10.5.11. Troubleshooting ssh access to the firewall

The built-in policy installer will not work if ssh access to the firewall is not working. Test it using this command on Linux (assuming you user "fwadmin" to manage the firewall):

ssh -l fwadmin firewall

If you use the root account to manage the firewall, the command becomes

ssh -l root firewall

On Windows use putty.exe or plink.exe to do this:

C:\Users\vadim>c:\PuTTY\plink.exe -l fwadmin firewall
C:\Users\vadim>c:\PuTTY\plink.exe -l root firewall

If you cannot log in using ssh at this point, verify that the ssh daemon is working on the firewall, that the existing firewall policy does not block ssh access and that ssh daemon configuration in /etc/ssh/sshd_config permits login for root (if you plan to use the root account to manage the policy).

You may get the following error in the installer output (the same error appears if you try to test using SCP or pscp.exe from the command line):

SCP: warning: Executing SCP1 compatibility. 
SCP: FATAL: Executing ssh1 in compatibility mode failed (Check that SCP1 is in your PATH). 
Lost connection 
SSH session terminated, exit status: 1

This error may happen when you run fwbuilder on any platform; it is not specific to putty/pscp.

This error means SCP or pscp.exe was able to connect to the firewall but encountered ssh protocol version mismatch. ssh tried to switch back to ssh1 compatibility mode, but failed. Here is an explanation of the problem: http://www.snailbook.com/faq/SCP-ossh-to-ssh2.auto.html. This really has nothing to do with fwbuilder or even SCP/putty/pscp on the client side. This happens if you have two versions of ssh package installed on the firewall. ssh daemon accepts connection from pscp with ssh protocol v2, starts SCP utility (still on the firewall) but the SCP utility it gets is from the other package and is probably an older version that does not support ssh2 protocol. To resolve this, try switching to sftp. Here is how to test this from the command line. First, reproduce the error:

C:\Users\vadim>c:\PuTTY\pscp.exe test.txt root@firewall:

If this command works, then it should work from inside fwbuilder too. However if you get an error saying SCP: FATAL: Executing ssh1 in compatibility mode failed , try to use sftp.


For this to work, sftp should be enabled on the server side. There are many resources on the web that explain how to do this, for example this article. See also the man page for sshd_config and search for "Subsystem" in it.

C:\Users\vadim>c:\PuTTY\pscp.exe -sftp test.txt root@firewall:


Note that there is only one '-' in front of "sftp" here.

If this works, then you need to add "-sftp" to the list of additional command line parameters for SCP in the "Installer" tab of the firewall object dialog as explained above.

Another common source of problems with SCP and pscp.exe is described in this SSH FAQ. When you use SCP to transfer a file, it actually launches a login shell on the server side. So if your shell initialization script (.profile, .bashrc, .cshrc, etc) produces any kind of output, SCP gets confused and fails.


Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.
 Using free CSS Templates.