Juniper J-Series routers have two possible install images, domestic and export. The "domestic" one supports useful encryption features, but is not able to exported outside North America due to paranoia about "strong" encryption being used in the outside world. The "export" one can be used anywhere, but has only basic encryption features. One of these basic encryption features is that ssh is limited to Single DES, which is considered quite weak now (primarily due to short key length) some 30 years after it was first standardised.
One of the implications of only Single DES on the "export" software image is that openssh, as used on most unix systems, is unable to connect to it, because openssh removed support for the Single DES mode many years ago due to it being insecure. However while Single DES is fairly insecure it is somewhat more secure than using, eg, telnet and sending the data in plain text. So it'd be nice to be able to use ssh even in Single DES mode if no better encryption is available.
The most commonly recommended work around (aside from "install the domestic image on the J-Series") is to use putty which still retains support for these older algorithms (but does pop up a warning for any algorithms it considers insecure).
Putty is originally a windows program, but has been ported to Linux/Unix and is packaged in at least Ubuntu and MacPorts. In theory the port can be installed with:
port install putty
However it's a sufficiently old port that it requires the old GTK+ 1.x graphics library ("gtk1") and that cannot be installed at present due to issue with gettext. The recommended work around is to temporarily downgrade the "gettext" port from 0.18 (latest version) to 0.17 (previous version), do the install, and then upgrade again, viz:
sudo port deactivate gettext
sudo port activate gettext @0.17_4
sudo port install putty
sudo port deactivate gettext
sudo port activate gettext @0.18_0
The newer port needs to be activated again after putty is compiled
in order that programs compiled against the newer libraries don't
fail their "version compiled against or newer" check. port
installed gettext
can be used to determine which versions
are available to activate; and if the older version hasn't already
been installed previously then some more work is required to get
the older version and install
it.
Having installed putty
, it can be run and used to
connect to the Juniper. The most useful way to set it up is create
a custom profile:
Connection/Data: enter username to send to router (Auto-login username)
Connection/SSH: move "DES" cypher up above the "-- warn below here --" line (since this is the weak cypher that the Export version requires, we already know it is weak and don't want to be alerted every time)
Session: enter Hostname/IP address, and choose SSH
Session: Enter hostname below "Saved Sessions" and hit "Save" to save the custom profile
Test the profile works by connecting and verifying that the you can log in without warnings.
Providing it does work, you can then run putty directly from the command line with the custom profile via:
putty -load PROFILENAME
and it should auto-connect to the router and wait for you to enter the password to log in (and then automatically exit when you log out of the router); almost as convenient as OpenSSH, except that it runs in its own window (but things like cut'n'paste do work in X11-like ways).
(The profiles are saved in ~/.putty/sessions
in a plain
text configuration format so are easy to find and review.)
ETA, 2010-08-18: It's also possible to use "plink" for a text shell based connection, with similar parameters, viz:
plink -load PROFILENAME
and the profile can contain only the line allowing appropriate ciphers leaving the rest to be set from the command line, viz:
mkdir .putty/sessions
echo "Cipher=aes,blowfish,3des,des,WARN,arcfour" |
tee .putty/sessions/single-des-allowed
plink -load single-des-allowed USER@HOST
which allows the use of tools like rancid that need a text login, with a simple wrapper script:
#! /bin/sh
# Rancid ssh wrapper to use plink/single DES
#
if [ "$1" = "-c" ]; then
shift
shift
fi
exec /usr/bin/plink -load single-des-juniper "$@"
(the "-c 3des" is the first argument from rancid, and needs to be swallowed both because putty/plink doesn't support that argument, and because the router doesn't support 3DES, only (single) DES.)
On an extremely loosely related note, the perl Net::SMTP
auth()
function auto-detects SMTP AUTH methods, and
it appears that DIGEST-MD5 will be chosen if offered but doesn't
actually work at least against Sendmail
8.14.
test.smtp.org is very useful for testing
such problems since it provides a black hole against which SMTP
AUTH can be tested. msmtp is very
useful for providing another test client since it's written in a
different language (C) and thus doesn't share any code in common.
smtp-cli, written in
perl, also looks very useful, but does not have DIGEST-MD5 support
because it didn't work reliably (and references an IETF SASL thread
suggesting deprecating
DIGEST-MD5).