Switching

  • 1.  Trouble with SSH

    Posted 10-14-2015 06:46

    I am not able to regenerate SSH keys on an ex4200 that I zeroed out. I can write the keys to /root/.ssh, but apparently they need to go to /etc/ssh/. When I try to write them to /etc/ssh I get "open /etc/ssh/ssh_host_rsa_key failed: Read-only file system." I am not able to use chmod to change the permissions. Has anyone else run into this?



  • 2.  RE: Trouble with SSH

     
    Posted 10-14-2015 07:24

    Hello,

     

    Which OS version are you running on the EX switches?

    I remember there was a bug similar to this.

    Can you upgrade to 12.3R4 & check?

     

    Regards,

     

    Rushi



  • 3.  RE: Trouble with SSH
    Best Answer

    Posted 10-14-2015 07:59

    GOT IT! On a hunch I rebooted the switch and broke the boot sequence. I entered single user mode by typing "boot -s". From there I was able to "chmod +rwx /etc/ssh" and then reboot. Once the switch came up I then entered "start shell user root" and the root password. From there I was able to generate a new ssh key by typing "ssh-keygen -t rsa -f /etc/ssh/" and it worked.



  • 4.  RE: Trouble with SSH

    Posted 10-15-2015 09:54

    Here is a write up I did after recreating the problem a few times.

     

    Problem: When trying to SSH into the Juniper, you get this error on your PC:

                  "ssh_exchange_identification: Connection closed by remote host"

    *This is on a fresh switch that was completely zeroed. Zeroing will remove necessary files needed for SSH.
       
    SOLUTION:
    1. From the CLI type "start shell user root" and enter the root password.

    2. Enter "/usr/sbin/sshd" from the shell and see if you get errors.
        A. If you get these errors go to step 3:
                   "Could not load host key: /etc/ssh/ssh_host_rsa_key
                    Could not load host key: /etc/ssh/ssh_host_dsa_key
                    Could not load host key: /etc/ssh/ssh_host_ecdsa_key
                    Disabling protocol version 2. Could not load host key
                    Sshd: no hostkeys available -- exiting"

        B. If you get this error go to step 4:
                    "Missing privilege separation directory: /var/empty"

    3. Create new key by entering "ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key"
       -If you get "read-only filesystem" error follow these steps:
        A. Type "chmod +rwx /etc/ssh/" in the shell then try again to generate the key.
           If you get the same "read-only filesystem" message continue:
        B. Reboot the switch and pay close attention. Hit the SPACE BAR when you see:
           "Hit [Enter] to boot immediately, or space bar for command prompt."
        C. Enter "boot -s" to boot into single user mode.
        D. When prompted hit ENTER "for /bin/sh"
        E. When the shell is ready enter "chmod +rwx /etc/ssh/" to allow read, write and execute in the folder.
        F. Reboot the switch by entering "reboot" in the shell.
        G. Login to the switch and start the shell as root.
        H. Enter "ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key" in the shell.
        I. When prompted, choose "y" to overwrite and leave the passphrase blank.

    4. Create the missing directory by entering "mkdir /var/empty" in the shell.

    5. Again enter "/usr/sbin/sshd" in the shell to confirm errors have gone away.

    6. SSH from your computer like a boss.



  • 5.  RE: Trouble with SSH

    Posted 03-24-2016 21:07

    Another solution, without a reboot, similar to the above:

     

    Run "/usr/sbin/sshd" from the shell as root and review the errors:

                   "Could not load host key: /etc/ssh/ssh_host_rsa_key
                    Could not load host key: /etc/ssh/ssh_host_dsa_key
                    Could not load host key: /etc/ssh/ssh_host_ecdsa_key
                    Disabling protocol version 2. Could not load host key
                    Sshd: no hostkeys available -- exiting"

     

    Solution that worked for me: perform keygen and overwrite for each error, so for the above:

    as root from shell:

    "ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key"

    "ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key"

    "ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key"

     

    Run "/usr/sbin/sshd" from the shell as root: there should be no errors or complaints. SSH works now.
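
The checks walked through in posts 4 and 5, gathered into one read-only audit. This is an added example, not part of any post in the thread or Juniper's own tooling: the function name `check_sshd_prereqs` and its output format are hypothetical, and the permission check on the private keys goes beyond what the posts cover (sshd refuses a private host key that group or other can access).

```shell
#!/bin/sh
# Added example: read-only audit of what sshd needs before it will start.
# check_sshd_prereqs and its output format are hypothetical.

# Usage: check_sshd_prereqs [keydir] [privsep_dir]
# Prints one finding per line; returns 0 only if nothing is wrong.
check_sshd_prereqs() {
    keydir=${1:-/etc/ssh}
    privsep=${2:-/var/empty}
    rc=0
    # Key types taken from the sshd errors quoted in the thread.
    for type in rsa dsa ecdsa; do
        key="$keydir/ssh_host_${type}_key"
        if [ ! -s "$key" ]; then
            echo "MISSING $key (fix: ssh-keygen -t $type -f $key)"
            rc=1
            continue
        fi
        # Characters 5-10 of the ls mode string are the group/other bits.
        # A private host key must not be accessible to group or other.
        bits=$(ls -ld "$key" | cut -c5-10)
        if [ "$bits" != "------" ]; then
            echo "OPEN_PERMS $key (fix: chmod 600 $key)"
            rc=1
        else
            echo "OK $key"
        fi
    done
    # sshd also needs its privilege separation directory.
    if [ -d "$privsep" ]; then
        echo "OK $privsep"
    else
        echo "MISSING $privsep (fix: mkdir $privsep)"
        rc=1
    fi
    return $rc
}

# Audit the live paths only when the script is invoked with "run".
if [ "${1:-}" = "run" ]; then check_sshd_prereqs; fi
```

The function changes nothing on the device; it only lists which of the fixes from the thread still apply.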