Troubleshooting SSH Client Connection Problems

As with any new remote access client software, there may be a need to figure out why a client connection fails. Fortunately, the PIX has debug ssh to make life easier on you. If you have previous experience using debug commands with Cisco IOS, you know that debug output can be very cryptic. I'm pleased to report the output of debug ssh is very readable and points right to the source of the problem. Let's take a look at some common scenarios and how debug ssh can make your life easier.

First, what does a normal ssh session look like? Turn on ssh debugging by using the debug ssh command. Notice that the authentication request for user pix was successful:

percival(config)# debug ssh

SSH debugging on

Example 1 shows the output for a successful SSH session:

Example 1	Successful SSH Session Establishment
Device opened successfully.
SSH: host key initialized
SSH: license supports DES: 1
SSH0: SSH client: IP = '192.168.111.7' interface # = 1
SSH0: starting SSH control process
SSH0: Exchanging versions - SSH-1.5-Cisco-1.25
SSH0: client version is - SSH-1.5-2.4.0 (compat mode)
SSH0: begin server key generation
SSH0: complete server key generation, elapsed time = 2970 ms
SSH0: declare what cipher(s) we support: 0x00 0x00 0x00 0x04 
SSH0: SSH_SMSG_PUBLIC_KEY message sent
SSH0: SSH_CMSG_SESSION_KEY message received - msg type 0x03, length 272
SSH0: client requests DES cipher: 2
SSH0: keys exchanged and encryption on
SSH: Installing crc compensation attack detector.
SSH0: authentication request for userid pix
SSH(pix): user authen method is 'no AAA', aaa server group ID = 0
SSH0: authentication successful for pix
SSH0: invalid request - 0x22
SSH0: starting exec shell

What happens if a user doesn't use pix as the username? The PIX rejects the username cisco in Example 2:

Example 2	Invalid Username
Device opened successfully.
SSH: host key initialized
SSH0: SSH client: IP = '192.168.111.5' interface # = 1
SSH0: starting SSH control process
SSH0: Exchanging versions - SSH-1.5-Cisco-1.25
SSH0: client version is - SSH-1.5-2.4.0 (compat mode)
SSH0: begin server key generation
SSH0: complete server key generation, elapsed time = 3050 ms
SSH0: declare what cipher(s) we support: 0x00 0x00 0x00 0x04 
SSH0: SSH_SMSG_PUBLIC_KEY message sent
SSH0: SSH_CMSG_SESSION_KEY message received - msg type 0x03, length 272
SSH0: client requests DES cipher: 2
SSH0: keys exchanged and encryption on
SSH0: authentication request for userid cisco
SSH(cisco): user authen method is 'no AAA', aaa server group ID = 0
SSH0: invalid userid cisco
SSH0: authentication failed for cisco
SSH0: Session disconnected by SSH server - error 0x0d "Rejected by server"

Note

The only acceptable username is pix.

Example 3 illustrates authentication failure due to the user entering the wrong telnet password:

Example 3	Invalid Password
Device opened successfully.
SSH: host key initialized
SSH0: SSH client: IP = '192.168.111.5' interface # = 1
SSH0: starting SSH control process
SSH0: Exchanging versions - SSH-1.5-Cisco-1.25
SSH0: client version is - SSH-1.5-2.4.0 (compat mode)
SSH0: begin server key generation
SSH0: complete server key generation, elapsed time = 1370 ms
SSH0: declare what cipher(s) we support: 0x00 0x00 0x00 0x04 
SSH0: SSH_SMSG_PUBLIC_KEY message sent
SSH0: SSH_CMSG_SESSION_KEY message received - msg type 0x03, length 272
SSH0: client requests DES cipher: 2
SSH0: keys exchanged and encryption on
SSH0: authentication request for userid pix
SSH(pix): user authen method is 'no AAA', aaa server group ID = 0
SSH0: password authentication failed for pix
SSH0: password authentication failed for pix
SSH0: password authentication failed for pix
SSH0: authentication failed for pix
SSH0: Session disconnected by SSH server - error 0x0d "Rejected by server"

Both the SSH Client and the SSH Server must exchange Public Keys before the session can be encrypted. Example 4 shows what happens if you forget to generate an RSA Key pair:

Example 4	No RSA Key on the PIX
Device opened successfully.
SSH: unable to retrieve host public key for percival.cisco.com', terminate
SSH connection.
SSH-2145046632: Session disconnected by SSH server - error 0x00 "Internal error"
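As an added illustration (this is not code from the original article), the following Python script reduces a debug ssh transcript to one of the four outcomes shown in Examples 1 through 4, so a long capture can be skimmed for the decisive line. The sample transcripts are condensed from those examples, and the outcome labels are my own.

```python
import re

# Constructed samples: the decisive `debug ssh` lines from the article's Examples 1-4.
SAMPLES = {
    "ex1_success": "SSH0: authentication request for userid pix\n"
                   "SSH0: authentication successful for pix\n"
                   "SSH0: starting exec shell\n",
    "ex2_bad_user": "SSH0: authentication request for userid cisco\n"
                    "SSH0: invalid userid cisco\n"
                    'SSH0: Session disconnected by SSH server - error 0x0d "Rejected by server"\n',
    "ex3_bad_pass": "SSH0: authentication request for userid pix\n"
                    "SSH0: password authentication failed for pix\n"
                    "SSH0: password authentication failed for pix\n"
                    "SSH0: password authentication failed for pix\n"
                    'SSH0: Session disconnected by SSH server - error 0x0d "Rejected by server"\n',
    "ex4_no_key": "SSH: unable to retrieve host public key for percival.cisco.com', terminate\n"
                  "SSH connection.\n"
                  'SSH-2145046632: Session disconnected by SSH server - error 0x00 "Internal error"\n',
}

# (regex, outcome it proves); a later match overrides an earlier one, as the transcript narrows the cause.
RULES = [
    (re.compile(r"unable to retrieve host public key"), "no-host-key"),
    (re.compile(r"invalid userid \S+"), "invalid-username"),
    (re.compile(r"password authentication failed for \S+"), "bad-password"),
    (re.compile(r"authentication successful for \S+"), "success"),
]
RE_USER = re.compile(r"authentication request for userid (\S+)")
RE_ERR = re.compile(r'error (0x[0-9a-fA-F]+) "([^"]*)"')


def classify_debug_ssh(transcript):
    """Reduce one `debug ssh` transcript to why the session ended."""
    result = {"outcome": "incomplete", "userid": None,
              "password_failures": 0, "server_error": None}
    for line in transcript.splitlines():
        if m := RE_USER.search(line):
            result["userid"] = m.group(1)
        if m := RE_ERR.search(line):
            result["server_error"] = f"{m.group(1)} {m.group(2)}"
        for rx, outcome in RULES:
            if rx.search(line):
                result["outcome"] = outcome
                if outcome == "bad-password":
                    result["password_failures"] += 1
    return result


def triage(samples=SAMPLES):
    # One-line verdict per transcript, for skimming a long debug capture.
    return {name: classify_debug_ssh(text)["outcome"] for name, text in samples.items()}
```

A transcript that ends before any decisive line (for example, one cut off during key exchange) is reported as "incomplete" rather than guessed at.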