[jira] [Comment Edited] (SSHD-969) compatibility problem with cisco-2.0 ssh on ios-xr
[
https://issues.apache.org/jira/browse/SSHD-969?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17046686#comment-17046686
]
Lyor Goldstein edited comment on SSHD-969 at 2/27/20 2:42 PM:
--
{quote}
I noticed that Mina SSH sends msg 50 (SSH_MSG_USERAUTH_REQUEST) before key
exchange completes
{quote}
I cannot figure out what scenario can lead to this - authentication messages
are exchanged +after+ keys have been exchanged - never over insecure channel.
We have such checks in code:
{code:java}
@Override
public Boolean doAuth(Buffer buffer, boolean init) throws Exception {
ValidateUtils.checkTrue(init, "Instance not initialized");
ServerSession session = getServerSession();
if (!UserAuthMethodFactory.isSecureAuthenticationTransport(session)) {
if (log.isDebugEnabled()) {
log.debug("doAuth({}) session is not secure", session);
}
return false;
}
{code}
Note that even by your own log, the {{SSH_MSG_USERAUTH_REQUEST}} is not sent -
it is +enqueued +to be sent when KEX completed:
{quote}
2020-02-25 20:12:15.532Z [pool-171-thread-1] DEBUG
o.a.s.c.session.ClientSessionImpl:808 -
writePacket(ClientSessionImpl[cisco@/10.90.10.193:22])[SSH_MSG_USERAUTH_REQUEST]
Start flagging packets as pending until key exchange is done
{quote}
It may be the case that the server has some kind of race condition and has not
yet updated its internal state that KEX is completed when
{{SSH_MSG_USERAUTH_REQUEST}} arrives. Anyway, you have not mentioned what MINA
SSHD version you are using. Please try the latest one.
Another thing to notice is that some servers behave in a special way and expect
flows that are not always standard. To that effect, try and activate the
"delayed KEX" option in our code (see [this
link|https://github.com/apache/mina-sshd/blob/master/docs/client-setup.md#configuring-the-protocol-exchange-phase]).
This option delays KEX from the client side until the server has sent its
identification first. I suspect this is the real culprit - anyway, it might not
fix this issue entirely, but perhaps it may introduce enough of a delay to
overcome the suspected race condition in the server.
was (Author: lgoldstein):
{quote}
I noticed that Mina SSH sends msg 50 (SSH_MSG_USERAUTH_REQUEST) before key
exchange completes
{quote}
I cannot figure out what scenario can lead to this - authentication messages
are exchanged +after+ keys have been exchanged - never over insecure channel.
We have such checks in code:
{code:java}
@Override
public Boolean doAuth(Buffer buffer, boolean init) throws Exception {
ValidateUtils.checkTrue(init, "Instance not initialized");
ServerSession session = getServerSession();
if (!UserAuthMethodFactory.isSecureAuthenticationTransport(session)) {
if (log.isDebugEnabled()) {
log.debug("doAuth({}) session is not secure", session);
}
return false;
}
{code}
Note that even by your own log, the {{SSH_MSG_USERAUTH_REQUEST}} is not sent -
it is +enqueued +to be sent when KEX completed:
{quote}
2020-02-25 20:12:15.532Z [pool-171-thread-1] DEBUG
o.a.s.c.session.ClientSessionImpl:808 -
writePacket(ClientSessionImpl[cisco@/10.90.10.193:22])[SSH_MSG_USERAUTH_REQUEST]
Start flagging packets as pending until key exchange is done
{quote}
It may be the case that the server has some kind of race condition and has not
yet updated its internal state that KEX is completed when
{{SSH_MSG_USERAUTH_REQUEST}} arrives. Anyway, you have not mentioned what MINA
SSHD version you are using. Please try the latest one.
Another thing to notice is that some servers behave in a special way and expect
flows that are not always standard. To that effect, try and activate the
"delayed KEX" option in our code (see [this
link|https://github.com/apache/mina-sshd/blob/master/docs/client-setup.md#configuring-the-protocol-exchange-phase]).
This option delays KEX from the client side until the server has sent its
identification first. It might fix this issue entirely, but perhaps it may
introduce enough of a delay to overcome the suspected race condition in the
server.
> compatibility problem with cisco-2.0 ssh on ios-xr
> ---
>
> Key: SSHD-969
> URL: https://issues.apache.org/jira/browse/SSHD-969
> Project: MINA SSHD
> Issue Type: Bug
>Reporter: Yuefeng
>Priority: Major
>
> When mina ssh library is used to connect with a Cisco IOS-XR device, the
> connection is consistently reset by IOS-XR, here's mina log
>
>
> {code:java}
> 2020-02-25 20:12:15.531Z [sshd-SshClient[468ca10d]-nio2-thread-1] DEBUG
> o.a.s.c.session.ClientSessionImpl:271 -
> initializeProxyConnector(ClientSessionImpl[null@/10.90.10.193:22]) no
[jira] [Comment Edited] (SSHD-969) compatibility problem with cisco-2.0 ssh on ios-xr
[
https://issues.apache.org/jira/browse/SSHD-969?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17046686#comment-17046686
]
Lyor Goldstein edited comment on SSHD-969 at 2/27/20 2:41 PM:
--
{quote}
I noticed that Mina SSH sends msg 50 (SSH_MSG_USERAUTH_REQUEST) before key
exchange completes
{quote}
I cannot figure out what scenario can lead to this - authentication messages
are exchanged +after+ keys have been exchanged - never over insecure channel.
