NETCONF-408

unable to mount Cisco NSO from Boron/Carbon


    • Bug
    • Resolution: Unresolved
    • netconf
    • Operating System: All
      Platform: All

    • 8297

      I can mount Cisco NSO 4.3.2 OK from Beryllium-SR4 using NETCONF/YANG, but with Boron or Carbon I get this error:

      2017-04-25 14:10:38,843 | DEBUG | oupCloseable-3-3 | AsyncSshHandler | 180 - org.opendaylight.netconf.netty-util - 1.1.3.Boron-SR3 | SSH session connecting on channel [id: 0x334cae26]. promise: null
      2017-04-25 14:10:38,844 | DEBUG | oupCloseable-3-3 | AsyncSshHandler | 180 - org.opendaylight.netconf.netty-util - 1.1.3.Boron-SR3 | Starting SSH to /192.168.52.133:2022 on channel: [id: 0x334cae26]
      2017-04-25 14:10:38,845 | INFO | 7]-nio2-thread-2 | ClientSessionImpl | 30 - org.apache.sshd.core - 0.14.0 | Client session created
      2017-04-25 14:10:38,845 | INFO | 7]-nio2-thread-2 | ClientSessionImpl | 30 - org.apache.sshd.core - 0.14.0 | Server version string: SSH-2.0-NCS-4.3.2
      2017-04-25 14:10:38,850 | WARN | 7]-nio2-thread-4 | ClientSessionImpl | 30 - org.apache.sshd.core - 0.14.0 | Exception caught
      java.security.InvalidAlgorithmParameterException: DH key size must be multiple of 64, and can only range from 512 to 2048 (inclusive). The specific key size 4096 is not supported
      at com.sun.crypto.provider.DHKeyPairGenerator.initialize(DHKeyPairGenerator.java:128)[sunjce_provider.jar:1.8.0_112]
      at java.security.KeyPairGenerator$Delegate.initialize(KeyPairGenerator.java:674)[:1.8.0_121]
      at java.security.KeyPairGenerator.initialize(KeyPairGenerator.java:411)[:1.8.0_121]
      at org.apache.sshd.common.kex.DH.getE(DH.java:65)[30:org.apache.sshd.core:0.14.0]
      at org.apache.sshd.client.kex.DHGEX.next(DHGEX.java:118)[30:org.apache.sshd.core:0.14.0]
      at org.apache.sshd.common.session.AbstractSession.doHandleMessage(AbstractSession.java:425)[30:org.apache.sshd.core:0.14.0]
      at org.apache.sshd.common.session.AbstractSession.handleMessage(AbstractSession.java:326)[30:org.apache.sshd.core:0.14.0]
      at org.apache.sshd.client.session.ClientSessionImpl.handleMessage(ClientSessionImpl.java:306)[30:org.apache.sshd.core:0.14.0]
      at org.apache.sshd.common.session.AbstractSession.decode(AbstractSession.java:780)[30:org.apache.sshd.core:0.14.0]
      at org.apache.sshd.common.session.AbstractSession.messageReceived(AbstractSession.java:308)[30:org.apache.sshd.core:0.14.0]
      at org.apache.sshd.common.AbstractSessionIoHandler.messageReceived(AbstractSessionIoHandler.java:54)[30:org.apache.sshd.core:0.14.0]
      at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:184)[30:org.apache.sshd.core:0.14.0]
      at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:170)[30:org.apache.sshd.core:0.14.0]
      at org.apache.sshd.common.io.nio2.Nio2CompletionHandler$1.run(Nio2CompletionHandler.java:32)
      at java.security.AccessController.doPrivileged(Native Method)[:1.8.0_121]
      at org.apache.sshd.common.io.nio2.Nio2CompletionHandler.completed(Nio2CompletionHandler.java:30)[30:org.apache.sshd.core:0.14.0]
      at sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:126)[:1.8.0_121]
      at sun.nio.ch.Invoker$2.run(Invoker.java:218)[:1.8.0_121]
      at sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:112)[:1.8.0_121]
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)[:1.8.0_121]
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)[:1.8.0_121]
      at java.lang.Thread.run(Thread.java:745)[:1.8.0_121]
      2017-04-25 14:10:38,871 | TRACE | oupCloseable-3-3 | AsyncSshHandler | 180 - org.opendaylight.netconf.netty-util - 1.1.3.Boron-SR3 | SSH session created on channel: [id: 0x334cae26]

      Using the command line ssh client to connect to NSO (with "-v" enabled) I see:

      OpenSSH_7.2p2 Ubuntu-4ubuntu2.1, OpenSSL 1.0.2g 1 Mar 2016
      debug1: Reading configuration data /etc/ssh/ssh_config
      debug1: /etc/ssh/ssh_config line 19: Applying options for *
      debug1: Connecting to localhost [::1] port 2022.
      debug1: connect to address ::1 port 2022: Connection refused
      debug1: Connecting to localhost [127.0.0.1] port 2022.
      debug1: Connection established.
      debug1: key_load_public: No such file or directory
      debug1: identity file /home/giheron/.ssh/id_rsa type -1
      debug1: key_load_public: No such file or directory
      debug1: identity file /home/giheron/.ssh/id_rsa-cert type -1
      debug1: key_load_public: No such file or directory
      debug1: identity file /home/giheron/.ssh/id_dsa type -1
      debug1: key_load_public: No such file or directory
      debug1: identity file /home/giheron/.ssh/id_dsa-cert type -1
      debug1: key_load_public: No such file or directory
      debug1: identity file /home/giheron/.ssh/id_ecdsa type -1
      debug1: key_load_public: No such file or directory
      debug1: identity file /home/giheron/.ssh/id_ecdsa-cert type -1
      debug1: key_load_public: No such file or directory
      debug1: identity file /home/giheron/.ssh/id_ed25519 type -1
      debug1: key_load_public: No such file or directory
      debug1: identity file /home/giheron/.ssh/id_ed25519-cert type -1
      debug1: Enabling compatibility mode for protocol 2.0
      debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
      debug1: Remote protocol version 2.0, remote software version NCS-4.3.2
      debug1: no match: NCS-4.3.2
      debug1: Authenticating to localhost:2022 as 'admin'
      debug1: SSH2_MSG_KEXINIT sent
      debug1: SSH2_MSG_KEXINIT received
      debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
      debug1: kex: host key algorithm: ssh-rsa
      debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
      debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
      debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<8192<8192) sent
      debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
      debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
      debug1: got SSH2_MSG_KEX_DH_GEX_REPLY
      debug1: Server host key: ssh-rsa SHA256:T0CzmYPZrypHYllwPBw+hlQCgZpQtuFRz9jiVu9roMU
      debug1: Host '[localhost]:2022' is known and matches the RSA host key.
      debug1: Found key in /home/giheron/.ssh/known_hosts:1
      debug1: rekey after 4294967296 blocks
      debug1: SSH2_MSG_NEWKEYS sent
      debug1: expecting SSH2_MSG_NEWKEYS
      debug1: rekey after 4294967296 blocks
      debug1: SSH2_MSG_NEWKEYS received
      debug1: SSH2_MSG_SERVICE_ACCEPT received
      debug1: Authentications that can continue: publickey,password
      debug1: Next authentication method: publickey
      debug1: Trying private key: /home/giheron/.ssh/id_rsa
      debug1: Trying private key: /home/giheron/.ssh/id_dsa
      debug1: Trying private key: /home/giheron/.ssh/id_ecdsa
      debug1: Trying private key: /home/giheron/.ssh/id_ed25519
      debug1: Next authentication method: password

      To check that key I can do:

      giheron@ubuntu:~/.ssh$ ssh-keygen -l -f known_hosts
      2048 SHA256:T0CzmYPZrypHYllwPBw+hlQCgZpQtuFRz9jiVu9roMU |1|J7r4YkXfp17Gb6mYhJPxNOT6qA0=|+MdnkIibfcJU5MW0yz0IV8v8A3k= (RSA)

      So it looks like 2048 bits to me.

      That seems to match the key NSO thinks it's sending:

      giheron@ubuntu:/etc/ncs/ssh$ ssh-keygen -l -f ssh_host_rsa_key.pub
      2048 SHA256:T0CzmYPZrypHYllwPBw+hlQCgZpQtuFRz9jiVu9roMU root@ubuntu (RSA)

      Any ideas?

            giheron@cisco.com Giles Heron
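
Added example (not part of the original report, and not OpenDaylight or Apache SSHD code): a Python triage over lines excerpted from the logs above. It separates the Diffie-Hellman group-exchange modulus size that the Java client rejected (the stack trace places the failure in DHGEX.next and DH.getE) from the RSA host key size that ssh-keygen reports. The function name and report fields are assumptions made for this illustration.

```python
import re

# Lines excerpted from the logs quoted in the report above.
SAMPLE_LOG = """\
java.security.InvalidAlgorithmParameterException: DH key size must be multiple of 64, and can only range from 512 to 2048 (inclusive). The specific key size 4096 is not supported
at org.apache.sshd.common.kex.DH.getE(DH.java:65)[30:org.apache.sshd.core:0.14.0]
at org.apache.sshd.client.kex.DHGEX.next(DHGEX.java:118)[30:org.apache.sshd.core:0.14.0]
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<8192<8192) sent
2048 SHA256:T0CzmYPZrypHYllwPBw+hlQCgZpQtuFRz9jiVu9roMU root@ubuntu (RSA)
"""

JCE_LIMIT = re.compile(r"DH key size must be multiple of (\d+), and can only range "
                       r"from (\d+) to (\d+) \(inclusive\)\. The specific key size (\d+)")
GEX_REQUEST = re.compile(r"SSH2_MSG_KEX_DH_GEX_REQUEST\((\d+)<(\d+)<(\d+)\)")
KEX_ALGO = re.compile(r"kex: algorithm: (\S+)")
HOST_KEY = re.compile(r"^(\d+) (SHA256:\S+) .*\((\w+)\)$", re.M)


def triage(log: str) -> dict:
    """Separate the DH group size from the host key size in a failed key exchange."""
    report = {}
    if m := JCE_LIMIT.search(log):
        step, low, high, offered = map(int, m.groups())
        report["dh_modulus_bits"] = offered          # size the JCE provider refused
        report["client_dh_range"] = (low, high)      # what this Java runtime accepts
        report["dh_within_client_limit"] = (
            low <= offered <= high and offered % step == 0
        )
    # DHGEX frames in the trace mean the failure is in group exchange (RFC 4419),
    # where the server chooses the modulus, before the host key is received.
    report["failed_in_group_exchange"] = "kex.DHGEX.next" in log
    if m := KEX_ALGO.search(log):
        report["reference_client_kex"] = m.group(1)
    if m := GEX_REQUEST.search(log):
        # (min, preferred, max) modulus sizes the OpenSSH client asked for
        report["reference_client_gex"] = tuple(map(int, m.groups()))
    if m := HOST_KEY.search(log):
        report["host_key"] = (m.group(3), int(m.group(1)))  # (type, bits)
    return report


if __name__ == "__main__":
    for field, value in triage(SAMPLE_LOG).items():
        print(f"{field}: {value}")
```
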