Benjamin Krajmalnik | 29 May 2012 23:45

Issue connecting to Netscreen/Juniper devices

I have written a wrapper for LibSSH2 for Clarion, and while I have
been successful accessing Unix devices without any issue, I am having
issues accessing Juniper/Netscreen devices.
I am using LibSSH2 ver. 1.2.7 (windows binaries).
The steps I am following are:

1.  Create a socket  - no errors
2.  Connect to the socket - no errors
3.  Call libssh2_init (Flags set to 0) - no errors
4. Call libssh2_session_init_ex(0, 0, 0, 0) - no errors
5. Call libssh2_session_startup(session, socket) - no errors
I proceed through the authentication process without any errors.

Once I have authenticated, I attempt to open a channel shell as follows:
Session type is set to 'session',

    SELF.ChannelShell = PARENT.channel_open_ex(SELF.Session, |
        ADDRESS(SessionType), LEN(SessionType), |
        LIBSSH2_CHANNEL_WINDOW_DEFAULT, LIBSSH2_CHANNEL_PACKET_DEFAULT, 0, 0)

     IF SELF.ChannelShell = 0
        FunctionName = ' - (channel_open_ex)'
        BREAK
     END

     IF PARENT.channel_request_pty_ex(SELF.ChannelShell, |
         ADDRESS(STerm), LEN(STerm), 0, 0, TermWidth, TermHeight, |
         LIBSSH2_TERM_WIDTH_PX, LIBSSH2_TERM_HEIGHT_PX) <> 0
        FunctionName = ' - (channel_request_pty_ex)'
        BREAK

Peter Stuge | 30 May 2012 01:10

Re: Issue connecting to Netscreen/Juniper devices

Benjamin Krajmalnik wrote:
> I have written a wrapper for LibSSH2 for Clarion, and while I have
> been successful accessing Unix devices without any issue, I am having
> issues accessing Juniper/Netscreen devices.

Can you log in to the device using OpenSSH? Both using -t and -T
(one at a time) options?

//Peter
_______________________________________________
libssh2-devel http://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel

Benjamin Krajmalnik | 30 May 2012 03:13

Re: Issue connecting to Netscreen/Juniper devices

Connected from a FreeBSD box using OpenSSH 4.5.
Either option (-t and -T) worked fine.
The one difference I can see is that the windows build which I am
running is built with libcrypt (it is the latest windows binary which
was available - 1.2.7) whereas the OpenSSH on FreeBSD is built with
OpenSSL.

Only difference between both methods was that -t gave me a "--- more
---" prompt between pages, whereas -T just displayed all rows from a
command without stopping.

On Tue, May 29, 2012 at 5:10 PM, Peter Stuge <peter@...> wrote:
> Benjamin Krajmalnik wrote:
>> I have written a wrapper for LibSSH2 for Clarion, and while I have
>> been successful accessing Unix devices without any issue, I am having
>> issues accessing Juniper/Netscreen devices.
>
> Can you log in to the device using OpenSSH? Both using -t and -T
> (one at a time) options?
>
>
> //Peter

Benjamin Krajmalnik | 5 Jun 2012 20:18

Re: Issue connecting to Netscreen/Juniper devices

Peter, did you need any more info from me concerning this issue?
As I mentioned previously both switches dealing with the
pseudoterminal worked fine from OpenSSH.
If you need access to a device, I will be more than happy to make one
available for you to access.
I was running the 1.27 version of LibSSH2 which is the latest I had found.
Still trying to get a hold of a 1.4.1 windows DLL set.

On Tue, May 29, 2012 at 7:13 PM, Benjamin Krajmalnik
<bkrajmalnik@...> wrote:
> Connected from a FreeBSD box using OpenSSH 4.5.
> Either option (-t and -T) worked fine.
> The one difference I can see is that the windows build which I am
> running is built with libcrypt (it is the latest windows binary which
> was available - 1.2.7) whereas the OpenSSH on FreeBSD is built with
> OpenSSL.
>
> Only difference between both methods was that -t gave me a "--- more
> ---" prompt between pages, whereas -T just displayed all rows from a
> command without stopping.
>
>
> On Tue, May 29, 2012 at 5:10 PM, Peter Stuge <peter@...> wrote:
>> Benjamin Krajmalnik wrote:
>>> I have written a wrapper for LibSSH2 for Clarion, and while I have
>>> been successful accessing Unix devices without any issue, I am having
>>> issues accessing Juniper/Netscreen devices.
>>
>> Can you log in to the device using OpenSSH? Both using -t and -T
>> (one at a time) options?

Guenter | 5 Jun 2012 20:56

Re: Issue connecting to Netscreen/Juniper devices

Hi Benjamin,
On 05.06.2012 20:18, Benjamin Krajmalnik wrote:
> Still trying to get a hold of a 1.4.1 windows DLL set.
if MinGW DLLs are ok for you then try this archive:
http://curl.haxx.se/gknw.net/7.26.0/dist-w32/curl-7.26.0-devel-mingw32.zip
it contains libssh2 1.4.2 as well as openssl and zlib DLLs.

Gün.


Benjamin Krajmalnik | 6 Jun 2012 08:07

Re: Issue connecting to Netscreen/Juniper devices

Hi Guenter,

Thank you very much for the build.  Unfortunately, the way I have it
coded is still giving me an error "Unable to complete request for
channel request_pty" (error code -22).
I wonder if anyone has been able to get it to connect, maybe using a
different set of API calls.

Peter, the build Guenter was so kind to point me to uses OpenSSL so
it now was an even comparison.  As mentioned, I am able to access the
firewall via SSH with OpenSSH, putty, SecureCRT - pretty much every
client I have tried so far.  libssh2 with the sequence of commands I
documented above is failing.

Benjamin Krajmalnik | 6 Jun 2012 09:23

Re: Issue connecting to Netscreen/Juniper devices

Peter,
Have been playing a bit more, and have some new findings.
On the newer models (SSG series as opposed to the NS series), I was
able to make it work.  I am going to play some more with it tomorrow
on the older version and see if I can get it to work. I think it is
just a matter of the old version not being as forgiving as the new
one.  Will keep you posted.  Thanks to everyone for your help.

Benjamin Krajmalnik | 7 Jun 2012 03:08

Re: Issue connecting to Netscreen/Juniper devices

I made some changes to the code but still cannot get it to connect to
the older netscreens.
I went back to connect using OpenSSH, and it definitely behaves nicer
(as intended) using the -t option.
I added some debugging code into my interface to see what is going on
outside the library (in my code) and compared the behavior between
connecting to a Unix SSH server or a newer gen Netscreen.
From what I can see anytime we try to create a pseudoterminal we are
getting an error -22 (LIBSSH2_ERROR_CHANNEL_REQUEST_DENIED).
Whatever is going on is happening within the process, so I have no way
of seeing what is going on.
I thought maybe it was an issue of the terminal type, so I changed the
code to send "vt100" instead of "vanilla", but to no avail.

Daniel Stenberg | 7 Jun 2012 10:03

Re: Issue connecting to Netscreen/Juniper devices

On Wed, 6 Jun 2012, Benjamin Krajmalnik wrote:

> From what I can see anytime we try to create a pseudoterminal we are
> getting an error -22 (LIBSSH2_ERROR_CHANNEL_REQUEST_DENIED).

That sounds serious enough. Do you have a trace log for that?

-- 

  / daniel.haxx.se

Benjamin Krajmalnik | 7 Jun 2012 19:45

Re: Issue connecting to Netscreen/Juniper devices

Daniel, I do not.  I am running on a Windows environment from a DLL
created by Guenter, so I do not know if trace is enabled on it or not.
If you would like, I can give you access to a device which is
exhibiting this problem so you can check first hand anything you need.

On Thu, Jun 7, 2012 at 2:03 AM, Daniel Stenberg <daniel@...> wrote:
> On Wed, 6 Jun 2012, Benjamin Krajmalnik wrote:
>
>> From what I can see anytime we try to create a pseudoterminal we are
>> getting an error -22 (LIBSSH2_ERROR_CHANNEL_REQUEST_DENIED).
>
>
> That sounds serious enough. Do you have a trace log for that?
>
> --
>
>  / daniel.haxx.se

Daniel Stenberg | 7 Jun 2012 19:56

Re: Issue connecting to Netscreen/Juniper devices

On Thu, 7 Jun 2012, Benjamin Krajmalnik wrote:

> Daniel, I do not.  I am running on a Windows environment from a DLL created
> by Guenter, so I do not know if trace is enabled on it or not. If you would
> like, I can give you access to a device which is exhibiting this problem so 
> you can check first hand anything you need.

I can't guarantee anything but I could certainly try to give a shot! Feel free 
to contact me off-list if you'd prefer that for this sort of info.

-- 

  / daniel.haxx.se

Benjamin Krajmalnik | 8 Jun 2012 04:44

Re: Issue connecting to Netscreen/Juniper devices

Daniel,

I may have found something which may point us in the right direction.
Per Juniper Release notes:

Addressed Issues in ScreenOS 5.4.0r24 (highest version release for NS50):
677457 – Open SSH 5.8 client with pty-req greater than 256 bytes fails
with “PTY allocation request failed” error.

We were getting an access denied, but maybe it is the same.
I will try to have the firmware on one of the problematic devices
upgraded to this release to see if it fixes the problem, but if we can
see if the req > 256 bytes then we at least know what is causing the
problem.

>
> I can't guarantee anything but I could certainly try to give a shot! Feel
> free to contact me off-list if you'd prefer that for this sort of info.
>
>
> --
>
>  / daniel.haxx.se
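
To check a request against the 256-byte figure quoted from the release note, the size of a pty-req can be computed from the RFC 4254 section 6.2 wire layout. The following is an added example, not code from this thread or from libssh2; the 50-entry modes string is constructed, and treating the SSH_MSG_CHANNEL_REQUEST payload as the thing the device measures is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SSH_MSG_CHANNEL_REQUEST 98 /* RFC 4254 message number */
#define TTY_OP_END 0               /* terminates the encoded modes string */

static size_t put_u32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
    return 4;
}
static size_t put_str(uint8_t *p, const void *s, size_t n) {
    put_u32(p, (uint32_t)n);            /* SSH string: uint32 length + bytes */
    if (n) memcpy(p + 4, s, n);
    return 4 + n;
}

/* Encode a pty-req payload; returns its length, or 0 if it exceeds cap. */
size_t build_pty_req(uint8_t *buf, size_t cap, uint32_t chan, const char *term,
                     uint32_t cols, uint32_t rows, uint32_t wpx, uint32_t hpx,
                     const uint8_t *modes, size_t modes_len) {
    size_t tl = strlen(term), n = 0;
    if (41 + tl + modes_len > cap) return 0; /* 41 = all fixed-size fields */
    buf[n++] = SSH_MSG_CHANNEL_REQUEST;
    n += put_u32(buf + n, chan);             /* recipient channel */
    n += put_str(buf + n, "pty-req", 7);
    buf[n++] = 1;                            /* want_reply */
    n += put_str(buf + n, term, tl);         /* TERM value, e.g. "vt100" */
    n += put_u32(buf + n, cols); n += put_u32(buf + n, rows);
    n += put_u32(buf + n, wpx);  n += put_u32(buf + n, hpx);
    n += put_str(buf + n, modes, modes_len); /* encoded terminal modes */
    return n;
}

/* Constructed modes blob: count (opcode, uint32) pairs, then TTY_OP_END. */
size_t fill_modes(uint8_t *m, size_t count) {
    size_t n = 0;
    for (size_t i = 0; i < count; i++) {
        m[n++] = (uint8_t)(i + 1);           /* placeholder opcode */
        n += put_u32(m + n, 0);
    }
    m[n++] = TTY_OP_END;
    return n;
}

int main(void) {
    uint8_t pkt[512], modes[512];
    size_t bare = build_pty_req(pkt, sizeof pkt, 0, "vanilla", 80, 24, 0, 0, NULL, 0);
    size_t ml = fill_modes(modes, 50);
    size_t full = build_pty_req(pkt, sizeof pkt, 0, "xterm", 80, 24, 0, 0, modes, ml);
    printf("empty modes: %zu bytes; 50 modes: %zu bytes\n", bare, full);
    return 0;
}
```

A request with a zero-length modes string, as in the call posted at the start of the thread, encodes to a few dozen bytes; only a long modes string pushes the payload past 256.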

Guenter | 8 Jun 2012 02:56

Re: Issue connecting to Netscreen/Juniper devices

Hi,
On 07.06.2012 19:45, Benjamin Krajmalnik wrote:
> Daniel, I do not.  I am running on a Windows environment from a DLL
> created by Guenter, so I do not know if trace is enabled on it or not.
no, since it's a release build ...

I can create a libssh2 statically linked library with debug trace 
enabled for ya if that helps;
but it's really simple to build it yourself, as others also already suggested;
its nothing more than downloading one archive from me which contains 
everything of MinGW you need + the libssh2 sources (daily snapshot for a 
simple start, or git clone);
then one command to compile it, and done ...; oh, well almost: you also 
need the dependency openssl, but I can provide that to you too ...
I'm glad to help you setting up this stuff - feel free to contact me 
directly.
Also think of the benefits: you're always able to check latest stuff, 
and if we can nail a bug + fix it then this becomes important so that 
you can verify the fix .....

Gün.
