Working with a client recently we had huge trouble backing up a Cisco phone system to a local machine for disaster recovery. Cisco provide an interface to use SFTP, so I offered to provide a Raspberry Pi for the backups. Surely it couldn’t be that hard?

Well, yes and no…

So I wrote an SD card with the operating system, set up the Pi and then a new username and password for the Cisco device to use for SFTP.

And it didn’t work. After a whole bunch of work, we figured out the problem: Cisco stopped updating the ciphers they were using in 2014, coincidentally around the time that OpenSSH disabled a bunch of old, insecure ciphers by default…

So here’s the easy way to fix it.
(WARNING: this re-enables the insecure cipher that Cisco uses. I don’t really care because it’s only a RPi, but NASA got hacked through a Pi….)

  1. Try to add the RPi as a backup target from within the Cisco DR interface, and wait for it to fail.
  2. Go back to the RPi and check the logs for the error with
     sudo journalctl -xe
  3. Find the entry that says
     Unable to negotiate with 192.168.100.14 port 22: no matching cipher found. Their offer: aes128-cbc

     So in this case aes128-cbc was the first choice, let’s go with that…
  4. Edit your SSH server config with
     sudo nano /etc/ssh/sshd_config
  5. Add this line under the line #Ciphers and Keying
     Ciphers aes128-cbc
  6. Restart SSH or reboot your device.

And you are done!
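One caveat on step 5: a bare `Ciphers aes128-cbc` replaces sshd’s default cipher list, so every other client of the Pi is forced onto the weak cipher too, not just the Cisco device. The script below is an added example (not from the original post): it pulls the offered cipher and the peer address out of the step 3 log line, emits an sshd_config fragment that appends the cipher to the default list instead of replacing it, and confines the backup account to SFTP only. The log line is constructed, the 192.168.100.14 address is the one from the post, and the `ciscobackup` account name is assumed.

```shell
#!/bin/sh
# Added example, not from the original post. Parse the sshd "no matching cipher"
# line, then print an sshd_config fragment that re-enables the offered cipher
# without throwing away the strong defaults. Sample data below is constructed.

# Constructed copy of the journal line from step 3 of the post.
SAMPLE_LOG='Unable to negotiate with 192.168.100.14 port 22: no matching cipher found. Their offer: aes128-cbc'

# Print the first cipher named after "Their offer:". The peer lists its ciphers in
# preference order and the negotiated cipher is the first one the server also
# accepts, so the first entry is the one that matters.
offered_cipher() {
    printf '%s\n' "$1" | sed -n 's/.*Their offer:[[:space:]]*\([^,[:space:]]*\).*/\1/p'
}

# Print the peer address from the same line (handy for a firewall rule that limits
# who may reach port 22 on the Pi at all).
offered_from() {
    printf '%s\n' "$1" | sed -n 's/.*negotiate with \([0-9.]*\) port.*/\1/p'
}

# Emit the sshd_config fragment. "Ciphers +NAME" appends NAME to the default set,
# so modern clients keep negotiating the strong ciphers and only a client that
# offers nothing better ends up on the legacy one. Ciphers is not permitted inside
# a Match block, so scoping the weak cipher to one host is not possible; limiting
# what the backup account can do is the next best thing. $2 is the account name.
sshd_fragment() {
    cipher="$1"
    user="$2"
    printf 'Ciphers +%s\n' "$cipher"
    printf 'Match User %s\n' "$user"
    printf '    ForceCommand internal-sftp\n'   # SFTP only, no shell
    printf '    AllowTcpForwarding no\n'        # no tunnelling through the Pi
    printf '    X11Forwarding no\n'
}

main() {
    cipher=$(offered_cipher "$SAMPLE_LOG")
    peer=$(offered_from "$SAMPLE_LOG")
    echo "# legacy cipher offered by $peer: $cipher"
    sshd_fragment "$cipher" "ciscobackup"
}

main
```

Append the fragment to the end of /etc/ssh/sshd_config (a `Match` block applies to every line after it until the next `Match`, so it must come last), check the result with `sudo sshd -t` before `sudo systemctl restart ssh`, and confirm the build still knows the cipher with `ssh -Q cipher`. The same "no matching cipher found" journal message is also worth keeping an eye on afterwards: on a Pi that should only ever talk to the Cisco device, one from any other address is a client you did not expect.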