Stacy, I configured SSH server(OpenSSH) to log both the user name and password for all the successful and unsuccessful authorization attempts and turned out, that Juniper router sends an empty string as a password. I guess Junos uses FreeBSD scp utility for configuration archival if following configuration is used:
configuration { transfer-on-commit; archive-sites { "scp://juniper@backupserver:/home/juniper/configbackups" password "$9$2joDkf5F9tOik0IhcMWGDjq5Q"; ## SECRET-DATA } } If yes, then Junos probably provides an empty password string to scp. Underlying XML also holds the correct obfuscated password, i.e. as far as I can tell, the password in configuration is correct. I also tried with other passwords, but the router still sends an empty string. How to troubleshoot this further? Has anyone seen such behavior(possibly a bug) before? thanks, Martin On Wed, Oct 21, 2015 at 7:39 PM, Stacy W. Smith <st...@acm.org> wrote: > >> On Oct 21, 2015, at 10:16 AM, Martin T <m4rtn...@gmail.com> wrote: >> >> SSH server log tells that "error: PAM: Authentication failure for juniper >> from r1". > >> What might cause this? > > Assuming the Junos version has not changed on the router, have there been any > changes to the SSH server, or the OS, on backupserver (potentially including > "security patches")? > > Assuming OpenSSH, you may want to "man sshd_config" and look into the various > <Method>Authentication settings as well as the UsePAM. I suspect some recent > upgrade may have changed the default value of some of these settings. > > I would normally suggest changing the client's config to interoperate with > the server, but since that's not easy to do on a Junos device, you might look > at changing the server config. > > --Stacy > _______________________________________________ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp