
changing backup sftp server questions / problem 1

Status
Not open for further replies.

bfordz

Technical User
Nov 18, 2008
91
US
Avaya Aura System Platform 5.2.1 w/CM / CMM.
Currently I'm backing up to freeSSHd on a Windows XP machine.
All my backups are going ok.

I want to do away with the WinXP platform machine and I've setup a Ubuntu Server 16.04 machine with the OpenSSH package.

What do I need to do to be able to switch to where I'm sending my backup sftp files?

I set it up and tested it;
my cmm files; announcements, system files, users, etc. all backup ok.

When I try to backup the System Platform files in the same manner I get errors. The log content shows this error:
Algorithm negotiation fail

I'm using a different box and IP address with the Ubuntu, what do I need to change or setup to make this work?

 
Check your ssh logs? Presumably the default Avaya ssh configs vs your Ubuntu server's don't support the same negotiation - so it wouldn't be a username/password thing.

Can you ssh from CM to Ubuntu? Can you FTP and not SFTP from CM to Ubuntu? Can you SSH from the Ubuntu box to CM?
 
kyle555,
Thank you for the response,
I did check my ssh logs and this is what I found:

Oct 26 16:50:31 ubuntu-avbkup sshd[2024]: fatal: Unable to negotiate with xxx.xxx.xxx.56 port 55751: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1 [preauth]

Now I'm not Linux or ssh proficient at all. This is a whole new learning curve for me.
I don't know where to make my changes.

When you say ssh "here to there", I'm lost.

I did find some things via google;

If the client and server are unable to agree on a mutual set of parameters then the connection will fail. OpenSSH (7.0 and greater) will produce an error message like this:

Unable to negotiate with legacyhost: no matching key exchange method found.
Their offer: diffie-hellman-group1-sha1

In this case, the client and server were unable to agree on the key exchange algorithm. The server offered only a single method diffie-hellman-group1-sha1. OpenSSH supports this method, but does not enable it by default because it is weak and within theoretical range of the so-called Logjam attack.


I found this command and ran it:
brads@ubuntu-avbkup:~$ ssh -Q kex
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256@libssh.org

Does that mean it should be working?



 
I think ssh is your Ubuntu's client to access other machines - so, ssh from Ubuntu to CM should work.

sshd is the receiving end of a session on your ubuntu box.

I believe that in the absence of defining ciphers for sshd, you use the defaults, which try to be as secure as possible and remove deprecated ciphers.
Here's a note to the effect of openssh 7 defaulting to not allow diffie-hellman-group1-sha1


You probably just need to add the right line to /etc/ssh/sshd_config and restart sshd

Look around... try
 
Thanks kyle555,

I'll look those over and see what I can do.
I'll post back what I find.
 
kyle555,
I read through those links, thank you!

I added a line to my ssh_config file (sshd_config didn't like it)

KexAlgorithms +diffie-hellman-group1-sha1

Now I've got a different error message:
java.net.ConnectException: Connection refused

I'm not finding as much on that error.
My SSH system logs don't show any errors for that.

Should I jump over to the Linux Forums for this?
 
yeah...linux

but why java.net connection errors? CM-->Ubuntu and back shouldn't have anything to do with that...
 
kyle555,
thanks again for the reply;

I'm no further ahead ...
you can ignore the java message that was my fat fingered mistake. I missed that I typed in the wrong IP address, one digit off. Argh!

Still getting the "Algorithm negotiation fail".
 
Yeah, so key exchange and encryption algorithms are two different things.
Same idea, but different part of the SSH setup that is older in your CM and deprecated in your new ubuntu



Ubuntu 16.04's defaults:
The default is:

aes128-ctr,aes192-ctr,aes256-ctr,
aes128-gcm@openssh.com,aes256-gcm@openssh.com,
chacha20-poly1305@openssh.com




So, this is me ssh'ing with -vv (show all verbose stuff) to myself on a CM6.0.

Try from CLI of your CM to ssh -vv localhost and see what encryption algorithms it allows and tune accordingly :)

Code:
admin@myCM601> ssh -vv localhost
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/admin/.ssh/identity type -1
debug1: identity file /home/admin/.ssh/id_rsa type -1
debug1: identity file /home/admin/.ssh/id_dsa type -1
debug1: loaded 3 keys
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug2: fd 4 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 120/256
debug2: bits set: 552/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug2: no key of type 0 for host localhost
debug2: no key of type 2 for host localhost
 
kyle555,
Thanks so much for your time and effort.

I got it figured out finally, after a lot of reading and trial and error.
As you said, an older CM and deprecated in the 'newer' Ubuntu.

I had to add these to my sshd_config file; both lines separately
KexAlgorithms +diffie-hellman-group1-sha1
KexAlgorithms +diffie-hellman-group-exchange-sha1

I still got the same "Algorithm negotiation fail" message but I got a different response message in my ssh logs:
"no matching cipher found. Their offer: aes128-cbc,3des-cbc,blowfish-cbc [preauth]"

I found I had to add another line to my sshd_config file;
Ciphers aes128-cbc,3des-cbc,blowfish-cbc

Now I'm able to backup my Avaya Aura System Platform via SFTP to my Ubuntu Server.

My next step is to setup scheduling; I hope there's no problems with that!

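The two sshd log lines in this thread ("no matching key exchange method found" and "no matching cipher found", each followed by "Their offer: ...") contain everything needed to work out the smallest change to sshd_config. The script below is an added example, not code from the thread or from Avaya/OpenSSH: it parses log lines of that shape, intersects the client's offer with a preference-ordered list of what the server build supports, and prints the two `+` lines to append. The log lines, the placeholder address 192.0.2.56 and the preference lists are constructed for the example; on a real server the preference lists should be built from the names `ssh -Q kex` and `ssh -Q cipher` print on that box.

```shell
#!/bin/sh
# Added example, not from the thread: turn sshd's "Their offer:" log lines into the
# smallest set of legacy algorithms that has to be re-enabled in sshd_config.
# All data below is constructed; the client address is a documentation placeholder.

# Two sshd log lines in the shape shown in the thread (constructed).
KEX_LOG='Oct 26 16:50:31 ubuntu-avbkup sshd[2024]: fatal: Unable to negotiate with 192.0.2.56 port 55751: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1 [preauth]'
CIPHER_LOG='Oct 26 17:02:10 ubuntu-avbkup sshd[2051]: fatal: Unable to negotiate with 192.0.2.56 port 55760: no matching cipher found. Their offer: aes128-cbc,3des-cbc,blowfish-cbc [preauth]'

# Algorithms this server build supports, strongest first, so that the weakest
# acceptable fallback is chosen only when nothing better is offered.
# Constructed for the example; on a real host derive these from `ssh -Q kex` / `ssh -Q cipher`.
KEX_PREF='curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1'
CIPHER_PREF='chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-ctr,aes128-cbc,3des-cbc,blowfish-cbc'

# Which negotiation step failed: prints "kex", "cipher" or "unknown".
failed_kind() {
    case "$1" in
        *'no matching key exchange method'*) echo kex ;;
        *'no matching cipher'*)              echo cipher ;;
        *)                                   echo unknown ;;
    esac
}

# Peer address from "Unable to negotiate with <addr> port <n>".
peer_addr() {
    printf '%s\n' "$1" | sed -n 's/.*Unable to negotiate with \([^ ]*\) port .*/\1/p'
}

# The comma-separated list that follows "Their offer:".
offer_list() {
    printf '%s\n' "$1" | sed -n 's/.*Their offer: \([^ ]*\).*/\1/p'
}

# First entry of the preference list ($2) that the client also offered ($1).
# Enabling just this one algorithm is enough for the legacy client to connect.
pick_preferred() {
    offered="$1"
    printf '%s\n' "$2" | tr ',' '\n' | while IFS= read -r alg; do
        case ",$offered," in
            *",$alg,"*) printf '%s\n' "$alg"; break ;;
        esac
    done
}

# Lines to append to sshd_config: "+" keeps the modern defaults and adds one legacy entry each.
# $1 = kex failure log line, $2 = cipher failure log line.
sshd_config_lines() {
    printf 'KexAlgorithms +%s\n' "$(pick_preferred "$(offer_list "$1")" "$KEX_PREF")"
    printf 'Ciphers +%s\n'       "$(pick_preferred "$(offer_list "$2")" "$CIPHER_PREF")"
}

# Stand-alone run: show who failed to negotiate and what to add.
echo "legacy client: $(peer_addr "$KEX_LOG")"
sshd_config_lines "$KEX_LOG" "$CIPHER_LOG"
```

For the thread's offers this prints `KexAlgorithms +diffie-hellman-group-exchange-sha1` and `Ciphers +aes128-cbc`, which is narrower than enabling every offered name: diffie-hellman-group1-sha1 (the Logjam-range group) and the 64-bit-block 3des/blowfish ciphers stay off. Two points worth checking before restarting the daemon: sshd_config uses the first occurrence of a keyword, so two separate `KexAlgorithms` lines do not add up, and KexAlgorithms/Ciphers cannot be placed under a `Match` block, so whatever is added applies to every client of that sshd. `sudo sshd -t` validates the file and `sudo sshd -T | grep -i -e kexalgorithms -e ciphers` shows the effective lists after the change.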
 