<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Great, now he’s going to ask for Macallan 25! I suppose if we split the check it could work!
<o:p></o:p></span></p>
<p class="MsoNormal"><a name="_MailEndCompose"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></a></p>
<span style="mso-bookmark:_MailEndCompose"></span>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> cisco-voip [mailto:cisco-voip-bounces@puck.nether.net]
<b>On Behalf Of </b>Lelio Fulgenzi<br>
<b>Sent:</b> Thursday, June 2, 2016 9:57 AM<br>
<b>To:</b> cisco voip <cisco-voip@puck.nether.net><br>
<b>Subject:</b> Re: [cisco-voip] openSSH / SFT / DRS important FYI<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:black">Ditto from me.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:black">I think we all owe you a beer, Ryan.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:black">I say we all get together at Cisco Live and buy Ryan whatever he wants.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:black">Lelio<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:black">---<br>
Lelio Fulgenzi, B.A.<br>
Senior Analyst, Network Infrastructure<br>
Computing and Communications Services (CCS)<br>
University of Guelph<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:black">519</span><span style="font-size:10.0pt;font-family:"Cambria Math",serif;color:black">‐</span><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:black">824</span><span style="font-size:10.0pt;font-family:"Cambria Math",serif;color:black">‐</span><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:black">4120
Ext 56354<br>
<a href="mailto:lelio@uoguelph.ca">lelio@uoguelph.ca</a><br>
<a href="http://www.uoguelph.ca/ccs">www.uoguelph.ca/ccs</a><br>
Room 037, Animal Science and Nutrition Building<br>
Guelph, Ontario, N1G 2W1<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div class="MsoNormal" align="center" style="text-align:center"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:black">
<hr size="2" width="100%" align="center" id="zwchr">
</span></div>
<div>
<p class="MsoNormal"><b><span style="font-family:"Helvetica",sans-serif;color:black">From:
</span></b><span style="font-family:"Helvetica",sans-serif;color:black">"Ed Leatherman" <<a href="mailto:ealeatherman@gmail.com">ealeatherman@gmail.com</a>><br>
<b>To: </b>"Ryan Huff" <<a href="mailto:ryanhuff@outlook.com">ryanhuff@outlook.com</a>><br>
<b>Cc: </b>"cisco voip" <<a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a>><br>
<b>Sent: </b>Thursday, June 2, 2016 7:41:20 AM<br>
<b>Subject: </b>Re: [cisco-voip] openSSH / SFT / DRS important FYI<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-family:"Helvetica",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Helvetica",sans-serif;color:black">Thanks for the heads up Ryan i'm sure i'd have hit this one sooner or later.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Helvetica",sans-serif;color:black"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-family:"Helvetica",sans-serif;color:black">On Wed, Jun 1, 2016 at 7:10 PM, Ryan Huff <<a href="mailto:ryanhuff@outlook.com" target="_blank">ryanhuff@outlook.com</a>> wrote:<br>
<br>
<o:p></o:p></span></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p style="background:white"><span style="font-family:"Calibri",sans-serif;color:black">This is an important FYI for anyone that uses OpenSSH, and by extension any software that uses OpenSSH. A coworker and I discovered this issue today by way of using Linux
with OpenSSH as a SFTP>DRS target for UC Manager.<o:p></o:p></span></p>
<p style="background:white"><span style="font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
<p style="background:white"><span style="font-family:"Calibri",sans-serif;color:black">Applied to context; in the new OpenSSH 7.2p2, which you'll likely run into in recent, package managed Linux distributions (Ubuntu, Debian .... etc) OpenSSH has disabled weak
crypto ciphers by default. Specifically; aes128-cbc, 3des-cbc,blowfish-cbc (and the use of no cipher) which as of CUCM 11.0.1.21900-11 are still being used.<o:p></o:p></span></p>
<p style="background:white"><span style="font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
<p style="background:white"><span style="font-family:"Calibri",sans-serif;color:black">If you hit this issue:<o:p></o:p></span></p>
<p style="background:white"><span style="font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
<p style="background:white"><span style="font-family:"Calibri",sans-serif;color:black">In UC Manager if you try to add a backup device that uses OpenSSH 7.2p2 you'll get, "unable to access SFTP server. Please check username and password". Thats because it is
failing the key exchange with the OpenSSH server and getting spanked.<o:p></o:p></span></p>
<p style="background:white"><span style="font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
<p style="background:white"><span style="font-family:"Calibri",sans-serif;color:black">On the OpenSSH side, if you look in the output log (in Linux it is typically /var/log/auth.log) you'll see, "Jun 1 14:06:34 SERVER_HOST sshd[23578]: fatal: Unable to negotiate
with XXX.XXX.XXX.XXX port 33934: no matching cipher found. Their offer: aes128-cbc,none,3des-cbc,blowfish-cbc [preauth]". The OpenSSH output is handy because it tells you exactly what the peer (UC Manager in this case) is looking for.<o:p></o:p></span></p>
<p style="background:white"><span style="font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
<p style="background:white"><span style="font-family:"Calibri",sans-serif;color:black">The solution is to add support for 1 or more of these ciphers back into the OpenSSH server configuration. Typical Linux distributions have this at /etc/ssh/sshd_config and
it looks like, "Ciphers aes128-cbc,3des-cbc,blowfish-cbc". Just to err on the side of caution I would add a few of the ciphers that UC Manager is looking for.<o:p></o:p></span></p>
<p style="background:white"><span style="font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
<div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-family:"Calibri",sans-serif;color:black">Hope this saves some pain,<br>
<br>
= Ryan =<o:p></o:p></span></p>
</div>
</div>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-family:"Helvetica",sans-serif;color:black"><br>
_______________________________________________<br>
cisco-voip mailing list<br>
<a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><o:p></o:p></span></p>
</blockquote>
</div>
<p class="MsoNormal"><span style="font-family:"Helvetica",sans-serif;color:black"><br>
<br clear="all">
<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-family:"Helvetica",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-family:"Helvetica",sans-serif;color:black">--
<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-family:"Helvetica",sans-serif;color:black">Ed Leatherman<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span style="font-family:"Helvetica",sans-serif;color:black"><br>
_______________________________________________<br>
cisco-voip mailing list<br>
<a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip">https://puck.nether.net/mailman/listinfo/cisco-voip</a><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
</div>
</div>
</body>
</html>