With the release of OpenSSH v6.7, weaker ciphers were disabled. As of v11, Cisco CUCM still uses those weaker ciphers, which causes issues with backups to the OpenSSH versions shipped in the latest distributions. This post walks through identifying the issue and the correction used in the CollabBackups appliance.
First off, the versions of the test environment:
- Cisco Unified Communications Manager v11.0.1.20000-2
- Ubuntu 16.04
- OpenSSH 7.2p2
The Issue
When attempting to create the backup instance for the CollabBackups appliance, the creation fails with an invalid password. Testing with my credentials allows me to access the server via FileZilla or your favorite SFTP client.
Not much help on the surface. Off to the Ubuntu system to take a look at the authentication logs. There, we start to get more detail.
With the cipher mismatch visible, other posts turned up the end fix directly relating to CUCM (thanks), but they left out the cause and troubleshooting of the issue. It started in 2014 with the release of OpenSSH 6.7, whose release notes state that weaker ciphers have been disabled. Ubuntu 16.04 ships with OpenSSH v7.2.
With the weaker ciphers being disabled for almost two years, maybe it is time to update the available ciphers in CUCM :).
The Fix
With the ability to update the SSH configuration file, the fix is quite straightforward. In Ubuntu 16.04, simply add the line listed below. You can choose just one cipher if desired, but if you have multiple platforms and versions of Cisco UC that need to be backed up on your local network, I would recommend adding the whole list.
Ciphers aes128-cbc,3des-cbc,blowfish-cbc
Inserted into the file:
After a quick restart of the sshd process (or a reboot), the CUCM appliance is now able to access the SFTP server to complete the backups.
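As an added example (not from the original post or the CollabBackups appliance), the Python below reads sshd's "no matching cipher found" log lines and works out the fewest legacy ciphers to re-enable. It emits a `Ciphers +...` line, which in the OpenSSH 7.2 used here appends to the default cipher set, whereas the bare list above replaces it. The log lines and the preference order are constructed for the example.

```python
import re

# Constructed auth.log lines (not from the post), in the format sshd 7.x uses
# when a client offers no cipher the server accepts.
SAMPLE_LOG = """\
Jun  1 10:15:02 backup sshd[2211]: fatal: Unable to negotiate with 192.0.2.10 port 41822: no matching cipher found. Their offer: aes128-cbc,3des-cbc,blowfish-cbc [preauth]
Jun  1 10:15:40 backup sshd[2230]: Accepted password for backup from 192.0.2.50 port 50112 ssh2
Jun  1 10:16:09 backup sshd[2244]: fatal: Unable to negotiate with 192.0.2.11 port 38710: no matching cipher found. Their offer: aes128-cbc,3des-cbc [preauth]
"""

FAILURE = re.compile(
    r"Unable to negotiate with (\S+) port \d+: "
    r"no matching cipher found\. Their offer: ([\w@.,-]+)"
)

# Assumed preference: AES-CBC before the 64-bit-block ciphers 3DES and Blowfish.
PREFERENCE = ["aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-cbc", "blowfish-cbc"]

def rejected_offers(log_text):
    """Map each rejected client address to the set of ciphers it offered."""
    offers = {}
    for peer, offer in FAILURE.findall(log_text):
        offers.setdefault(peer, set()).update(offer.split(","))
    return offers

def minimal_additions(offers):
    """Greedily pick the fewest preferred ciphers so every client has a match."""
    unserved = dict(offers)
    chosen = []
    while unserved:
        # Most clients covered wins; ties go to the earlier PREFERENCE entry.
        def score(c):
            return (sum(c in o for o in unserved.values()), -PREFERENCE.index(c))
        best = max(PREFERENCE, key=score)
        if score(best)[0] == 0:
            raise ValueError("no cipher in PREFERENCE for %s" % sorted(unserved))
        chosen.append(best)
        unserved = {p: o for p, o in unserved.items() if best not in o}
    return chosen

def ciphers_directive(additions):
    """Build the sshd_config line; '+' appends to the defaults, not replaces."""
    return "Ciphers +" + ",".join(additions) if additions else None

if __name__ == "__main__":
    print(ciphers_directive(minimal_additions(rejected_offers(SAMPLE_LOG))))
```

Running `sshd -T | grep -i '^ciphers'` after the restart shows the effective cipher list, which should still contain the modern defaults alongside the re-enabled legacy cipher.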
Successful Backup