Working with a client recently we had huge trouble backup up a Cisco phone system to a local machine for disaster recovery. Cisco provide an interface to use SFTP, so I offered to provide a Raspberry Pi for the backups- surely it couldn’t be that hard?
Well, yes and no…
So I wrote an SD card with the operating system, set up the Pi and then a new username and password for the Cisco device to use for SFTP.
And it didn’t work. After a whole bunch of work, we figured out this was the problem- Cisco has stopped upgrading the ciphers that they were using in 2014, coincidentally around the time that OpenSSH disabled a bunch of old, insecure ciphers…
So here’s the easy way to fix it –
(WARNING, this re-enables the insecure cipher that Cisco uses. I don’t really care because it’s only a RPi, but NASA got hacked through a Pi….)
- Try to add the RPi as a backup target from within the Cisco DR interface, and wait for it to fail
- Go back to the RPi and check the logs for the error when it fails with
sudo journalctl -xe
- Find the entry that says
Unable to negotiate with 192.168.100.14 port 22: no matching cipher found. Their offer: aes128-cbc
So in this case aes128-cbc was the first choice, let’s go with that…
- Edit your SSH config with
sudo nano /etc/ssh/sshd_config
- Add this line under the line
#Ciphers and Keying
- Restart SSH or reboot your device
And you are done!