[cisco-voip] openSSH / SFT / DRS important FYI

Adam Frankel adamgfrankel at gmail.com
Tue Jun 7 13:02:51 EDT 2016


Thanks Baha.  Appreciate the insight.  Are you aware if this fix will be
available in 10.5(2)?

On Tue, Jun 7, 2016 at 6:58 AM, Baha Akman <makman at cisco.com> wrote:

> Ryan thanks for the heads up.
>
> For those who would like to NOT run with the old CBC-based ciphers and
> keep modifying your sshd_config on the server side, track these defects;
> once you upgrade to versions where they are fixed, you won’t have to use
> CBC-based ciphers for various UCM tasks.
>
> CSCur98596<https://bst.cloudapps.cisco.com/bugsearch/bug/CSCur98596> -
> DRS support for aes256-ctr ciphers
>
> CSCux74884<https://bst.cloudapps.cisco.com/bugsearch/bug/CSCux74884> -
> Platform CLI file get command ssh client Ciphers needs to be updated
>
> Cheers,
>
> Baha
>
>
>
> On Jun 2, 2016, at 7:41 AM, Ed Leatherman <ealeatherman at gmail.com> wrote:
>
> Thanks for the heads up, Ryan. I'm sure I'd have hit this one sooner or
> later.
>
> On Wed, Jun 1, 2016 at 7:10 PM, Ryan Huff <ryanhuff at outlook.com> wrote:
>
> This is an important FYI for anyone who uses OpenSSH, and by extension
> any software that uses OpenSSH. A coworker and I discovered this issue
> today by way of using Linux with OpenSSH as an SFTP>DRS target for UC
> Manager.
>
>
> Applied to context: in the new OpenSSH 7.2p2, which you'll likely run into
> in recent, package-managed Linux distributions (Ubuntu, Debian, etc.),
> OpenSSH has disabled weak crypto ciphers by default. Specifically:
> aes128-cbc, 3des-cbc, blowfish-cbc (and the use of no cipher), which as of
> CUCM 11.0.1.21900-11 are still being used.
>
>
> If you hit this issue:
>
>
> In UC Manager, if you try to add a backup device that uses OpenSSH 7.2p2,
> you'll get "unable to access SFTP server. Please check username and
> password". That's because it is failing the key exchange with the OpenSSH
> server and getting spanked.
>
>
> On the OpenSSH side, if you look in the output log (in Linux it is
> typically /var/log/auth.log), you'll see "Jun  1 14:06:34 SERVER_HOST
> sshd[23578]: fatal: Unable to negotiate with XXX.XXX.XXX.XXX port 33934: no
> matching cipher found. Their offer: aes128-cbc,none,3des-cbc,blowfish-cbc
> [preauth]". The OpenSSH output is handy because it tells you exactly what
> the peer (UC Manager in this case) is looking for.
>
>
> The solution is to add support for one or more of these ciphers back into
> the OpenSSH server configuration. Typical Linux distributions have this at
> /etc/ssh/sshd_config, and it looks like "Ciphers
> aes128-cbc,3des-cbc,blowfish-cbc". Just to err on the side of caution, I
> would add a few of the ciphers that UC Manager is looking for.
>
>
> Hope this saves some pain,
>
> = Ryan =
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
>
>
>
> --
> Ed Leatherman
>
>
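The procedure in Ryan's message (read the peer's offer out of the sshd log, then change the Ciphers line in sshd_config) carried through as an added example. This script is not part of the thread and is not Cisco or OpenSSH tooling; the log line, the peer address 192.0.2.10, the sample config and the fallback cipher list are all constructed for the example. It assumes OpenSSH 7.0 or later, where a "+" prefix on Ciphers appends to the default list instead of replacing it (so it applies to the 7.2p2 in the thread), and that "ssh -Q cipher" is available to list what the local build supports. It adds two caveats the thread does not spell out: "none" in the peer's offer is not something sshd can enable, so it is dropped; and a bare "Ciphers aes128-cbc,3des-cbc,blowfish-cbc" line replaces the default cipher set for every client of that host, so the fragment appends only the strongest cipher the peer offers and the audit function flags the replacing form.

```shell
#!/bin/sh
# Added example (not from the thread): turn the sshd "no matching cipher"
# log line into a minimal, append-only sshd_config change, and audit an
# existing config for a Ciphers line that replaces the defaults outright.

# Constructed sample log line in the format quoted in the thread;
# 192.0.2.10 stands in for the UC Manager address.
SAMPLE_LOG='Jun  1 14:06:34 SERVER_HOST sshd[23578]: fatal: Unable to negotiate with 192.0.2.10 port 33934: no matching cipher found. Their offer: aes128-cbc,none,3des-cbc,blowfish-cbc [preauth]'

# Constructed sshd_config snippet with the line from the thread pasted in
# verbatim, i.e. the form that REPLACES the default cipher list for all clients.
SAMPLE_CONFIG='Port 22
Ciphers aes128-cbc,3des-cbc,blowfish-cbc
PasswordAuthentication yes'

# Cipher list the peer offered, taken from the "Their offer:" field.
offered_ciphers() {
    printf '%s\n' "$1" | sed -n 's/.*Their offer: \([^ ]*\).*/\1/p'
}

# Address of the peer that sshd refused.
peer_address() {
    printf '%s\n' "$1" | sed -n 's/.*Unable to negotiate with \([^ ]*\) port .*/\1/p'
}

# Ciphers this sshd can actually be configured with. "ssh -Q cipher" lists
# them on OpenSSH 6.3+; the fallback is an assumed OpenSSH 7.2 list.
local_supported_ciphers() {
    list=$(ssh -Q cipher 2>/dev/null | tr '\n' ' ')
    [ -n "$list" ] || list='3des-cbc blowfish-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com chacha20-poly1305@openssh.com'
    printf '%s\n' "$list"
}

# Intersect the peer's offer with what sshd supports, in preference order
# (AES-CBC first, then 3DES, then Blowfish). "none" is dropped: sshd has no
# null cipher to enable. $1 = offered list (comma-separated),
# $2 = supported list (space-separated).
select_ciphers() {
    offered=$1; supported=$2; out=''
    for c in aes256-cbc aes192-cbc aes128-cbc 3des-cbc blowfish-cbc; do
        case ",$offered," in *",$c,"*) ;; *) continue ;; esac
        case " $supported " in *" $c "*) ;; *) continue ;; esac
        out="${out:+$out,}$c"
    done
    printf '%s\n' "$out"
}

# First entry of a comma-separated list: the single strongest cipher to add.
strongest_cipher() {
    printf '%s\n' "${1%%,*}"
}

# sshd_config fragment. The "+" prefix (OpenSSH 7.0+) appends to the default
# cipher list instead of replacing it, so other clients keep CTR/GCM/ChaCha.
sshd_fragment() {
    peer=$1; cipher=$2
    printf '# CBC re-enabled only for the UC Manager DRS/SFTP client at %s\n' "$peer"
    printf '# Remove once CSCur98596 / CSCux74884 are fixed in your UCM release.\n'
    printf 'Ciphers +%s\n' "$cipher"
}

# Audit: print every Ciphers line that replaces the defaults (no "+") and
# pins a CBC cipher. Exit status 0 if such a line exists, 1 otherwise.
audit_config() {
    printf '%s\n' "$1" | grep -i '^[[:space:]]*Ciphers[[:space:]]' \
        | grep -v 'Ciphers[[:space:]]*+' | grep -- '-cbc'
}

# Stand-alone run: print the recommended fragment, then audit the sample config.
offer=$(offered_ciphers "$SAMPLE_LOG")
chosen=$(select_ciphers "$offer" "$(local_supported_ciphers)")
if [ -n "$chosen" ]; then
    sshd_fragment "$(peer_address "$SAMPLE_LOG")" "$(strongest_cipher "$chosen")"
else
    echo "peer offered nothing this sshd can enable: $offer" >&2
fi
if audit_config "$SAMPLE_CONFIG" >/dev/null; then
    echo 'warning: Ciphers line replaces the default list; use "Ciphers +..." instead' >&2
fi
```

After appending the fragment to /etc/ssh/sshd_config, run "sshd -t" before restarting so a typo in the cipher name cannot lock you out, then retry the backup device in UC Manager and confirm the "no matching cipher found" line stops appearing in auth.log. Because Ciphers is not accepted inside a Match block, even the "+" form weakens the whole sshd instance, not just the session with UC Manager; keep the host dedicated to the backup role (or run a second sshd on another port for it) and take the line out again once the Cisco defects Baha lists are fixed in your release.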

