Hello All, I have weird issues going on with my SRX300-[15.1X49-D170.4] .. I have a user login 'admin' that can log in fine through the PUBLIC interface, but not the internal interface.. This configuration came from an SRX240 which I just replaced. I changed all the configuration that it didn't like such as vlan.X to irb.X and all the DHCP changes. Plugged the device in and all the rules and tunnels came up fine. The only thing that doesn't work is logging in via ssh to an internal interface in my trust zone. Not sure how the SSH login process differs based on the interface you're logging into?
Everything I've seen has been related to root access. I have the same issue with that account as in the above example as well. I did notice that updated passwords had a longer hash key, so I updated the password on the admin account to match. Still have same issue. I haven't rebooted the device for fear of it locking out all accounts on all interfaces. I have checked:
show system login lockout
User accounts not locked
>>>>>> Logging to the device via internal IP address
Using username "admin".
Using keyboard-interactive authentication.
Password:
Using keyboard-interactive authentication.
pam_unix: pam_sm_authenticate: UNIX authentication refused
Access denied
Using keyboard-interactive authentication.
Password:
>>>>>> Logging to the device via external public IP.
Using username "admin".
Using keyboard-interactive authentication.
Password:
Last login: Tue Mar 5 05:59:13 2019 from XX.XX.XX.XX
--- JUNOS 15.1X49-D170.4 built 2019-02-22 22:34:42 UTC
admin@XXXXX.SRX300>
I can log into the web interface internally fine with the same admin account as well. Not sure what to look out to be honest.
No one else logged in at the moment.. Not sure how something from an OS level would affect users logging into device. I can see if you're going to shell via root or something. Something specific to the inbound interface accepting the connection and the OS PAM module is affecting this is my guess..? Maybe a bug?
set security zones security-zone PUBLIC screen untrust-screen
set security zones security-zone PUBLIC host-inbound-traffic system-services ssh
set security zones security-zone PUBLIC host-inbound-traffic system-services ping
set security zones security-zone PUBLIC interfaces ge-0/0/0.0
<<<<< INTERNAL >>>>>>
set security zones security-zone GREEN host-inbound-traffic system-services all
set security zones security-zone GREEN interfaces irb.1001 host-inbound-traffic system-services all
set security zones security-zone GREEN interfaces ge-0/0/3.0 host-inbound-traffic system-services all
set security zones security-zone GREEN interfaces ge-0/0/3.0 host-inbound-traffic protocols all
OK OK OK ... I'm an idiot.. In my SSH management for this one particular connection, I had another device IP in the configuration. I've been working with that client's devices and its IP just stuck in my head. There is NO problem, I was connecting to the wrong device for which the admin account had a different password.
So, if there is a wall of shame for bonehead mistakes, please place me at the top !!!!