different SSH client to avoid any public key caching issues.



    ------------------------------
    Ivan Bondar
    ------------------------------
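As an added example (not HPE's code and not Ivan's), here is the check the reply above makes by eye, done over a 'debugging ssh server all' transcript: compare the two KEXINIT proposals slot by slot, then look at which SSH messages went back and forth before "Connection closed by". In the transcript above the switch sent the KEX reply (message 31, which carries the host key and its signature) and NEWKEYS (21), and the client closed without answering; that is what a client that refuses a changed host key does, and it also explains the "(null)" user, because SSH_MSG_USERAUTH_REQUEST (50), the first message that names a user, never arrived. The message numbers are the standard ones from RFC 4253/4252; the first sample is the transcript above, shortened, and the second is constructed to show the other failure mode Ivan raises, an algorithm mismatch. The verdict strings are my own.

```python
"""Work out where an SSH session died from Comware's 'debugging ssh server all'
transcript: no algorithm overlap at KEXINIT, the client dropping the connection
straight after our host key (KEX reply + NEWKEYS sent, NEWKEYS never received),
or a failure later in user authentication.

Added example for this thread; not HPE's code or the posters'.  The first sample
is the transcript from the reply above, shortened; the second is a constructed
variant.  Message numbers are from RFC 4253/4252; the verdict strings are mine."""
import re

KEXINIT, NEWKEYS, KEX_INIT, KEX_REPLY, USERAUTH_REQUEST = 20, 21, 30, 31, 50
SLOTS = {0: "kex", 1: "hostkey", 2: "cipher c->s", 3: "cipher s->c",
         4: "mac c->s", 5: "mac s->c"}            # KEXINIT name-list order (RFC 4253 7.1)
RE_KEX = re.compile(r"Kex strings\((\d)\): ?(.*)$")
RE_RECV = re.compile(r"Received packet type (\d+)")
RE_SEND = re.compile(r"Prepare packet\[(\d+)\]")


def parse_debug(lines):
    """Collect both KEXINIT proposals and the packets sent/received until close."""
    proposals, side, events = {"mine": {}, "peer": {}}, None, []
    for line in lines:
        if "My proposal kex" in line:
            side = "mine"
        elif "Peer proposal kex" in line:
            side = "peer"
        elif (m := RE_KEX.search(line)) and side:
            slot = int(m.group(1))
            if slot in SLOTS:
                proposals[side][slot] = [a for a in m.group(2).split(",") if a]
        elif (m := RE_RECV.search(line)):
            events.append(("recv", int(m.group(1))))
        elif (m := RE_SEND.search(line)):
            events.append(("send", int(m.group(1))))
        elif "Connection closed by" in line or "SSHS_DISCONNECT" in line:
            events.append(("closed", None))
            break
    return proposals, events


def negotiated(proposals):
    """Per slot, the algorithms both sides offered, in the client's preference order."""
    mine, peer = proposals["mine"], proposals["peer"]
    return {SLOTS[s]: [a for a in peer.get(s, []) if a in mine.get(s, [])]
            for s in SLOTS if s in mine or s in peer}


def diagnose(lines) -> str:
    proposals, events = parse_debug(lines)
    missing = [slot for slot, algs in negotiated(proposals).items() if not algs]
    if missing:
        return "algorithm mismatch: no common " + ", ".join(missing)
    recv = {n for kind, n in events if kind == "recv"}
    sent = {n for kind, n in events if kind == "send"}
    if ("closed", None) not in events:
        return "session not closed in this transcript"
    if USERAUTH_REQUEST in recv:
        return "closed during user authentication: username was sent, check AAA/domain"
    if KEX_REPLY in sent and NEWKEYS not in recv:
        return ("client closed after receiving our host key, before NEWKEYS: "
                "host key rejected on the client side (stale known_hosts entry)")
    if KEXINIT not in recv:
        return "closed before KEXINIT: banner/version problem or TCP-level drop"
    return "closed at an unexpected point; read the full transcript"


# Transcript from the reply above, shortened (timestamps and slots 6-9 dropped).
SAMPLE_HOSTKEY_REJECTED = """\
SSHS/7/MESSAGE: Received packet type 20.
SSHS/7/EVENT: My proposal kex:
SSHS/7/EVENT: Kex strings(0): ecdh-sha2-nistp256,ecdh-sha2-nistp384,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
SSHS/7/EVENT: Kex strings(1): ssh-rsa
SSHS/7/EVENT: Kex strings(2): aes128-ctr,aes192-ctr,aes256-ctr,AEAD_AES_128_GCM,AEAD_AES_256_GCM,aes128-cbc,3des-cbc,aes256-cbc,des-cbc
SSHS/7/EVENT: Kex strings(3): aes128-ctr,aes192-ctr,aes256-ctr,AEAD_AES_128_GCM,AEAD_AES_256_GCM,aes128-cbc,3des-cbc,aes256-cbc,des-cbc
SSHS/7/EVENT: Kex strings(4): hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
SSHS/7/EVENT: Kex strings(5): hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
SSHS/7/EVENT: Peer proposal kex:
SSHS/7/EVENT: Kex strings(0): ecdh-sha2-nistp256,ecdh-sha2-nistp384,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
SSHS/7/EVENT: Kex strings(1): x509v3-ecdsa-sha2-nistp256,x509v3-ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ssh-rsa,ssh-dss
SSHS/7/EVENT: Kex strings(2): aes128-ctr,aes192-ctr,aes256-ctr,AEAD_AES_128_GCM,AEAD_AES_256_GCM,aes128-cbc,3des-cbc,aes256-cbc,des-cbc
SSHS/7/EVENT: Kex strings(3): aes128-ctr,aes192-ctr,aes256-ctr,AEAD_AES_128_GCM,AEAD_AES_256_GCM,aes128-cbc,3des-cbc,aes256-cbc,des-cbc
SSHS/7/EVENT: Kex strings(4): hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
SSHS/7/EVENT: Kex strings(5): hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
SSHS/7/MESSAGE: Received packet type 30.
SSHS/7/MESSAGE: Prepare packet[31].
SSHS/7/MESSAGE: Prepare packet[21].
SSHS/6/SSHS_LOG: Connection closed by 10.0.0.2.
SSHS/6/SSHS_DISCONNECT: SSH user (null) (IP: 10.0.0.2) disconnected from the server.
""".splitlines()

# Constructed variant: a client offering only curve25519 key exchange, which this
# Comware build does not list, so the session cannot get past KEXINIT.
_peer_kex = max(i for i, l in enumerate(SAMPLE_HOSTKEY_REJECTED) if "Kex strings(0)" in l)
SAMPLE_KEX_MISMATCH = (SAMPLE_HOSTKEY_REJECTED[:_peer_kex]
                       + ["SSHS/7/EVENT: Kex strings(0): curve25519-sha256,curve25519-sha256@libssh.org"]
                       + SAMPLE_HOSTKEY_REJECTED[_peer_kex + 1:_peer_kex + 6]
                       + ["SSHS/6/SSHS_LOG: Connection closed by 10.0.0.2."])

if __name__ == "__main__":
    for name, sample in (("page transcript", SAMPLE_HOSTKEY_REJECTED), ("constructed", SAMPLE_KEX_MISMATCH)):
        print(f"{name}: {diagnose(sample)}")
```

On the client side the matching fix is to drop the stale entry (for OpenSSH, `ssh-keygen -R <switch address>`; other clients keep their own host-key store) and, on the next connection, to verify the fingerprint the client shows against the key the switch reports before accepting it, rather than accepting blindly.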



  • 7.  RE: HPE 5900AF SSH fails to connect