CUCM – Unable to add SFTP Backup Device – Some Linux stuff

Few weeks have gone by and I have not written anything for a while **But I still have lots of Drafts in the works. Job has been a bit busy this time of the year so that’s my excuse and I will stick to it 🙂

If you are a UC and Collaboration engineer, you may have under your sleeve few cool solutions to backup your Apps. Well, I have a few too, and I used to crash a lot with the FREE SolarWinds app. But for some reason, this app sometimes fails.

A good solution seems to be a Linux box/VM that you can rely on to always run SSH/SFTP services with no extra applications, just need to make sure the OpenSSH Server is installed. There is some extra configuration, but, if you are like me maybe will find out as you move with configuring your server

The Issue

When configuring a Backup Device you get this message:

“Update failed : Unable to access SFTP server. Please ensure the given SFTP server is a genuine SFTP server”

The Troubleshooting

I opened my SFTP browser on my computer “CyberDuck” and was able to get to the server using SFTP and the user/password combination with no issues

NewImage

The next step is to see why this thing doesn’t work!!! –

Login to the shell on your Linux server and run the following command

ucadmin@myserver:~$ tail -100 /var/log/auth.log | grep sshd

 

This command will provide you with the authorization logs and you will be able to see key information, like CUCM is trying to authenticate with diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1 but our SSH/SFTP server is not set to accept this authentication algorithm

Dec 27 12:58:29 myserver sshd[1676]: fatal: Unable to negotiate with xx.xx.xx.xx port 56813: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1 [preauth]
Dec 27 12:58:29 myserver sshd[1678]: fatal: Unable to negotiate with xx.xx.xx.xx port 56814: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1 [preauth]

 

The Solution

The solution to this is to modify your ssh configuration file, here is the command to get to it

Sudo nano /etc/ssh/sshd_config

 

Add the following 2 lines to the end of the file

	Ciphers 3des-cbc,blowfish-cbc,aes128-cbc,aes128-ctr,aes256-ctr
	KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-	nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,diffie-hellman-group-	exchange-sha1

 

This last one did the trick for me… not sure about the others, and with different versions of CUCM you may or may not get different results

diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1

 

***Note to self and whoever is saying ** Ohh so sweet, he uses nano” –> Yes I use nano text editor… I still have not learned VI, which I keep hearing is the best thing since sliced bread :O

What to Look forward to?

This particular issue may seem like a no big deal for some people… Actually a few days ago it took me quite a while to find the issue + lots of reading on Google 🙂 Now that is documented and I have it at my fingertips I believe I will not have to wast more time

About the Author:
Andres Sarmiento, CCIE # 53520 (Collaboration) With more than 13 years of experience, Andres is specialized in the Unified Communications and Collaboration technologies. Consulted for several companies in South Florida, also Financial Institutions on behalf of Cisco Systems. Andres has been involved in high-profile implementations including Cisco technologies; such as Data Center, UC & Collaboration, Contact Center Express, Routing & Switching, Security and Hosted IPT Service provider infrastructures. You can follow Andres using Twitter, LinkedIn or Facebook

Advertisements

4 thoughts on “CUCM – Unable to add SFTP Backup Device – Some Linux stuff

  1. Thanks for this post, very cool explanation of how you’ve gone about troubleshooting to resolve this issue! A word of warning – you’ve now made both your CUCM and SFTP server susceptible to Logjam. Watch out for some of the really weak ciphers that you’ve introduced.

    https://blog.gdssecurity.com/labs/2015/8/3/ssh-weak-diffie-hellman-group-identification-tool.html
    https://www.openssh.com/legacy.html

    I know it’s not always feasible, but it’s really better to upgrade your CUCM to be able to access necessary functionality to negotiate a better set of cipher suites. Alternatively, in your case, settling just for “diffie-hellman-group-exchange-sha1” would have been best, in my opinion.

    Like

      1. I have just recently gone through a security audit exercise for 11.5 for an entire Collab ecosystem, so this knowledge is also fresh in my mind 🙂 Please ping me if I can help in any way, esp. with questions relating to TLS 1.0/1.1/1.2 and avoiding common vulnerabilities due to incorrect cipher suites.

        Like

      2. Will for sure reach out. After tour previous comment I was already thinking on that. Also a good way/non intrusive way of Securing our precious Uc/Collab applications. That is always a big question I get a lot

        Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s