czerwonk / junos_exporter

Exporter for devices running JunOS to use with https://prometheus.io/
MIT License

SSH KeyExchange issue with Junos 12.3 #153

Open mweinelt opened 3 years ago

mweinelt commented 3 years ago

This is junos exporter: :zap:

[screenshot]

The SSHD on the EX2200 supports the following key exchange methods:

% ssh -Q kex
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256@libssh.org

This results in a handshake failure.

This is openssh from the terminal: :heavy_check_mark:

[screenshot]

lgerhold commented 3 years ago

same here :(

nuclearcat commented 3 years ago

Faced the same problem, also on Junos 12. As a workaround, "set system services ssh ciphers [chacha20-poly1305@openssh.com aes256-cbc aes256-ctr]" works. The reason for the issue (possibly): aes128-gcm@openssh.com and aes256-gcm@openssh.com are broken in Junos 12.

mweinelt commented 3 years ago

That's not even a possible scenario here; we have no aesgcm in our supported cipher list.

% ssh -Q cipher
3des-cbc
blowfish-cbc
cast128-cbc
arcfour
arcfour128
arcfour256
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
chacha20-poly1305@openssh.com

The exporter's cipher list is visible here:

handshake failed: ssh: no common algorithm for client to server cipher; client offered: [aes128-gcm@openssh.com chacha20-poly1305@openssh.com aes128-ctr aes192-ctr aes256-ctr]

All of the given ciphers work when configured individually, so I wonder what's up with that.

chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se

Uh, so it advertises aesgcm and the config validation does not let me disable it.

# set ciphers [ ?  
Possible completions:
  3des-cbc             Tripple DES in CBC mode
  ]                    Close the current set
  aes128-cbc           128-bit AES with Cipher Block Chaining
  aes128-ctr           128-bit AES with Counter Mode
  aes192-cbc           192-bit AES with Cipher Block Chaining
  aes192-ctr           192-bit AES with Counter Mode
  aes256-cbc           256-bit AES with Cipher Block Chaining
  aes256-ctr           256-bit AES with Counter Mode
  arcfour              128-bit RC4 with Cipher Block Chaining 
  arcfour128           128-bit RC4 with Cipher Block Chaining 
  arcfour256           256-bit RC4 with Cipher Block Chaining 
  blowfish-cbc         128-bit Blowfish with Cipher Block Chaining 
  cast128-cbc          128-bit CAST with Cipher Block Chaining 
  chacha20-poly1305@openssh.com  ChaCha20 stream cipher and Poly1305 MAC
{master:0}[edit system services ssh]

So setting any explicit cipher list will basically fix this. Great.
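The two name-lists quoted in this thread (what the exporter offered in the error message, and what the switch advertised) are enough to replay the SSH cipher negotiation by hand. The following Go program is an added example, not code from junos_exporter or from the Go SSH library; it applies the RFC 4253 rule that the first algorithm in the client's list which the server also lists wins, and shows why the device's default list selects aes128-gcm@openssh.com while the explicit "set system services ssh ciphers" list from the earlier comment selects ChaCha20-Poly1305. The lists are transcribed from this page, not captured live, and the function names (ParseNameList, Negotiate, LegacyCiphers) are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Constructed from the name-lists quoted in this thread; not a live capture.
// Ciphers the exporter offered, taken from the "client offered:" error above.
var clientOffered = []string{
	"aes128-gcm@openssh.com",
	"chacha20-poly1305@openssh.com",
	"aes128-ctr",
	"aes192-ctr",
	"aes256-ctr",
}

// Ciphers the Junos 12 sshd advertised before any explicit configuration.
const serverDefault = "chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr," +
	"aes128-gcm@openssh.com,aes256-gcm@openssh.com,arcfour256,arcfour128,aes128-cbc," +
	"3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se"

// Ciphers advertised after the "set system services ssh ciphers [...]" workaround.
const serverPinned = "chacha20-poly1305@openssh.com,aes256-cbc,aes256-ctr"

// ParseNameList splits an SSH name-list (RFC 4251 section 5: comma-separated,
// no whitespace) into its entries, dropping empty ones.
func ParseNameList(s string) []string {
	var out []string
	for _, name := range strings.Split(s, ",") {
		if name = strings.TrimSpace(name); name != "" {
			out = append(out, name)
		}
	}
	return out
}

// Negotiate applies the RFC 4253 section 7.1 rule: the first algorithm in the
// client's list that also appears in the server's list is chosen. The error
// text mirrors the exporter's log line so the two can be compared.
func Negotiate(client, server []string) (string, error) {
	supported := make(map[string]struct{}, len(server))
	for _, name := range server {
		supported[name] = struct{}{}
	}
	for _, name := range client {
		if _, ok := supported[name]; ok {
			return name, nil
		}
	}
	return "", errors.New("no common algorithm for client to server cipher")
}

// LegacyCiphers returns the entries of a server list that a hardening review
// would flag: RC4 (arcfour*), 3DES, Blowfish, CAST and any CBC mode.
func LegacyCiphers(server []string) []string {
	var weak []string
	for _, name := range server {
		switch {
		case strings.HasPrefix(name, "arcfour"),
			strings.HasPrefix(name, "3des"),
			strings.HasPrefix(name, "blowfish"),
			strings.HasPrefix(name, "cast128"),
			strings.Contains(name, "-cbc"):
			weak = append(weak, name)
		}
	}
	return weak
}

func main() {
	for label, list := range map[string]string{"default": serverDefault, "pinned": serverPinned} {
		chosen, err := Negotiate(clientOffered, ParseNameList(list))
		fmt.Printf("%-8s chosen=%q err=%v\n", label, chosen, err)
	}
	fmt.Println("legacy ciphers in default list:", LegacyCiphers(ParseNameList(serverDefault)))
}
```

Run against the default list, negotiation lands on aes128-gcm@openssh.com, the cipher the earlier comment suspects is broken on Junos 12; against the pinned list it lands on chacha20-poly1305@openssh.com, which matches the observation that any explicit cipher list makes the exporter work. LegacyCiphers also reports the ten RC4, 3DES, Blowfish, CAST and CBC entries the default list still offers, which is the second reason to set an explicit list on these devices.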

nuclearcat commented 3 years ago

Maybe someone can open a bug report with Juniper, so the next release will fix this bug? (I'm not familiar with their support.)