SSH password authentication fails after OpenSSH upgrade

After a recent OpenSSH upgrade on SonicWall devices, users may find that SSH connections established via SSH client applications (such as SecureCRT) no longer accept password-based authentication. The SSH session may connect but fail to authenticate, hang at the password prompt, or disconnect immediately without accepting credentials.

This behavior was introduced by an OpenSSH upgrade that disabled support for password-based authentication during SSH session establishment.

Affected Versions

• SonicOS 7.3.0 and above
• SonicOS 8.2.0 and above

Symptoms

• SSH connections via SecureCRT or similar clients fail at the password authentication step
• The SSH session may appear to connect but immediately disconnect or loop
• No error is displayed on the device itself
• Other SSH client behaviors (key-based auth, if configured) may continue to work

Cause

An OpenSSH upgrade applied to SonicWall devices disabled password authentication when establishing an SSH connection. This is a behavioral change in how OpenSSH handles authentication negotiation.

Workaround: SecureCRT Logon Action

A workaround is available for users connecting via SecureCRT. By configuring a Logon Action on the SSH session, SecureCRT can handle the credential exchange in a way that is compatible with the updated OpenSSH behavior.

Steps to Configure Logon Action in SecureCRT

1. Open SecureCRT and locate the affected session in the Session Manager.
2. Right-click the session and select Properties.
3. In the left-hand navigation tree, navigate to Connection | Logon Actions.
4. Click Add to create a new Logon Action.
5. Configure the action to send the appropriate credentials at the expected prompt.
   1. Select the Expect Field to match Password prompt string (e.g., Password: or password:).
   2. Select the Sendfield to the password or use a SecureCRT variable such as %PASSWORD%.
6. Click OK to save the session settings.
7. Reconnect to the SonicWall device using the updated session.
   
   Tip: For additional references, see the official SecureCRT documentation: Tips - SecureCRT Log On Options

Note: This workaround applies to SecureCRT specifically. Users of other SSH clients should refer to their client's documentation for equivalent scripted logon or keyboard-interactive authentication options.