We have such checks in code:
{code:java}
@Override
public Boolean doAuth(Buffer buffer, boolean init) throws Exception {
ValidateUtils.checkTrue(init, "Instance not initialized");
ServerSession session = getServerSession();
if (!UserAuthMethodFactory.isSecureAuthenticationTransport(session)) {
if (log.isDebugEnabled()) {
log.debug("doAuth({}) session is not secure", session);
}
return false;
}
{code}
Note that even by your own log, the {{SSH_MSG_USERAUTH_REQUEST}} is not sent -
it is +enqueued +to be sent when KEX completed:
{quote}
2020-02-25 20:12:15.532Z [pool-171-thread-1] DEBUG
o.a.s.c.session.ClientSessionImpl:808 -
writePacket(ClientSessionImpl[cisco@/10.90.10.193:22])[SSH_MSG_USERAUTH_REQUEST]
Start flagging packets as pending until key exchange is done
{quote}
It may be the case that the server has some kind of race condition and has not
yet updated its internal state that KEX is completed when
{{SSH_MSG_USERAUTH_REQUEST}} arrives. Anyway, you have not mentioned what MINA
SSHD version you are using. Please try the latest one.
Another thing to notice is that some servers behave in a special way and expect
flows that are not always standard. To that effect, try and activate the
"delayed KEX" option in our code (see [this
link|https://github.com/apache/mina-sshd/blob/master/docs/client-setup.md#configuring-the-protocol-exchange-phase]).
This option delays KEX from the client side until the server has sent its
identification first. It might fix this issue entirely, but perhaps it may
introduce enough of a delay to overcome the suspected race condition in the
server.
was (Author: lgoldstein):
{quote}
I noticed that Mina SSH sends msg 50 (SSH_MSG_USERAUTH_REQUEST) before key
exchange completes
{quote}
I cannot figure out what scenario can lead to this - authentication messages
are exchanged +after+ keys have been exchanged - never over insecure channel.
We have such checks in code:
{code:java}
@Override
public Boolean doAuth(Buffer buffer, boolean init) throws Exception {
ValidateUtils.checkTrue(init, "Instance not initialized");
ServerSession session = getServerSession();
if (!UserAuthMethodFactory.isSecureAuthenticationTransport(session)) {
if (log.isDebugEnabled()) {
log.debug("doAuth({}) session is not secure", session);
}
return false;
}
{code}
It may be the case that the server has some kind of race condition and has not
yet updated its internal state that KEX is completed when
{{SSH_MSG_USERAUTH_REQUEST}} arrives. Anyway, you have not mentioned what MINA
SSHD version you are using. Please try the latest one.
Another thing to notice is that some servers behave in a special way and expect
flows that are not always standard. To that effect, try and activate the
"delayed KEX" option in our code (see [this
link|https://github.com/apache/mina-sshd/blob/master/docs/client-setup.md#configuring-the-protocol-exchange-phase]).
This option delays KEX from the client side until the server has sent its
identification first. It might fix this issue entirely, but perhaps it may
introduce enough of a delay to overcome the suspected race condition in the
server.
> compatibility problem with cisco-2.0 ssh on ios-xr
> ---
>
> Key: SSHD-969
> URL: https://issues.apache.org/jira/browse/SSHD-969
> Project: MINA SSHD
> Issue Type: Bug
>Reporter: Yuefeng
>Priority: Major
>
> When mina ssh library is used to connect with a Cisco IOS-XR device, the
> connection is consistently reset by IOS-XR, here's mina log
>
>
> {code:java}
> 2020-02-25 20:12:15.531Z [sshd-SshClient[468ca10d]-nio2-thread-1] DEBUG
> o.a.s.c.session.ClientSessionImpl:271 -
> initializeProxyConnector(ClientSessionImpl[null@/10.90.10.193:22]) no proxy
> to initialize
> 2020-02-25 20:12:15.531Z [pool-171-thread-1] INFO
> com.forwardnetworks.client.a.f.a.d:20 - Connected to 'xrv9k'
> 2020-02-25 20:12:15.531Z [pool-171-thread-1] DEBUG
> o.a.s.c.session.ClientSessionImpl:204 -
> addPasswordIdentity(ClientSessionImpl[*@/10.90.10.193:22]) SHA256:**
> 2020-02-25 20:12:15.532Z [pool-171-thread-1] INFO
> com.forwardnetworks.client.a.f.a.d:28 - Authenticating
