Forum Discussion

Chause1
Feb 14, 2020

Automated iapp backup

Good day,

We are testing the automated backup iApp and receive the following error:

Unable to negotiate with x.x.x.x port 22: no matching cipher found. Their offer: 3des-cbc,blowfish-cbc
lost connection
f5.automated_backup iApp Automated_Backups: local.ucs REMOTE COPY (SCP) FAILED (check for errors above)
f5.automated_backup iApp Automated_Backups: FINISHED

I manually added the Ciphers offered from the remote server and rebooted sshd.

Still no luck.

Any suggestions?


F5 sshd config:

modify sshd {
  allow replace-all-with { ALL }
  banner disabled
  banner-text none
  description none
  inactivity-timeout 0
  include "Ciphers aes128-cbc,aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,arcfour256,arcfour,blowfish-cbc,3des-cbc"
  log-level info
  login enabled
  port 22

17 Replies

  • Hi,

    What iApp are you using? I took a good one from here in the past (f5.automated_backup.v2.0.tmpl from Thomas Schockaert) and I made some changes to it over the years. One of them was to add the "-c cipher" parameter to the SCP command in the implementation section.

    So, are you sure you are setting that cipher in the right place?

    Best regards.


    • cjunior

      Hey, what am I missing?

      K80425458: Modifying the list of ciphers and MAC and key exchange algorithms used by the SSH service on the BIG-IP system or BIG-IQ system

      As far as I know, this article is about changing the ciphers of the BIG-IP or BIG-IQ ssh service for connecting in.

      My thinking is that you are trying to connect out from there to send a backup file.

      So, I can't find a relationship between the iApp backup and this article.

      Am I wrong? :(

      Respectfully,

    • cjunior

      Yes, you are applying an iApp template, right?

      Open your backup iApp template for editing. Find the "scp" command line in the implementation section and put a cipher parameter on it, e.g.:

      from this:

      ....... scp -i my.key -P 22 ........

      to this:

      ....... scp -c aes128-ctr -i my.key -P 22 ........

      If needed, share your template here and we will find it together.

      Kind regards.

  • If you can download and extract it, it will be version f5.automated_backup.v3.1.9


    • cjunior

      I think you are a lucky buddy,

      There is a specific option for you to set it, take a look:

      Just choose the best choice on the list and go ahead. (aes128-ctr never failed for me)

      Cheers

      • cjunior

        Oops, that passed me by: write 3des-cbc or blowfish-cbc in the cipher field option.

        Confirm on the command line that the BIG-IP can work with those two ciphers presented by the server:

        # ssh -Q cipher

        Regards :)
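Added example (my own, not cjunior's code and not part of the iApp): a small POSIX shell helper that takes the "Their offer:" list from the error in the original post and a client cipher list in the shape `ssh -Q cipher` prints, reports which ciphers both sides support, and prefers a non-legacy one for `scp -c`. The two ciphers this server offers (3des-cbc, blowfish-cbc) are both legacy algorithms that current OpenSSH clients disable by default, so the helper flags that case: it still names a usable cipher, but makes clear that the lasting fix belongs on the destination sshd rather than in the BIG-IP's own cipher list. The sample error and client list are constructed, and the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread or the iApp. Given the "Their offer:"
# list from an OpenSSH "no matching cipher found" error and the client's own
# cipher list (what `ssh -Q cipher` prints), find what both sides support and
# flag legacy algorithms so the choice passed to `scp -c` is a conscious one.

# Print the comma-separated server offer extracted from the error text on stdin.
offered_ciphers() {
  sed -n 's/.*Their offer: *//p'
}

# Print, one per line, the ciphers present in both comma-separated lists
# ($1 = server offer, $2 = client list), in the server's preference order.
common_ciphers() {
  for s in $(printf '%s' "$1" | tr ',' ' '); do
    for c in $(printf '%s' "$2" | tr ',' ' '); do
      if [ "$s" = "$c" ]; then printf '%s\n' "$s"; fi
    done
  done
}

# Classify a cipher name: CBC mode, 3DES, blowfish and arcfour are "legacy"
# (disabled or removed in default OpenSSH configurations); anything else "ok".
cipher_class() {
  case "$1" in
    3des-cbc|blowfish-cbc|arcfour|arcfour128|arcfour256|*-cbc) echo legacy ;;
    *) echo ok ;;
  esac
}

# Choose the cipher for `scp -c`: the first non-legacy common cipher if any;
# otherwise the first legacy one, with a warning on stderr; fail if none match.
pick_cipher() {
  common=$(common_ciphers "$1" "$2")
  if [ -z "$common" ]; then
    echo "no cipher in common with the server" >&2
    return 1
  fi
  for c in $common; do
    if [ "$(cipher_class "$c")" = ok ]; then printf '%s\n' "$c"; return 0; fi
  done
  echo "warning: only legacy ciphers in common; plan to update the destination sshd" >&2
  printf '%s\n' "$common" | head -n 1
}

# Constructed sample input: the error from the original post and a client list
# in the shape `ssh -Q cipher` produces (not taken from a real BIG-IP).
SAMPLE_ERROR='Unable to negotiate with x.x.x.x port 22: no matching cipher found. Their offer: 3des-cbc,blowfish-cbc'
SAMPLE_CLIENT='3des-cbc,aes128-cbc,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com'

offer=$(printf '%s\n' "$SAMPLE_ERROR" | offered_ciphers)
echo "server offers: $offer"
echo "in common:     $(common_ciphers "$offer" "$SAMPLE_CLIENT" | tr '\n' ' ')"
echo "scp -c choice: $(pick_cipher "$offer" "$SAMPLE_CLIENT")"
```

On a real box, replace SAMPLE_CLIENT with `ssh -Q cipher | paste -sd,` and SAMPLE_ERROR with the line from /var/tmp/scriptd.out; the warning path is the one that fires for the server in this thread.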

  • Thanks, I seem to have moved a bit further, but now it seems that the private and public key are an issue

    No RSA host key is known for x.x.x.x and you have requested strict checking.
    Host key verification failed.


    • cjunior

      OK,

      Did you properly exchange the public key from the BIG-IP to the server?

      Is there any issue with server trust?

      You may run scp (or ssh) on the command line to test keys and communication, e.g.:

      scp -c 3des-cbc -i /thersapriate.key -P 22 /var/local/ucs/backup.ucs admin@10.10.10.10:/destination

      Take a look at all the template information too:


      StrictHostKeyChecking: Yes / No (INSECURE)

      It is MOST SECURE to select Yes, which is the SCP/SSH default setting and which will not allow connections to unknown servers. A server is considered 'unknown' until an SSH key fingerprint has been verified, or if the destination SSL certificate changes and the fingerprint no longer matches. Selecting 'No (INSECURE)' will ignore certificate verification for connections this iApp makes to the server configured above.

      TROUBLESHOOTING: If the SCP script fails with a 'Host key verification failed' or 'No RSA host key is known for' error (which can be viewed in /var/tmp/scriptd.out after deploying this iApp), review the IMPORTANT steps (under Destination IP) above regarding the known_hosts file to resolve the issue. Also, review additional troubleshooting notes.

      TROUBLESHOOTING: If the SCP script fails with a 'WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!' error (which can be viewed in /var/tmp/scriptd.out after deploying this iApp), the certificate on the destination server has changed. This could mean 1) the certificate was updated legitimately, or 2) there is an IP conflict and the script is connecting to the wrong server, or 3) the destination server was replaced or rebuilt and has a new certificate, or 4) a bad actor is intercepting the connection (man-in-the-middle) and the script is rightly warning you not to connect. Investigate the destination server before proceeding.

      Username:

      Copy/Paste the SSH private key to be used for passwordless authentication: the private key must be non-encrypted and in 'OpenSSH' base64 format. As an example, run 'ssh-keygen -t rsa -b 4096 -C f5_backups' from the BIG-IP CLI, step through the questions, and view the resulting private key (by default ssh-keygen will save the key to ~/.ssh/id_rsa). If the Destination Server supports it, you may optionally run 'ssh-copy-id -i /root/.ssh/id_rsa.pub -o Ciphers=aes128-ctr username@destination' (with relevant values) to add the public key to the Destination Server's authorized_keys file (this only needs to be done once per unique key, not from every BIG-IP). Passwords and private keys are stored in an encrypted format. The salt for the encryption algorithm is the F5 cluster's Master Key. The master key is not shared when exporting a qkview or UCS, thus rendering your passwords and private keys safe if a backup file were to be stored off-box.

      Cipher:

      This can often be left blank but, depending on the version of F5 TMOS and the ssh configuration of the destination server, there may be no matching ciphers, resulting in a 'no matching cipher found' error (which can be viewed in /var/tmp/scriptd.out after deploying this iApp, or can be tested/demonstrated by attempting an scp or ssh connection from this device to the destination server). Find the word 'server' in the error and note the ciphers listed; select one of these ciphers from the list above or paste in one not listed. This can be tested by attempting 'ssh -c aes128-ctr username@destination' (with the appropriate cipher) from this device's CLI.

      Regards.
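Added example (my own, not cjunior's code and not part of the iApp): the template text above describes three outcomes for the destination's host key when StrictHostKeyChecking is Yes: the host is unknown (the 'No RSA host key is known for' error in this thread), it matches the pinned entry, or it has CHANGED (the 'REMOTE HOST IDENTIFICATION HAS CHANGED!' case the template says to investigate). The POSIX shell helper below reads plain (unhashed) known_hosts entries and classifies a presented key into those three states, so an unattended backup job can be checked before it is scheduled instead of discovering the failure in /var/tmp/scriptd.out. The `check_destination` wrapper uses OpenSSH's `ssh-keyscan` to fetch the live key and is not exercised by the demo; the known_hosts content and key material are constructed placeholders, and all function names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread or the iApp. Before an unattended scp
# job runs with StrictHostKeyChecking=yes, check how the destination's key
# relates to the known_hosts file the job will use: unknown (never pinned),
# match, or CHANGED (the case to investigate before proceeding).

# Print "keytype base64" for the first plain (unhashed) known_hosts entry in
# file $1 whose host list contains $2; print nothing when the host is absent.
# Hashed entries ("|1|...") and comments are skipped.
known_hosts_key() {
  awk -v host="$2" '
    $1 !~ /^[|#]/ {
      n = split($1, hosts, ",")
      for (i = 1; i <= n; i++)
        if (hosts[i] == host) { print $2, $3; exit }
    }' "$1"
}

# Compare the key the server presents ($3 = type, $4 = base64 data) with the
# pinned entry for host $2 in file $1; prints unknown, match or CHANGED.
host_key_status() {
  stored=$(known_hosts_key "$1" "$2")
  if [ -z "$stored" ]; then
    echo unknown
  elif [ "$stored" = "$3 $4" ]; then
    echo match
  else
    echo CHANGED
  fi
}

# Fetch the live RSA key on port 22 with ssh-keyscan (OpenSSH tool) and classify
# it against file $1. Not run by the demo; usage:
#   check_destination ~/.ssh/known_hosts 10.10.10.10
check_destination() {
  line=$(ssh-keyscan -t rsa "$2" 2>/dev/null | head -n 1)
  if [ -z "$line" ]; then
    echo "no RSA host key received from $2" >&2
    return 2
  fi
  ktype=$(printf '%s\n' "$line" | awk '{ print $2 }')
  kdata=$(printf '%s\n' "$line" | awk '{ print $3 }')
  host_key_status "$1" "$2" "$ktype" "$kdata"
}

# Constructed sample known_hosts content; the key data is placeholder text,
# not real key material.
KNOWN_HOSTS_SAMPLE='# constructed sample file
10.10.10.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABPLACEHOLDER= backup-target
192.0.2.7,backup.example.test ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER= other-target'

# Write the sample to a temporary file and print its path (caller removes it).
sample_known_hosts_file() {
  f=$(mktemp)
  printf '%s\n' "$KNOWN_HOSTS_SAMPLE" > "$f"
  printf '%s\n' "$f"
}

kh=$(sample_known_hosts_file)
echo "10.10.10.10, same key:      $(host_key_status "$kh" 10.10.10.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABPLACEHOLDER=)"
echo "10.10.10.10, different key: $(host_key_status "$kh" 10.10.10.10 ssh-rsa DIFFERENTPLACEHOLDER=)"
echo "198.51.100.1, not pinned:   $(host_key_status "$kh" 198.51.100.1 ssh-rsa XPLACEHOLDER=)"
rm -f "$kh"
```

Only `match` should let the job proceed; `unknown` means the known_hosts step from the template's Destination IP section has not been done on this BIG-IP, and `CHANGED` is the case where the fingerprint must be confirmed out of band with whoever runs the destination before the entry is replaced.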

      • Chause1

        Permission denied

        Did SSH to the server and accepted:

        Warning: Permanently added 'x.x.x.x' (RSA) to the list of known hosts

        Am I missing something here?

  • See the following:


    debug1: Authentication succeeded (password).

    Authenticated to 172.x.x.x ([172.x.x.x.]:22).

    debug1: channel 0: new [client-session]

    debug1: Entering interactive session.

    debug1: pledge: network

    debug1: Sending environment.

    debug1: Sending env LANG = en_US

    shell request failed on channel 0