rare-users - Re: [RARE-users] SSH stuck

Re: [RARE-users] SSH stuck

  • From: mc36 <>
  • To: Frédéric LOUI <>, "" <>
  • Subject: Re: [RARE-users] SSH stuck
  • Date: Sun, 21 Aug 2022 13:59:45 +0200

hi,
to reproduce the thing, i did the following:

sid(cfg-server)#show running-config this
server telnet fl
security protocol ssh
security authentication usr
security rsakey rsa
security dsakey dsa
security ecdsakey ecdsa
port 1234
second-port 4321
exec logging
no exec authorization
login authentication usr
login logging
vrf v1
exit
!

sid(cfg-server)#


it's almost identical to what you have, but i used explicit ports 1234 and 4321...
after checking around from my notebook i found the following:

mc36@noti:~$ telnet sid 1234
Trying 2001:db8:1101::227:227...
Connected to sid.
Escape character is '^]'.
SSH-2.0-freeRouter/22.8.21-cur
^]
telnet> q
Connection closed.
mc36@noti:~$ telnet sid 4321
Trying 2001:db8:1101::227:227...
Connected to sid.
Escape character is '^]'.
SSH-2.0-freeRouter/22.8.21-cur
^]
telnet> q
Connection closed.
mc36@noti:~$

mc36@noti:~$ ssh -p 4321 sid
mc36@sid's password:
SSH-2.0-freeRouter/22.8.21-cur
Connection to sid closed.
mc36@noti:~$ ssh -p 1234 sid
mc36@sid's password:

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXX XXXXX XXX XXX XXX XX XX XXXX XXXXXXXXXXXXXXXXXX
XXXX XXXX XX XXXX XX XXXX XX XX XX XXXX XXXXXXX/~~~~\XXXXX
XXXX X XXX XX XXXX XX XXXX XX XX XX XXXX XXXXXX| demo |XXXX
XXXX XX XX XX XXXX XX XXX XX XXXX XXXXXXX\____/XXXXX
XXXX XXX X XX XXXX XX XXXXXXX XX XX XXXX XXXXXXXXXXXXXXXXXX
XXXX XXXX XX XXXX XX XXXXXXX XX XX XXXX XXXXXXXXXXXXXXXXXX
XXXX XXXXX XXX XXX XXX XXX XX XXX XXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
welcome
username:


after applying "no security protocol ssh" to the telnet server,
i see the following change:



mc36@noti:~$ telnet sid 1234
Trying 2001:db8:1101::227:227...
Connected to sid.
Escape character is '^]'.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXX XXXXX XXX XXX XXX XX XX XXXX XXXXXXXXXXXXXXXXXX
XXXX XXXX XX XXXX XX XXXX XX XX XX XXXX XXXXXXX/~~~~\XXXXX
XXXX X XXX XX XXXX XX XXXX XX XX XX XXXX XXXXXX| demo |XXXX
XXXX XX XX XX XXXX XX XXX XX XXXX XXXXXXX\____/XXXXX
XXXX XXX X XX XXXX XX XXXXXXX XX XX XXXX XXXXXXXXXXXXXXXXXX
XXXX XXXX XX XXXX XX XXXXXXX XX XX XXXX XXXXXXXXXXXXXXXXXX
XXXX XXXXX XXX XXX XXX XXX XX XXX XXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
welcome
username:
telnet> q
Connection closed.
mc36@noti:~$ telnet sid 4321
Trying 2001:db8:1101::227:227...
Connected to sid.
Escape character is '^]'.
SSH-2.0-freeRouter/22.8.21-cur
^]
telnet> q
Connection closed.
mc36@noti:~$
mc36@noti:~$ ssh -p 4321 sid
mc36@sid's password:
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXX XXXXX XXX XXX XXX XX XX XXXX XXXXXXXXXXXXXXXXXX
XXXX XXXX XX XXXX XX XXXX XX XX XX XXXX XXXXXXX/~~~~\XXXXX
XXXX X XXX XX XXXX XX XXXX XX XX XX XXXX XXXXXX| demo |XXXX
XXXX XX XX XX XXXX XX XXX XX XXXX XXXXXXX\____/XXXXX
XXXX XXX X XX XXXX XX XXXXXXX XX XX XXXX XXXXXXXXXXXXXXXXXX
XXXX XXXX XX XXXX XX XXXXXXX XX XX XXXX XXXXXXXXXXXXXXXXXX
XXXX XXXXX XXX XXX XXX XXX XX XXX XXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
welcome
line ready
sid#


the trick here is that there are 2 protocols, http and telnet, which both
could be run over 2 ports simultaneously, with the same virtual-hosts or
access credential requirements... this feature is enabled by the second-port
knob under the corresponding servers...

but once it's enabled, you don't have to specify the "sec prot" because the
port will determine the security protocol to use, and after a successful
negotiation, the given server's things will apply to the connection.

but if you apply "sec prot tls" on top of the above configuration, you could
do tls-over-telnet (draft) or tls-over-ssh (stunnel xxx | ssh xxx) on the two
ports i used to show off the feature....

my question is, how did you arrive at the configuration you showed in the mail?

thanks,
cs
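The telnet and ssh runs above tell the two ports apart by eye (an "SSH-2.0-" line versus a plaintext banner and "username:" prompt). As an added example, not code from this list or from freeRouter, here is a small Python classifier that does the same check from the first bytes a port sends, following the SSH identification-string rules of RFC 4253 section 4.2; the sample banners and the host/port arguments are constructed assumptions.

```python
import socket

IAC = 0xFF  # telnet "Interpret As Command" byte (RFC 854)

# Constructed sample banners modelled on the captures in the thread
# (first bytes as a client reads them right after connect).
SAMPLE_BANNERS = {
    "ssh_port": b"SSH-2.0-freeRouter/22.8.21-cur\r\n",
    "plain_port": b"XXXXXXXX\r\nwelcome\r\nusername:",
    "telnet_nego": b"\xff\xfb\x01\xff\xfd\x18",  # IAC WILL ECHO, IAC DO TTYPE
    "silent_port": b"",
}

def classify_banner(data: bytes) -> dict:
    """Return {'kind': ssh|telnet|plaintext|silent, ...} for the first bytes
    a server sent.  The SSH ident line is parsed per RFC 4253 section 4.2,
    which allows text lines before "SSH-" and a comment after a space."""
    if not data:
        return {"kind": "silent"}
    for line in data.split(b"\n"):
        line = line.rstrip(b"\r")
        if line.startswith(b"SSH-"):
            ident = line.decode("ascii", errors="replace")
            head = ident.split(" ", 1)[0]          # drop optional comments
            parts = head.split("-", 2)             # SSH-protoversion-software
            return {"kind": "ssh",
                    "protoversion": parts[1] if len(parts) > 1 else "",
                    "software": parts[2] if len(parts) > 2 else ""}
    if IAC in data:
        return {"kind": "telnet"}   # option negotiation, no SSH ident: cleartext
    return {"kind": "plaintext"}    # readable banner or login prompt: cleartext

def mismatches(observed: dict, expected: dict) -> list:
    """Ports whose observed kind differs from what the config should give,
    e.g. {1234: "ssh", 4321: "ssh"} while "security protocol ssh" is set."""
    return [(p, expected[p], observed.get(p, {}).get("kind"))
            for p in expected if observed.get(p, {}).get("kind") != expected[p]]

def probe(host: str, port: int, timeout: float = 3.0) -> dict:
    """Connect to host:port, read up to 512 bytes and classify (network helper)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            data = s.recv(512)
        except socket.timeout:
            data = b""
    return classify_banner(data)
```

Running `mismatches({p: probe("sid", p) for p in (1234, 4321)}, {1234: "ssh", 4321: "ssh"})` against a live box lists any port that silently fell back to cleartext after a config change.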

On 8/18/22 12:18, Frédéric LOUI wrote:
HI mc36,

I'm staging a Wedge@Miami.

The user configured SSH telnet server, but not sure why the SSH connection
got stuck.

In doubt, I also upgraded freeRtr (flash upgrade)

# ssh
's password:
SSH-2.0-freeRouter/22.8.16-cur

No rush, I know you are busy partying @ Lake Balaton.

config snippet:

!
aaa userlist usr
username rare
username rare password $v10$cmFyZQ==
exit
!
access-list allow-mgmt
sequence 10 permit all 190.103.184.0 255.255.252.0 all any all
sequence 20 permit all 67.17.206.0 255.255.255.0 all any all
sequence 30 permit all 192.168.203.0 255.255.255.0 all any all
sequence 40 permit all 200.143.193.220 255.255.255.255 all any all
sequence 50 permit all 195.98.239.132 255.255.255.255 all any all
sequence 60 permit all 82.64.61.37 255.255.255.255 all any all
sequence 123 permit all 172.16.11.0 255.255.255.0 all any all
sequence 124 permit all 192.168.113.0 255.255.255.0 all any all
sequence 999 deny all any all any all
exit
!
server telnet oob
security protocol ssh
security authentication usr
security rsakey rsa
security dsakey dsa
security ecdsakey ecdsa
access-class allow-mgmt
second-port 22
exec logging
no exec authorization
login authentication usr
login logging
interface tunnel123
vrf oob
exit
!

I checked with NMaaS admin and we tested pra0101 (which has the same config):
's password:
welcome
line ready
PRA0101#

Any idea/hint on what could happen ?
Should I ask the user to renew rsa, dsa, ecdsa? (Not sure where he got it from)

But assuming it is from Wedge it should use ONIE image startup config

Cheers,
Frederic

