Hey, what am I missing?

K80425458: Modifying the list of ciphers and MAC and key exchange algorithms used by the SSH service on the BIG-IP system or BIG-IQ system

Far as I know, this article is related to change cipher on BIG-IP or BIG-IQ ssh to connect in.

My think is you are trying to connect out from there to send a backup file.

So, I can't find an iApp backup relationship to this article.

Am I wrong ? 😞 

Respectfully,

Yes, you are applying an iApp template, right?

Open to edit your iApp template backup. Find on implementation section the "scp" command line and put some cipher parameter on that e.g.:

from this:

....... scp -i my.key -P 22 ........

to this:

....... scp -c aes128-ctr -i my.key -P 22 ........  

If needed, share your template here and we find it together.

Kind regards.

I think you are a lucky buddy,

There is a specific option to you set it, take a look:

Just choose the best choice on list and go ahead. ( aes128-ctr never failed to me)

Cheers

Ops, passed by me: Write 3des-cbc or blowfish-cbc in cipher field option.

Confirm in command line that BIG-IP can work with those two ciphers presented by server:

# ssh -Q cipher

Regards 🙂

OK,

Did you properly exchange the public key from BIG-IP to server?

Is there any issue with server trust?

You may run scp (or ssh) on command line to test keys and communication.

e.g.

scp -c 3des-cbc -i /thersapriate.key -P 22 /var/local/ucs/backup.ucs admin@10.10.10.10:/destination

Take a look on all template information too:

StrictHostKeyChecking                             

                          Yes                                               

                          No (INSECURE)                                                         

It is MOST SECURE to select Yes, which is the SCP/SSH default setting and which will not allow connections to unknown servers. A server is considered 'unknown' until an SSH key fingerprint has been verified, or if the destination SSL certificate changes and the fingerprint no longer matches.Selecting 'No (INSECURE)' will ignore certificate verification for connections this iApp makes to the server configured above.TROUBLESHOOTING: If the SCP script fails with a 'Host key verification failed' or 'No RSA host key is known for' error (which can viewed in /var/tmp/scriptd.out after deploying this iApp), review the IMPORTANT steps (under Destination IP) above regarding the known_hosts file to resolve the issue. Also, review additional troubleshooting notes.TROUBLESHOOTING: If the SCP script fails with a 'WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!' error (which can viewed in /var/tmp/scriptd.out after deploying this iApp), the certificate on the destination server has changed. This could mean 1) The certificate was updated legitimately, or 2) There is an IP conflict and the script is connecting to the wrong server, or 3) the destination server was replaced or rebuilt and has a new certificate, or 4) a bad actor is intercepting the connection (man-in-the-middle) and the script is rightly warning you to not connect. Investigate the destination server before proceeding.Username:Copy/Paste the SSH private key to be used for passwordless authentication:Private key must be non-encrypted and in 'OpenSSH' base64 format. As an example run 'ssh-keygen -t rsa -b 4096 -C f5_backups' from the BIG-IP CLI, step through the questions, and view the resulting private key (by default ssh-keygen will save the key to ~/.ssh/id_rsa).If the Destination Server supports it, you may optionally run 'ssh-copy-id -i /root/.ssh/id_rsa.pub -o Ciphers=aes128-ctr username@destination' (with relevant values) to add the public key to the Destination Server's authorized_keys file (this only needs to be done once per unique key--not from every BIG-IP).Passwords and private keys are stored in an encrypted format. The salt for the encryption algorithm is the F5 cluster's Master Key. The master key is not shared when exporting a qkview or UCS, thus rendering your passwords and private keys safe if a backup file were to be stored off-box.Cipher

Cipher

This can often be left blank but, depending on the version of F5 TMOS and the ssh configuration of the destination server, there may be no matching ciphers resulting in a 'no matching cipher found' error (which can viewed in /var/tmp/scriptd.out after deploying this iApp or it can be tested/demonstrated by attempting an scp or ssh connection from this device to the destination server). Find the word 'server' in the error and note the ciphers listed; select one of these ciphers from the list above or paste in one not listed. This can be tested by attempting 'ssh -c aes128-ctr username@destination' (with appropriate cipher) from this device's CLI.

Regards.

Permission denied

Did SSH to server and excepted

Warning: Permanently added 'x.x.x.x' (RSA) to the list of known hosts

Am I missing something here?

Hello,

Below, a step by step on how to create key and exchange to server:

1. Run a ssh-keygen to create private and public keys. Make sure to ignore password data, so only press enter

2. Then, copy public key to server:

3. Check on server if pub key was copied to authorized_keys:

4. Try to connect from BIG-IP to server with private key generated before:

**Make sure you can write on backup destination directory

5. Back on BIG-IP user shell, try to copy some backup to destination:

BINGO!

You must copy this private key and fill it on iApp to run your backup with success:

Regards.

​Awesome!

Thanks for your time, I will send the files to the owner of the server in the week and we will test further

Thanks for your time and effort, much appreciated

Wow, I can finally rest my brain 🙂

Mark this question as completed when confirm success or when possible.

It was a pleasure help u

Cheers