[cisco-voip] openSSH / SFT / DRS important FYI

Anthony Holloway avholloway+cisco-voip at gmail.com
Thu Jun 2 16:26:56 EDT 2016


Well, if you're offering up *anything*, I'll do you one better.  Back in
October 2015 I posted a how-to article on installing OpenSSH on Windows via
Cygwin, and it has the Cipher fix in it.

http://markmail.org/message/mxfuwonzkoocywqx



On Thu, Jun 2, 2016 at 8:56 AM, Lelio Fulgenzi <lelio at uoguelph.ca> wrote:

>
> Ditto from me.
>
> I think we all owe you a beer, Ryan.
>
> I say we all get together at Cisco Live and buy Ryan whatever he wants.
>
> Lelio
>
>
> ---
> Lelio Fulgenzi, B.A.
> Senior Analyst, Network Infrastructure
> Computing and Communications Services (CCS)
> University of Guelph
>
> 519‐824‐4120 Ext 56354
> lelio at uoguelph.ca
> www.uoguelph.ca/ccs
> Room 037, Animal Science and Nutrition Building
> Guelph, Ontario, N1G 2W1
>
> ------------------------------
> *From: *"Ed Leatherman" <ealeatherman at gmail.com>
> *To: *"Ryan Huff" <ryanhuff at outlook.com>
> *Cc: *"cisco voip" <cisco-voip at puck.nether.net>
> *Sent: *Thursday, June 2, 2016 7:41:20 AM
> *Subject: *Re: [cisco-voip] openSSH / SFT / DRS important FYI
>
>
> Thanks for the heads up, Ryan. I'm sure I'd have hit this one sooner or
> later.
>
> On Wed, Jun 1, 2016 at 7:10 PM, Ryan Huff <ryanhuff at outlook.com> wrote:
>
>> This is an important FYI for anyone that uses OpenSSH, and by extension
>> any software that uses OpenSSH. A coworker and I discovered this issue
>> today by way of using Linux with OpenSSH as a SFTP>DRS target for UC
>> Manager.
>>
>>
>> Applied to context: in the new OpenSSH 7.2p2, which you'll likely run
>> into in recent, package-managed Linux distributions (Ubuntu, Debian,
>> etc.), OpenSSH has disabled weak crypto ciphers by default. Specifically:
>> aes128-cbc, 3des-cbc, blowfish-cbc (and the use of no cipher), which as of
>> CUCM 11.0.1.21900-11 are still being used.
>>
>>
>> If you hit this issue:
>>
>>
>> In UC Manager, if you try to add a backup device that uses OpenSSH 7.2p2
>> you'll get "unable to access SFTP server. Please check username and
>> password". That's because it is failing the key exchange with the OpenSSH
>> server and getting spanked.
>>
>>
>> On the OpenSSH side, if you look in the output log (in Linux it is
>> typically /var/log/auth.log) you'll see, "Jun  1 14:06:34 SERVER_HOST
>> sshd[23578]: fatal: Unable to negotiate with XXX.XXX.XXX.XXX port 33934: no
>> matching cipher found. Their offer: aes128-cbc,none,3des-cbc,blowfish-cbc
>> [preauth]". The OpenSSH output is handy because it tells you exactly
>> what the peer (UC Manager in this case) is looking for.
>>
>>
>> The solution is to add support for one or more of these ciphers back into
>> the OpenSSH server configuration. Typical Linux distributions have this at
>> /etc/ssh/sshd_config, and it looks like "Ciphers
>> aes128-cbc,3des-cbc,blowfish-cbc". Just to err on the side of caution, I
>> would add a few of the ciphers that UC Manager is looking for.
>>
>>
>> Hope this saves some pain,
>>
>> = Ryan =
>>
>> _______________________________________________
>> cisco-voip mailing list
>> cisco-voip at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>
>>
>
>
> --
> Ed Leatherman
>
>
>
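The procedure Ryan describes above (read the sshd "no matching cipher found" line, then re-enable the ciphers it names in sshd_config), as an added shell example that is not part of the original thread. The log line is constructed on the model of the one quoted in the thread, the server's cipher list is embedded so the script runs offline (on a real host it would come from `ssh -Q cipher`), and the peer address 192.0.2.10 is a placeholder. The script deliberately drops `none` from the peer's offer rather than re-enabling it, and emits the `Ciphers +...` form, which 7.2p2 accepts, so the server's default ciphers stay in place instead of being replaced by the legacy ones.

```shell
#!/bin/sh
# Added example (not from the original post): turn the sshd
# "no matching cipher found ... Their offer: ..." log line into a minimal
# "Ciphers +..." line for /etc/ssh/sshd_config.

# Constructed sample log line, modelled on the one quoted in the thread.
SAMPLE_LOG='Jun  1 14:06:34 SERVER_HOST sshd[23578]: fatal: Unable to negotiate with 192.0.2.10 port 33934: no matching cipher found. Their offer: aes128-cbc,none,3des-cbc,blowfish-cbc [preauth]'

# Ciphers this server can do. Assumed OpenSSH 7.2-era list, embedded so the
# script runs offline; on a real host use: SERVER_CIPHERS=$(ssh -Q cipher)
SERVER_CIPHERS='3des-cbc blowfish-cbc cast128-cbc arcfour arcfour128 arcfour256 aes128-cbc aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com chacha20-poly1305@openssh.com'

# offered_ciphers LOGLINE -> comma-separated list the peer offered, peer order
offered_ciphers() {
    printf '%s\n' "$1" | sed -n 's/.*Their offer: \([^ ]*\).*/\1/p'
}

# pick_ciphers OFFER -> comma-separated subset of the offer that this server
# supports, strongest first. "none" is never selected: it would disable
# encryption for the session entirely.
pick_ciphers() {
    offer="$1"
    chosen=''
    # Preference order: AES before 3DES before Blowfish; only the CBC modes
    # CUCM actually sends are listed here.
    for c in aes256-cbc aes192-cbc aes128-cbc 3des-cbc blowfish-cbc; do
        case ",$offer," in *",$c,"*) ;; *) continue ;; esac
        case " $SERVER_CIPHERS " in *" $c "*) ;; *) continue ;; esac
        chosen="${chosen:+$chosen,}$c"
    done
    printf '%s\n' "$chosen"
}

# sshd_ciphers_line OFFER -> the line to append to /etc/ssh/sshd_config.
# The "+" prefix appends to OpenSSH's default cipher set; a bare
# "Ciphers aes128-cbc,..." line would replace the defaults and leave the
# server offering nothing but legacy CBC ciphers to every client.
sshd_ciphers_line() {
    printf 'Ciphers +%s\n' "$(pick_ciphers "$1")"
}

main() {
    offer=$(offered_ciphers "$SAMPLE_LOG")
    echo "peer offered: $offer"
    echo "append to sshd_config: $(sshd_ciphers_line "$offer")"
    echo "# then validate and reload: sshd -t && systemctl reload ssh"
}

if [ "${1-}" = "--run" ]; then main; fi
```

Run it with `--run` to see the generated line; check the edited file with `sshd -t` before reloading and confirm the effective list with `sshd -T | grep -i ciphers`. One caveat the thread does not mention: `Ciphers` is a global keyword in sshd_config (it is not among the keywords accepted inside a `Match` block), so once added, the CBC ciphers are negotiable by every client of that server, not just UC Manager. Keep the host dedicated to backups or at least confine the CUCM account with `Match User`, `ForceCommand internal-sftp` and `ChrootDirectory`, and restrict reachability of port 22 to the CUCM nodes.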

