Automated iapp backup

Chause1
Cirrus

Good day,

 

We are testing the automated backup iApp and receive the following error:

 

Unable to negotiate with x.x.x.x port 22: no matching cipher found. Their offer: 3des-cbc,blowfish-cbc

lost connection

f5.automated_backup iApp Automated_Backups: local.ucs REMOTE COPY (SCP) FAILED (check for errors above)

f5.automated_backup iApp Automated_Backups: FINISHED

 

I manually added the ciphers offered by the remote server and rebooted sshd.

Still no luck.

 

Any suggestions?

 

F5 sshd config:

 

modify sshd {
  allow replace-all-with { ALL }
  banner disabled
  banner-text none
  description none
  inactivity-timeout 0
  include "Ciphers aes128-cbc,aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,arcfour256,arcfour,blowfish-cbc,3des-cbc"
  log-level info
  login enabled
  port 22
}

cjunior
Nacreous

Hi,

 

What iApp are you using? I took a good one here in the past (f5.automated_backup.v2.0.tmpl from Thomas Schockaert) and I made some changes to it over the years. One of them was to add the "-c cipher" parameter to the scp command in the implementation section.

So, are you sure you are setting that cipher in the right place?

 

Best regards.

 

Chause1
Cirrus

Hi

 

Using this link https://support.f5.com/csp/article/K80425458

 

Using version 3.1.9

Hey, what am I missing?

 

K80425458: Modifying the list of ciphers and MAC and key exchange algorithms used by the SSH service on the BIG-IP system or BIG-IQ system

 

As far as I know, this article is related to changing the cipher on the BIG-IP or BIG-IQ SSH service for connecting in.

My thinking is that you are trying to connect out from there to send a backup file.

So, I can't find a relationship between the iApp backup and this article.

 

Am I wrong? 😞

 

Respectfully,

Chause1
Cirrus

Only saw that now, ugh!

 

Suggestions then?

Yes, you are applying an iApp template, right?

 

Open your backup iApp template for editing. Find the "scp" command line in the implementation section and add a cipher parameter to it, e.g.:

 

from this:

....... scp -i my.key -P 22 ........

to this:

....... scp -c aes128-ctr -i my.key -P 22 ........  

 

If needed, share your template here and we'll find it together.

 

Kind regards.

Chause1
Cirrus

If you can download and extract it, it will be version f5.automated_backup.v3.1.9

 

I think you are a lucky buddy,

There is a specific option for you to set it, take a look:

Just choose the best option from the list and go ahead (aes128-ctr never failed for me).

 

Cheers

Oops, I missed it: write 3des-cbc or blowfish-cbc in the cipher field option.

Confirm on the command line that BIG-IP can work with the two ciphers presented by the server:

 

# ssh -Q cipher

 

Regards 🙂

Chause1
Cirrus

Thanks, I seem to have moved a bit further, but now it seems that the private and public keys are an issue:

 

No RSA host key is known for x.x.x.x and you have requested strict checking.

Host key verification failed.

 

OK,

Did you properly exchange the public key from BIG-IP to the server?

Is there any issue with server trust?

 

You may run scp (or ssh) on the command line to test keys and communication.

e.g.

 

scp -c 3des-cbc -i /thersapriate.key -P 22 /var/local/ucs/backup.ucs admin@10.10.10.10:/destination

 

Take a look at all the template information too:

 

StrictHostKeyChecking: Yes / No (INSECURE)

It is MOST SECURE to select Yes, which is the SCP/SSH default setting and which will not allow connections to unknown servers. A server is considered 'unknown' until an SSH key fingerprint has been verified, or if the destination SSL certificate changes and the fingerprint no longer matches. Selecting 'No (INSECURE)' will ignore certificate verification for connections this iApp makes to the server configured above.

TROUBLESHOOTING: If the SCP script fails with a 'Host key verification failed' or 'No RSA host key is known for' error (which can be viewed in /var/tmp/scriptd.out after deploying this iApp), review the IMPORTANT steps (under Destination IP) above regarding the known_hosts file to resolve the issue. Also, review additional troubleshooting notes.

TROUBLESHOOTING: If the SCP script fails with a 'WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!' error (which can be viewed in /var/tmp/scriptd.out after deploying this iApp), the certificate on the destination server has changed. This could mean 1) The certificate was updated legitimately, or 2) There is an IP conflict and the script is connecting to the wrong server, or 3) the destination server was replaced or rebuilt and has a new certificate, or 4) a bad actor is intercepting the connection (man-in-the-middle) and the script is rightly warning you to not connect. Investigate the destination server before proceeding.

Username:

Copy/Paste the SSH private key to be used for passwordless authentication: Private key must be non-encrypted and in 'OpenSSH' base64 format. As an example run 'ssh-keygen -t rsa -b 4096 -C f5_backups' from the BIG-IP CLI, step through the questions, and view the resulting private key (by default ssh-keygen will save the key to ~/.ssh/id_rsa). If the Destination Server supports it, you may optionally run 'ssh-copy-id -i /root/.ssh/id_rsa.pub -o Ciphers=aes128-ctr username@destination' (with relevant values) to add the public key to the Destination Server's authorized_keys file (this only needs to be done once per unique key, not from every BIG-IP). Passwords and private keys are stored in an encrypted format. The salt for the encryption algorithm is the F5 cluster's Master Key. The master key is not shared when exporting a qkview or UCS, thus rendering your passwords and private keys safe if a backup file were to be stored off-box.

Cipher:

This can often be left blank but, depending on the version of F5 TMOS and the ssh configuration of the destination server, there may be no matching ciphers resulting in a 'no matching cipher found' error (which can be viewed in /var/tmp/scriptd.out after deploying this iApp or it can be tested/demonstrated by attempting an scp or ssh connection from this device to the destination server). Find the word 'server' in the error and note the ciphers listed; select one of these ciphers from the list above or paste in one not listed. This can be tested by attempting 'ssh -c aes128-ctr username@destination' (with appropriate cipher) from this device's CLI.

 

 

Regards.
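The two checks the template help text above describes (picking a cipher from the server's "Their offer:" list that `ssh -Q cipher` on the BIG-IP also supports, and confirming the destination already has a known_hosts entry rather than turning StrictHostKeyChecking off) can be scripted from the BIG-IP shell. This is an added example, not code from the thread or from the f5.automated_backup iApp; the sample error and cipher list are constructed from the posts above, and preflight_scp is a hypothetical helper.

```bash
#!/bin/bash
# Added example (not code from the thread or the f5.automated_backup iApp):
# automate the two checks the template help text describes, from the BIG-IP shell.
set -u

# Pull the comma-separated list after "Their offer:" out of an ssh/scp error line.
offered_ciphers() {
  printf '%s\n' "$1" | sed -n 's/.*Their offer: *\([^ ]*\).*/\1/p' | tr ',' '\n'
}

# Pick a cipher for the iApp's Cipher field (or scp -c) that both sides support.
# $1: the "no matching cipher found" error text, $2: newline-separated output of
# `ssh -Q cipher` on this BIG-IP. Modern CTR/GCM/chacha ciphers win when the
# server offers one; otherwise fall back to the server's own preference order.
common_cipher() {
  local server_err=$1 local_list=$2 c
  for c in $(offered_ciphers "$server_err" | grep -E 'ctr|gcm|chacha' || true) \
           $(offered_ciphers "$server_err"); do
    if printf '%s\n' "$local_list" | grep -qxF "$c"; then
      printf '%s\n' "$c"; return 0
    fi
  done
  return 1
}

# True if a plain (non-hashed) known_hosts file already has an entry for $2, the
# check behind "No RSA host key is known for ...". Add the host with ssh-keyscan
# and verify its fingerprint out of band instead of setting StrictHostKeyChecking no.
host_key_known() {
  awk -v h="$2" '$1 !~ /^[|#]/ { n = split($1, a, ","); for (i = 1; i <= n; i++)
        if (a[i] == h) { found = 1; exit } } END { exit !found }' "$1"
}

# Hypothetical helper: dry-run SCP with the chosen cipher and strict host checking;
# BatchMode fails fast instead of hanging on a prompt scriptd would never answer.
preflight_scp() {  # $1 cipher, $2 private key, $3 user@host, $4 port
  scp -c "$1" -i "$2" -P "$4" -o BatchMode=yes -o StrictHostKeyChecking=yes \
      /dev/null "$3:/dev/null"
}

# Constructed sample inputs: the error from the thread and the cipher list the
# poster's sshd include enables on the BIG-IP (not captured from a live system).
SAMPLE_ERR='Unable to negotiate with x.x.x.x port 22: no matching cipher found. Their offer: 3des-cbc,blowfish-cbc'
SAMPLE_LOCAL=$(printf '%s\n' aes128-cbc aes128-ctr aes192-ctr aes256-ctr arcfour128 \
                             arcfour256 arcfour blowfish-cbc 3des-cbc)

echo "Cipher for the iApp field: $(common_cipher "$SAMPLE_ERR" "$SAMPLE_LOCAL")"  # 3des-cbc
```

With the sample inputs the server offers only legacy CBC ciphers, so the fallback pass returns 3des-cbc, the value the thread settled on; a server that also offered a CTR cipher would get that instead.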

Permission denied

 

Did SSH to the server and accepted:

Warning: Permanently added 'x.x.x.x' (RSA) to the list of known hosts

 

Am I missing something here?

Hello,

Below, a step by step on how to create the key and exchange it with the server:

1. Run ssh-keygen to create the private and public keys. Make sure to skip the passphrase, so just press Enter.

2. Then, copy the public key to the server.

3. Check on the server that the public key was copied to authorized_keys.

4. Try to connect from BIG-IP to the server with the private key generated before.

** Make sure you can write to the backup destination directory.

5. Back in the BIG-IP user shell, try to copy a backup to the destination.

BINGO!

You must copy this private key and paste it into the iApp to run your backup successfully.

 

Regards.

 

Awesome!

 

Thanks for your time, I will send the files to the owner of the server in the week and we will test further

 

Thanks for your time and effort, much appreciated

 

 

Wow, I can finally rest my brain 🙂

Mark this question as completed when you confirm success, or when possible.

It was a pleasure to help you.

Cheers

Chause1
Cirrus

debug1: Authentication succeeded (password).

Authenticated to 172.x.x.x ([172.x.x.x]:22).

debug1: channel 0: new [client-session]

debug1: Entering interactive session.

debug1: pledge: network

debug1: Sending environment.

debug1: Sending env LANG = en_US

shell request failed on channel 0

 

 
