LMS, SSH, Interactive Keyboard & Archive Job Failure

Unanswered Question
Dec 13th, 2012

Hi,

As I continue to have issues with LMS, I have been looking at the relevant connections to a Router/Switch when using SSH with LMS, which causes Archive jobs to fail because they do not like to see the "Interactive Keyboard" statement in the login screen, seeing it as an invalid login type.

Using OpenSSH to do some testing, I have found that the IOS devices are offering both password and interactive keyboard as an authentication method, whereas a Unix device will offer only the password method:

IOS Device:

$ ssh -v ftseops@ubs-s-001
OpenSSH_6.0p1, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to ubs-s-001 [X.X.X.X] port 22.
debug1: Connection established.
debug1: identity file /cygdrive/c/IanHome/.ssh/id_rsa type -1
debug1: identity file /cygdrive/c/IanHome/.ssh/id_rsa-cert type -1
debug1: identity file /cygdrive/c/IanHome/.ssh/id_dsa type -1
debug1: identity file /cygdrive/c/IanHome/.ssh/id_dsa-cert type -1
debug1: identity file /cygdrive/c/IanHome/.ssh/id_ecdsa type -1
debug1: identity file /cygdrive/c/IanHome/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version Cisco-1.25
debug1: no match: Cisco-1.25
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug1: Server host key: RSA
debug1: Host 'ubs-s-001' is known and matches the RSA host key.
debug1: Found key in /cygdrive/c/IanHome/.ssh/known_hosts:13
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: keyboard-interactive,password
debug1: Next authentication method: keyboard-interactive
Password:

IOS Login using PuTTY:

Using username "IanB".
Using keyboard-interactive authentication.
Password:

dcnaservice.log message:

[ Thu Dec 13  15:14:37 GMT 2012 ],INFO ,[Thread-2038],com.cisco.nm.rmeng.util.rmedaa.RMERepository,getAllDeviceAttributes,805,Printing before5
[ Thu Dec 13  15:14:38 GMT 2012 ],ERROR,[Thread-2038],com.cisco.nm.xms.xdi.transport.cmdsvc.LogAdapter,error,19,Unknown authentication method: keyboard-interactive
[ Thu Dec 13  15:15:17 GMT 2012 ],ERROR,[Thread-2038],com.cisco.nm.xms.xdi.transport.cmdsvc.LogAdapter,error,19,IOException received during block() of Channel[UInt32[ 0 ]:UInt32[ 3 ]]

-----------------------------------------------------------------------------

Linux Device:

$ ssh -v ukubs-l02-mdp02
OpenSSH_6.0p1, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to ukubs-l02-mdp02 [X.X.X.X] port 22.
debug1: Connection established.
debug1: identity file /cygdrive/c/IanHome/.ssh/id_rsa type -1
debug1: identity file /cygdrive/c/IanHome/.ssh/id_rsa-cert type -1
debug1: identity file /cygdrive/c/IanHome/.ssh/id_dsa type -1
debug1: identity file /cygdrive/c/IanHome/.ssh/id_dsa-cert type -1
debug1: identity file /cygdrive/c/IanHome/.ssh/id_ecdsa type -1
debug1: identity file /cygdrive/c/IanHome/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH_4*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA
debug1: Host 'ukubs-l02-mdp02' is known and matches the RSA host key.
debug1: Found key in /cygdrive/c/IanHome/.ssh/known_hosts:14
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Trying private key: /cygdrive/c/IanHome/.ssh/id_rsa
debug1: Trying private key: /cygdrive/c/IanHome/.ssh/id_dsa
debug1: Trying private key: /cygdrive/c/IanHome/.ssh/id_ecdsa
debug1: Next authentication method: password
ianb@ukubs-l02-mdp02's password:

Thus when using PuTTY with the interactive keyboard enabled, the connection is echoed with the statement when connecting to an IOS device but not when connecting to a Unix/Linux device.

Somewhere here it has to be accepted that there is an issue, which needs either an IOS fix or an LMS fix to allow for the use of SSH as an accepted connection method both for administration and LMS Archive.

---------------------------------------------------------

Interestingly, when connecting to an ASA:

$ ssh -v ianb@ukhsl-n01-afw02
OpenSSH_6.0p1, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to ukhsl-n01-afw02 [X.X.X.X] port 22.
debug1: Connection established.
debug1: identity file /cygdrive/c/IanHome/.ssh/id_rsa type -1
debug1: identity file /cygdrive/c/IanHome/.ssh/id_rsa-cert type -1
debug1: identity file /cygdrive/c/IanHome/.ssh/id_dsa type -1
debug1: identity file /cygdrive/c/IanHome/.ssh/id_dsa-cert type -1
debug1: identity file /cygdrive/c/IanHome/.ssh/id_ecdsa type -1
debug1: identity file /cygdrive/c/IanHome/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 1.99, remote software version Cisco-1.25
debug1: no match: Cisco-1.25
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug1: Server host key: RSA
debug1: Host 'ukhsl-n01-afw02' is known and matches the RSA host key.
debug1: Found key in /cygdrive/c/IanHome/.ssh/known_hosts:15
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: password
debug1: Next authentication method: password
ianb@ukhsl-n01-afw02's password:

PuTTY login:

Using username "IanB".
IanB@ukhsl-n01-afw02's password:

At present I can back up ASAs but none of my Switches or Routers.

Any ideas, thanks

Ian
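As an added example (not from the post, and not LMS code), here is a small Python checker over constructed excerpts of the three `ssh -v` sessions and the LMS error line above: it extracts the authentication methods each device offers and flags hosts whose first listed method is one the client does not implement. It assumes an archive client that implements only password authentication and stops at the first method it does not know, which is what the "Unknown authentication method" error suggests; the host labels, `CLIENT_METHODS` and the log excerpt are assumptions.

```python
import re

# Constructed, abridged excerpts of the three `ssh -v` sessions quoted above.
SESSIONS = {
    "ubs-s-001 (IOS)": (
        "debug1: Remote protocol version 2.0, remote software version Cisco-1.25\n"
        "debug1: Authentications that can continue: keyboard-interactive,password\n"),
    "ukubs-l02-mdp02 (Linux)": (
        "debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3\n"
        "debug1: Authentications that can continue: publickey,gssapi-with-mic,password\n"),
    "ukhsl-n01-afw02 (ASA)": (
        "debug1: Remote protocol version 1.99, remote software version Cisco-1.25\n"
        "debug1: Authentications that can continue: password\n"),
}
# Constructed log line modelled on the LMS error message quoted in the post.
LMS_LOG = ("[ Thu Dec 13  15:14:38 GMT 2012 ],ERROR,[Thread-2038],"
           "com.cisco.nm.xms.xdi.transport.cmdsvc.LogAdapter,error,19,"
           "Unknown authentication method: keyboard-interactive\n")
# Assumption: the archive client only implements password authentication.
CLIENT_METHODS = {"password"}

VER_RE = re.compile(r"Remote protocol version (\S+), remote software version (\S+)")
AUTH_RE = re.compile(r"Authentications that can continue: (\S+)")
UNKNOWN_RE = re.compile(r"ERROR,.*Unknown authentication method: (\S+)")

def parse_session(text):
    """Return protocol version, server banner and offered methods in server order."""
    info = {"protocol": None, "software": None, "methods": []}
    for line in text.splitlines():
        if m := VER_RE.search(line):
            info["protocol"], info["software"] = m.groups()
        if m := AUTH_RE.search(line):
            info["methods"] = m.group(1).split(",")
    return info

def assess(info, supported=CLIENT_METHODS):
    """'ok' if the first offered method is supported, 'fallback' if only a later
    one is (a client that stops at the first unknown method fails here), else 'none'."""
    offered = info["methods"]
    if not any(m in supported for m in offered):
        return "none"
    return "ok" if offered[0] in supported else "fallback"

def unknown_methods(log):
    """Collect the method names that LMS log lines report as unknown."""
    return sorted({m.group(1) for m in UNKNOWN_RE.finditer(log)})

if __name__ == "__main__":
    for host, text in SESSIONS.items():
        print(host, "->", assess(parse_session(text)), unknown_methods(LMS_LOG))
```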

Ian Beck Thu, 12/13/2012 - 09:05

Hi,

I have just checked something else, which is to change the Router to use SSH Version 1, and all works fine.

But it is a bit of a security risk, in relation to Version 1 SSH.

Thanks

nettarzan Sat, 12/15/2012 - 03:09

Hi Ian,

I am facing the exact same issue as described by you. I am unable to generate a Compliance audit report for a Cisco ASR 1002 Router, and after raising a case with Cisco TAC, they have agreed to work on this issue with their development team. I am awaiting their response.

In the meantime, I will configure the Router with SSH v1 and get back to you on this.

Cheers,

Rajkumar G

Ian Beck Mon, 12/17/2012 - 02:06

Hi Rajkumar,

Many thanks for your reply; I was wondering if I was the only one with this issue!

Have they given it a bug ID? If so, could you share it with me?

Many thanks

Ian

nettarzan Wed, 12/26/2012 - 21:49

Hi Ian,

Downgrading Cisco ASR 1002 to SSH V1 did not solve my issue. I had a WebEx session with Cisco along with a Development Engineer and they have collected some logs. It's under review and I am awaiting their response.

Cheers,

Rajkumar G

Ian Beck Thu, 12/27/2012 - 02:16

Hi,

Many thanks for the update. Any information I can help with,

I am more than happy to help or supply.

Regards

Ian Beck Thu, 12/27/2012 - 05:05

Hi,

As an update, I wonder what version of LMS you are running, 4.2.x?

I have just downloaded and updated to 4.2.3 and have found that I can now archive all my equipment again!!!

Except for the ones where I know why and some I need to investigate, but I have the majority.

If you can go to 4.2.3, it would be interesting to see if you get the same result.

As the question has to be: why, and what changed???

Regards

Ian

Ian Beck Fri, 12/28/2012 - 03:22

Hi Rajkumar

I had seen the bug fix list but had seen no mention of a fix related to the issues being seen, and yet it is fixed after the upgrade!!

Many thanks

Ian

nettarzan Mon, 12/31/2012 - 02:13

Hi Ian,

What are the precautions that need to be exercised while upgrading to 4.2.3?

From the documents available, I understand that it has to be migrated to 4.2.2 first and then to 4.2.3.

Is there anything else that needs to be done?

Many thanks,

Rajkumar G

Ian Beck Mon, 12/31/2012 - 03:34

Hi Rajkumar,

Apart from the usual, no, the upgrade was easy and painless. I was already on 4.2.2.

As I run the Server in VMware, I just turned on Snap as a precaution.

Regards

Ian

nettarzan Fri, 01/04/2013 - 01:19

Dear Ian,

Upgrading to LMS 4.2.3 did not solve my issue relating to LMS not being able to generate a Vendor Advisory Report (PSIRT) for ASR 1002 with SSH enabled.

We had to enable Telnet in order to generate the PSIRT report for the ASR 1002 Router.

Regards,

Rajkumar G

Ian Beck Fri, 01/04/2013 - 01:34

Hi Rajkumar,

Thanks for the update; at least from the TAC point of view you are on the latest version, which is where they would want you to be.

I don't actually have that option.

Regards

Ian

Posted December 13, 2012 at 8:13 AM