Few weeks have gone by and I have not written anything for a while **But I still have lots of Drafts in the works. Job has been a bit busy this time of the year so that’s my excuse and I will stick to it š
If you are a UC and Collaboration engineer, you may have under your sleeve few cool solutions to backup your Apps. Well, I have a few too, and I used to crash a lot with the FREE SolarWinds app. But for some reason, this app sometimes fails.
A good solution seems to be a Linux box/VM that you can rely on to always run SSH/SFTP services with no extra applications, just need to make sure the OpenSSH Server is installed. There is some extra configuration, but, if you are like me maybe will find out as you move with configuring your server
The Issue
When configuring a Backup Device you get this message:
“Update failed : Unable to access SFTP server. Please ensure the given SFTP server is a genuine SFTP server”
The Troubleshooting
I opened my SFTP browser on my computer “CyberDuck” and was able to get to the server using SFTP and the user/password combination with no issues
The next step is to see why this thing doesn’t work!!! –
Login to the shell on your Linux server and run the following command
ucadmin@myserver:~$ tail -100 /var/log/auth.log | grep sshd
This command will provide you with the authorization logs and you will be able to see key information, like CUCM is trying to authenticate with diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1 but our SSH/SFTP server is not set to accept this authentication algorithm
Dec 27 12:58:29 myserver sshd[1676]: fatal: Unable to negotiate with xx.xx.xx.xx port 56813: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1 [preauth]
Dec 27 12:58:29 myserver sshd[1678]: fatal: Unable to negotiate with xx.xx.xx.xx port 56814: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1 [preauth]
The Solution
The solution to this is to modify your ssh configuration file, here is the command to get to it
Sudo nano /etc/ssh/sshd_config
Add the following 2 lines to the end of the file
Ciphers 3des-cbc,blowfish-cbc,aes128-cbc,aes128-ctr,aes256-ctr
KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2- nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,diffie-hellman-group- exchange-sha1
This last one did the trick for me… not sure about the others, and with different versions of CUCM you may or may not get different results
diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1
***Note to self and whoever is saying ** Ohh so sweet, he uses nano” –> Yes I use nano text editor… I still have not learned VI, which I keep hearing is the best thing since sliced bread :O
What to Look forward to?
This particular issue may seem like a no big deal for some people… Actually a few days ago it took me quite a while to find the issue + lots of reading on Google š Now that is documented and I have it at my fingertips I believe I will not have to wast more time
About the Author:
Andres Sarmiento, CCIE # 53520 (Collaboration)
With more than 13 years of experience, Andres is specialized in the Unified Communications and Collaboration technologies. Consulted for several companies in South Florida, also Financial Institutions on behalf of Cisco Systems. Andres has been involved in high-profile implementations including Cisco technologies; such as Data Center, UC & Collaboration, Contact Center Express, Routing & Switching, Security and Hosted IPT Service provider infrastructures.
Thanks for this post, very cool explanation of how you’ve gone about troubleshooting to resolve this issue! A word of warning – you’ve now made both your CUCM and SFTP server susceptible to Logjam. Watch out for some of the really weak ciphers that you’ve introduced.
https://blog.gdssecurity.com/labs/2015/8/3/ssh-weak-diffie-hellman-group-identification-tool.html
https://www.openssh.com/legacy.html
I know it’s not always feasible, but it’s really better to upgrade your CUCM to be able to access necessary functionality to negotiate a better set of cipher suites. Alternatively, in your case, settling just for “diffie-hellman-group-exchange-sha1” would have been best, in my opinion.
You are absolutely right Jonathan, Iām looking forward to upgrade to version 11.x for my client, which I know addresses the issue.
I have just recently gone through a security audit exercise for 11.5 for an entire Collab ecosystem, so this knowledge is also fresh in my mind š Please ping me if I can help in any way, esp. with questions relating to TLS 1.0/1.1/1.2 and avoiding common vulnerabilities due to incorrect cipher suites.
Will for sure reach out. After tour previous comment I was already thinking on that. Also a good way/non intrusive way of Securing our precious Uc/Collab applications. That is always a big question I get a lot
Just ran into fits with this on Ubuntu 18.04 and 20.04, setting up for migrating CUCM 7. The ssh service would not start with blowfish-cbc in the cipher list. The way I figured it out was adding all the ciphers in one at a time and then restarting the service. Sorry, 3 years later, but it may help the next person getting kicked in the teeth by this.
I just put cucm to connect to my open-ssh sftp server with just adding
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
to the configruation. All Cipher maipulation lead to a non starting sshd š
So maybe that helps to others finding this page š