SSH connection to Nortel/Avaya Switch



kandaur89
16-Jun-2014, 07:04
Hello.

I have a problem like the one described at this link (https://bugzilla.mindrot.org/show_bug.cgi?id=2116) on my SLES 11 SP3.
The point is that, starting with version 6.2p1, ssh client connections to Nortel/Avaya ERS 5600 series switches fail. Connections with 6.1p1 and earlier do not exhibit this problem.

Can anybody provide me with an RPM or another solution for downgrading my OpenSSH client to 6.1p1?

Thanks.

mikewillis
16-Jun-2014, 08:33
The link you post goes to a Bad Gateway error.

Downgrading your SSH client is a very bad idea. It's not clear whether the issue is in OpenSSH or the SSH server being used by the switch. Have you tried contacting the switch vendor? Are you able to open a Service Request with SUSE (https://www.suse.com/support/)? It's not a SUSE issue but it's possible they might be able to help.



OpenSUSE 12.2 has 6.0p1 and openSUSE 12.3 has 6.1p1. You could install one of them in a virtual machine and see if you are able to connect to your switches with that. If you can, use that VM for connecting to the switches, but nothing else.

kandaur89
16-Jun-2014, 09:18
> The link you post goes to a Bad Gateway error.

Luckily I had kept the tab open in my browser before the website crashed. A copy of the page is here (https://drive.google.com/file/d/0B0lvBodqNf7UOFFkSTJvMFdyY1k/edit?usp=sharing)


> OpenSUSE 12.2 has 6.0p1 and openSUSE 12.3 has 6.1p1. You could install one of them in a virtual machine and see if you are able to connect to your switches with that. If you can, use that VM for connecting to the switches, but nothing else.

Unfortunately, I have no possibility of installing openSUSE at my client's site, and I have no other Avaya switch for testing at my site.
I've also opened a case with the vendor's support, but I'd like to try downgrading OpenSSH on my SLES server as a temporary solution.

ab
16-Jun-2014, 11:00
Per the link you provided this looks like an Avaya bug. Did you try the
workaround listed?

Code:
--------------------
ssh -o MACs=hmac-md5 yourswitch.goes.here
--------------------

If that works, you can make this automatic on your client system using a
~/.ssh/config file, or you could modify the system's /etc/ssh/ssh_config
file for a system-wide change.

In the meantime, perhaps get Nortel/Avaya to fix their SSH implementation.
Since the last comment in that report is a year old hopefully the fix is
available from them already, and if not, well, that could be bad; there is
mention in the report of the server side crashing due to the
high-encryption options and if that's the case the possibility of an
exploit is higher than it should probably be for a network appliance like
this.

--
Good luck.


kandaur89
17-Jun-2014, 06:20
> Code:
> --------------------
> ssh -o MACs=hmac-md5 yourswitch.goes.here
> --------------------
>
> If that works, you can make this automatic on your client system using a
> ~/.ssh/config file, or you could modify the system's /etc/ssh/ssh_config
> file for a system-wide change.

Looks like it helped.
Thank you.
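
An added example (not from the thread or from OpenSSH): the MACs workaround discussed above written as a per-host ~/.ssh/config stanza, next to the system-wide form, with a small Python audit that reports where an MD5-based MAC is enabled and whether it applies to every host. Both sample configs are constructed, and the function name audit_macs is hypothetical.

```python
import re

# Constructed sample: workaround limited to the one affected switch.
SCOPED_CONFIG = """\
# ~/.ssh/config
Host yourswitch.goes.here
    MACs hmac-md5
"""

# Constructed sample: same option with no Host restriction,
# as it would look in /etc/ssh/ssh_config.
SYSTEM_WIDE_CONFIG = """\
MACs=hmac-md5,hmac-sha1
Host *
    ForwardX11 no
"""

def audit_macs(config_text):
    """Return (scope, mac, applies_to_all_hosts) for each MD5-based MAC set."""
    findings = []
    patterns = ["*"]  # options before any Host line apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config accepts "Key value" and "Key=value"; keywords ignore case
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            patterns = value.split()
        elif key == "match":
            patterns = ["*"] if value.lower() == "all" else ["Match " + value]
        elif key == "macs" and not value.startswith("-"):
            broad = "*" in patterns  # a bare "*" pattern matches all hosts
            for mac in value.lstrip("+^").split(","):
                if "md5" in mac.lower():
                    findings.append((" ".join(patterns), mac.strip(), broad))
    return findings

if __name__ == "__main__":
    for name, text in (("scoped", SCOPED_CONFIG), ("system-wide", SYSTEM_WIDE_CONFIG)):
        for scope, mac, broad in audit_macs(text):
            print(f"{name}: {mac} for '{scope}'" + (" (ALL HOSTS)" if broad else ""))
```

Findings flagged as applying to all hosts are the ones to narrow to a Host block, and to remove once the switch firmware no longer needs the option.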