
LMS, SSH, Interactive Keyboard & Archive Job Failure

Ian Beck
Level 1

Hi,

As I continue to have issues with LMS, I have been looking at the relevant connections to a Router/Switch when using SSH with LMS, which causes Archive jobs to fail because they do not like to see the "Interactive Keyboard" statement in the login screen, seeing it as an invalid login type.

Using openssh to do some testing, I have found that the IOS devices are offering both the password and interactive keyboard as authentication methods, whereas a Unix device will offer only the password method:

IOS Device :

$ ssh -v ftseops@ubs-s-001

OpenSSH_6.0p1, OpenSSL 1.0.1c 10 May 2012

debug1: Reading configuration data /etc/ssh_config

debug1: Connecting to ubs-s-001 [X.X.X.X] port 22.

debug1: Connection established.

debug1: identity file /cygdrive/c/IanHome/.ssh/id_rsa type -1

debug1: identity file /cygdrive/c/IanHome/.ssh/id_rsa-cert type -1

debug1: identity file /cygdrive/c/IanHome/.ssh/id_dsa type -1

debug1: identity file /cygdrive/c/IanHome/.ssh/id_dsa-cert type -1

debug1: identity file /cygdrive/c/IanHome/.ssh/id_ecdsa type -1

debug1: identity file /cygdrive/c/IanHome/.ssh/id_ecdsa-cert type -1

debug1: Remote protocol version 2.0, remote software version Cisco-1.25

debug1: no match: Cisco-1.25

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_6.0

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug1: kex: server->client aes128-cbc hmac-md5 none

debug1: kex: client->server aes128-cbc hmac-md5 none

debug1: sending SSH2_MSG_KEXDH_INIT

debug1: expecting SSH2_MSG_KEXDH_REPLY

debug1: Server host key: RSA

debug1: Host 'ubs-s-001' is known and matches the RSA host key.

debug1: Found key in /cygdrive/c/IanHome/.ssh/known_hosts:13

debug1: ssh_rsa_verify: signature correct

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug1: SSH2_MSG_NEWKEYS received

debug1: Roaming not allowed by server

debug1: SSH2_MSG_SERVICE_REQUEST sent

debug1: SSH2_MSG_SERVICE_ACCEPT received

debug1: Authentications that can continue: keyboard-interactive,password

debug1: Next authentication method: keyboard-interactive

Password:

IOS Login using putty :

Using username "IanB".

Using keyboard-interactive authentication.

Password:

dcnaservive.log message:

[ Thu Dec 13  15:14:37 GMT 2012 ],INFO ,[Thread-2038],com.cisco.nm.rmeng.util.rmedaa.RMERepository,getAllDeviceAttributes,805,Printing before5

[ Thu Dec 13  15:14:38 GMT 2012 ],ERROR,[Thread-2038],com.cisco.nm.xms.xdi.transport.cmdsvc.LogAdapter,error,19,Unknown authentication method: keyboard-interactive

[ Thu Dec 13  15:15:17 GMT 2012 ],ERROR,[Thread-2038],com.cisco.nm.xms.xdi.transport.cmdsvc.LogAdapter,error,19,IOException received during block() of Channel[UInt32[ 0 ]:UInt32[ 3 ]]

-----------------------------------------------------------------------------

Linux Device :

$ ssh -v ukubs-l02-mdp02

OpenSSH_6.0p1, OpenSSL 1.0.1c 10 May 2012

debug1: Reading configuration data /etc/ssh_config

debug1: Connecting to ukubs-l02-mdp02 [X.X.X.X] port 22.

debug1: Connection established.

debug1: identity file /cygdrive/c/IanHome/.ssh/id_rsa type -1

debug1: identity file /cygdrive/c/IanHome/.ssh/id_rsa-cert type -1

debug1: identity file /cygdrive/c/IanHome/.ssh/id_dsa type -1

debug1: identity file /cygdrive/c/IanHome/.ssh/id_dsa-cert type -1

debug1: identity file /cygdrive/c/IanHome/.ssh/id_ecdsa type -1

debug1: identity file /cygdrive/c/IanHome/.ssh/id_ecdsa-cert type -1

debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3

debug1: match: OpenSSH_4.3 pat OpenSSH_4*

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_6.0

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug1: kex: server->client aes128-ctr hmac-md5 none

debug1: kex: client->server aes128-ctr hmac-md5 none

debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent

debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP

debug1: SSH2_MSG_KEX_DH_GEX_INIT sent

debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY

debug1: Server host key: RSA

debug1: Host 'ukubs-l02-mdp02' is known and matches the RSA host key.

debug1: Found key in /cygdrive/c/IanHome/.ssh/known_hosts:14

debug1: ssh_rsa_verify: signature correct

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug1: SSH2_MSG_NEWKEYS received

debug1: Roaming not allowed by server

debug1: SSH2_MSG_SERVICE_REQUEST sent

debug1: SSH2_MSG_SERVICE_ACCEPT received

debug1: Authentications that can continue: publickey,gssapi-with-mic,password

debug1: Next authentication method: publickey

debug1: Trying private key: /cygdrive/c/IanHome/.ssh/id_rsa

debug1: Trying private key: /cygdrive/c/IanHome/.ssh/id_dsa

debug1: Trying private key: /cygdrive/c/IanHome/.ssh/id_ecdsa

debug1: Next authentication method: password

ianb@ukubs-l02-mdp02's password:

Thus when using putty with the Interactive keyboard enabled, the connection is echoed with the statement when connecting to an IOS device but not when connecting to a Unix/Linux device.

Somewhere here it has to be accepted that there is an issue, which either needs an IOS fix or LMS fix to allow for the use of SSH as an accepted connection method both for administration and LMS Archive.

---------------------------------------------------------

Interestingly, when connecting to an ASA:

$ ssh -v ianb@ukhsl-n01-afw02

OpenSSH_6.0p1, OpenSSL 1.0.1c 10 May 2012

debug1: Reading configuration data /etc/ssh_config

debug1: Connecting to ukhsl-n01-afw02 [X.X.X.X] port 22.

debug1: Connection established.

debug1: identity file /cygdrive/c/IanHome/.ssh/id_rsa type -1

debug1: identity file /cygdrive/c/IanHome/.ssh/id_rsa-cert type -1

debug1: identity file /cygdrive/c/IanHome/.ssh/id_dsa type -1

debug1: identity file /cygdrive/c/IanHome/.ssh/id_dsa-cert type -1

debug1: identity file /cygdrive/c/IanHome/.ssh/id_ecdsa type -1

debug1: identity file /cygdrive/c/IanHome/.ssh/id_ecdsa-cert type -1

debug1: Remote protocol version 1.99, remote software version Cisco-1.25

debug1: no match: Cisco-1.25

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_6.0

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug1: kex: server->client aes128-cbc hmac-md5 none

debug1: kex: client->server aes128-cbc hmac-md5 none

debug1: sending SSH2_MSG_KEXDH_INIT

debug1: expecting SSH2_MSG_KEXDH_REPLY

debug1: Server host key: RSA

debug1: Host 'ukhsl-n01-afw02' is known and matches the RSA host key.

debug1: Found key in /cygdrive/c/IanHome/.ssh/known_hosts:15

debug1: ssh_rsa_verify: signature correct

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug1: SSH2_MSG_NEWKEYS received

debug1: Roaming not allowed by server

debug1: SSH2_MSG_SERVICE_REQUEST sent

debug1: SSH2_MSG_SERVICE_ACCEPT received

debug1: Authentications that can continue: password

debug1: Next authentication method: password

ianb@ukhsl-n01-afw02's password:

Putty login :

Using username "IanB".

IanB@ukhsl-n01-afw02's password:

At present I can backup ASA's but none of my Switches or Routers.

Any ideas, thanks

Ian
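The comparison made by hand in the post above can be automated across many devices. This is an added example, not part of the original post or of LMS: it parses concatenated `ssh -v` output, records the first advertised authentication list per host, and flags hosts that offer keyboard-interactive or announce protocol 1.99. The host names and the sample text are constructed.

```python
import re

# Constructed sample: the relevant lines from three concatenated `ssh -v` runs,
# modelled on the output in the post (host names are placeholders).
SAMPLE = """\
debug1: Connecting to ios-switch [X.X.X.X] port 22.
debug1: Remote protocol version 2.0, remote software version Cisco-1.25
debug1: Authentications that can continue: keyboard-interactive,password
debug1: Connecting to linux-host [X.X.X.X] port 22.
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Connecting to asa-fw [X.X.X.X] port 22.
debug1: Remote protocol version 1.99, remote software version Cisco-1.25
debug1: Authentications that can continue: password
"""

HOST = re.compile(r"debug1: Connecting to (\S+) ")
PROTO = re.compile(r"debug1: Remote protocol version (\S+),")
AUTH = re.compile(r"debug1: Authentications that can continue: (\S+)")

def parse_sessions(text):
    """Return one record per connection found in concatenated `ssh -v` output."""
    sessions = []
    for line in map(str.strip, text.splitlines()):
        if m := HOST.match(line):
            sessions.append({"host": m.group(1), "proto": None, "auth": []})
        elif not sessions:
            continue  # debug lines before the first "Connecting to"
        elif m := PROTO.match(line):
            sessions[-1]["proto"] = m.group(1)
        elif (m := AUTH.match(line)) and not sessions[-1]["auth"]:
            # Keep the first list only; it is repeated after each failed attempt.
            sessions[-1]["auth"] = m.group(1).split(",")
    return sessions

def findings(s):
    """Flag the properties relevant to the failure described in the thread."""
    out = []
    if "keyboard-interactive" in s["auth"]:
        out.append("keyboard-interactive offered")
    if s["proto"] == "1.99":  # RFC 4253: server supports 2.0 and older versions
        out.append("server also accepts SSH protocol 1")
    return out

if __name__ == "__main__":
    for s in parse_sessions(SAMPLE):
        print(s["host"], ",".join(s["auth"]), findings(s))
```
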

13 Replies

Ian Beck
Level 1
Level 1

Hi,

I have just checked something else, which is to change the Router to use SSH Version 1, and all works fine.

But a bit of a Security risk, in relation to Version 1 SSH.

Thanks

Hi Ian,

I am facing the exact same issue as described by you. I am unable to generate a Compliance audit report for the Cisco ASR 1002 Router, and after raising a case with Cisco TAC, they have agreed to work on this issue with their development team. I am awaiting their response.

In the meantime, I will configure the Router with SSH v1 and get back to you on this.

Cheers,

Rajkumar G

Hi Rajkumar,

Many thanks for your reply, was wondering if I was the only one with this issue!

Have they given it a bug ID? If so, could you share it with me?

Many thanks

Ian

Looks like the TAC are looking into this and it is under:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCud48443

Hopefully we will get a fix soon.

Hi Ian,

Downgrading the Cisco ASR 1002 to SSH V1 did not solve my issue. I had a WebEx session with Cisco along with a Development Engineer and they have collected some logs. It's under review and I am awaiting their response.

Cheers,

Rajkumar G

Hi,

Many thanks for the update, any information I can help with.

More than happy to help or supply.

Regards

Hi,

As an update, I wonder what version of LMS you are running, 4.2.x?

As I have just downloaded and updated to 4.2.3 and have found that I can now archive all my equipment again!!!

Except for ones I know why and some I need to investigate, but I have the majority.

If you can go to 4.2.3, it would be interesting to see if you get the same result.

As the question has to be why and what changed???

Regards

Ian

Hi,

We are presently running 4.2.1 and will be upgrading shortly.

Moreover, bug fixes in the upgraded version are listed in the link below.

http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.2.3/release/notes/lms4_2_3_release_notes.html#wp1243859

Cheers,

Rajkumar G

Hi Rajkumar

I had seen the bug fix list but had seen no mention of a fix related to the issues being seen, and yet it is fixed after upgrade!!

Many thanks

Ian

Hi Ian,

What are the precautions that need to be exercised while upgrading to 4.2.3?

From the documents available I understand that it has to be migrated to 4.2.2 first and then to 4.2.3.

Is there anything else that needs to be done?

Many thanks,

Rajkumar G

Hi Rajkumar,

Apart from the usual, no, the upgrade was easy and painless. I was already on 4.2.2.

As I run the Server in VMWare I just turned on Snap, for precaution.

Regards

Ian

Dear Ian,

Upgrading to LMS 4.2.3 did not solve my issue relating to LMS not being able to generate the Vendor Advisory Report (PSIRT) for the ASR 1002 with SSH enabled.

We had to enable Telnet in order to generate the PSIRT report for the ASR 1002 Router.

Regards,

Rajkumar G

Hi Rajkumar,

Thanks for the update, at least from the TAC point of view you are on the latest version, which is where they would want you to be.

I don't actually have that option.

Regards

Ian
