[cisco-voip] openSSH / SFT / DRS important FYI

Ed Leatherman ealeatherman at gmail.com
Thu Jun 2 07:41:20 EDT 2016


Thanks for the heads up Ryan, I'm sure I'd have hit this one sooner or later.

On Wed, Jun 1, 2016 at 7:10 PM, Ryan Huff <ryanhuff at outlook.com> wrote:

> This is an important FYI for anyone that uses OpenSSH, and by extension
> any software that uses OpenSSH. A coworker and I discovered this issue
> today by way of using Linux with OpenSSH as an SFTP>DRS target for UC
> Manager.
>
>
> Applied to context: in the new OpenSSH 7.2p2, which you'll likely run into
> in recent, package managed Linux distributions (Ubuntu, Debian .... etc)
> OpenSSH has disabled weak crypto ciphers by default. Specifically: aes128-cbc,
> 3des-cbc, blowfish-cbc (and the use of no cipher) which as of CUCM
> 11.0.1.21900-11 are still being used.
>
>
> If you hit this issue:
>
>
> In UC Manager if you try to add a backup device that uses OpenSSH 7.2p2
> you'll get, "unable to access SFTP server. Please check username and
> password". That's because it is failing the key exchange with the OpenSSH
> server and getting spanked.
>
>
> On the OpenSSH side, if you look in the output log (in Linux it is
> typically /var/log/auth.log) you'll see, "Jun  1 14:06:34 SERVER_HOST
> sshd[23578]: fatal: Unable to negotiate with XXX.XXX.XXX.XXX port 33934: no
> matching cipher found. Their offer: aes128-cbc,none,3des-cbc,blowfish-cbc
> [preauth]". The OpenSSH output is handy because it tells you exactly what
> the peer (UC Manager in this case) is looking for.
>
>
> The solution is to add support for 1 or more of these ciphers back into
> the OpenSSH server configuration. Typical Linux distributions have this at
> /etc/ssh/sshd_config and it looks like, "Ciphers
> aes128-cbc,3des-cbc,blowfish-cbc". Just to err on the side of caution I
> would add a few of the ciphers that UC Manager is looking for.
>
>
> Hope this saves some pain,
>
> = Ryan =
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
>


-- 
Ed Leatherman
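An added example, not part of either message above: a small POSIX sh audit of an sshd_config for the Ciphers directive Ryan describes. It also flags the caveat a practitioner wants here: the quoted line "Ciphers aes128-cbc,3des-cbc,blowfish-cbc" replaces OpenSSH's default cipher set, so every client of that server, not only UC Manager, is limited to those CBC ciphers. OpenSSH 7.x accepts a "+" prefix on Ciphers that appends to the defaults instead, which keeps strong ciphers available for other clients. The sample config files are constructed for the demo, and the CUCM cipher list is taken from the auth.log line quoted in the post.

```shell
#!/bin/sh
# Added example (not from the original post or from Cisco/OpenSSH): audit an
# sshd_config for the Ciphers directive and distinguish "append to defaults"
# from "replace defaults". Needs only POSIX sh, grep, sed, tr.

# Ciphers UC Manager offered in the auth.log line quoted in the post.
# "none" is also offered but cannot be enabled in stock OpenSSH, so it is
# not something the server side can satisfy.
CUCM_CIPHERS="aes128-cbc 3des-cbc blowfish-cbc"

ciphers_directive() {
    # sshd_config uses the FIRST active value for a keyword, so take the
    # first uncommented "Ciphers" line and print its value (empty = defaults).
    grep -i '^[[:space:]]*ciphers[[:space:]]' "$1" | head -n 1 \
        | sed 's/^[[:space:]]*[^[:space:]]*[[:space:]]*//'
}

cipher_mode() {
    # default: no directive; append: "+list"; remove: "-list";
    # replace: plain list that discards the built-in defaults.
    v=$(ciphers_directive "$1")
    case "$v" in
        "") echo default ;;
        +*) echo append ;;
        -*) echo remove ;;
        *)  echo replace ;;
    esac
}

has_cipher() {
    # Is cipher $2 listed in the Ciphers directive of file $1?
    v=$(ciphers_directive "$1" | sed 's/^[+-]//' | tr ',' ' ')
    for c in $v; do
        [ "$c" = "$2" ] && return 0
    done
    return 1
}

audit() {
    # 0: a CUCM cipher is enabled without replacing the defaults
    # 1: nothing UC Manager offers is enabled (expect "no matching cipher
    #    found ... Their offer: aes128-cbc,none,3des-cbc,blowfish-cbc")
    # 2: CUCM cipher enabled, but the line replaces the default set for
    #    all clients of this server
    found=0
    for c in $CUCM_CIPHERS; do
        has_cipher "$1" "$c" && found=1
    done
    mode=$(cipher_mode "$1")
    if [ "$found" -eq 0 ]; then
        echo "no CUCM cipher enabled; DRS backup will fail cipher negotiation"
        return 1
    elif [ "$mode" = replace ]; then
        echo "CUCM cipher enabled, but Ciphers replaces the defaults for every client"
        return 2
    fi
    echo "CUCM cipher enabled, appended to the default cipher set"
    return 0
}

# Constructed sample configs (not from a real server).
TMP=${TMPDIR:-/tmp}/sshd_audit.$$
mkdir -p "$TMP"
trap 'rm -rf "$TMP"' EXIT
printf 'Port 22\n# Ciphers aes128-cbc\nSubsystem sftp /usr/lib/openssh/sftp-server\n' > "$TMP/stock.conf"
printf 'Ciphers aes128-cbc,3des-cbc,blowfish-cbc\n' > "$TMP/replace.conf"
printf 'Ciphers +aes128-cbc,3des-cbc\n' > "$TMP/append.conf"

for f in stock replace append; do
    printf '%s: ' "$f"
    audit "$TMP/$f.conf" || true
done
```

Run it against a real file by pointing audit at /etc/ssh/sshd_config; after any change, "sshd -t" validates the file and "sshd -T" prints the effective cipher list the server will actually negotiate.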