Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4895
Views
10
Helpful
8
Replies

ISE 2.3 Patch 4 SFTP Repository SSH issue.

Go to solution
vseward
Level 1
Level 1

‎02-06-2019 01:17 PM

I have created a new SFTP repository on a ISE 2.3 Patch 4 primary admin node both in the CLI and GUI and run the 

Crypto host-key add host URL_of_SFTP server

And I get the error below when I try to validate the repository.  What did I miss for the config?

Repository validation failed due to error - SSH connect error. Verify configuration

 

 

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Damien Miller
VIP Alumni
VIP Alumni
In response to vseward

‎02-13-2019 07:48 PM

That's ISE saying it will only use aes256-cbc or aes128-cbc. I don't know of any way to adjust the ISE chiper set, but this is certainly supported and modifiable in your Redhat Linux. My Linux skills are rusty, but I think I would start in /etc/ssh/sshd_config.

There should be a ciphers line that you can modify to include the two being suggested by ISE. It would appear that your new version of RHEL changed the default from the sshd man page or someone modified the default. If aes256-cbc and aes128-cbc are still in there then you might have something else handling this connection.


From the sshd man page:

Ciphers
Specifies the ciphers allowed for protocol version 2. Multiple ciphers must be comma-separated. The supported ciphers are ''3des-cbc'', ''aes128-cbc'', ''aes192-cbc'', ''aes256-cbc'', ''aes128-ctr'', ''aes192-ctr'', ''aes256-ctr'', ''arcfour128'', ''arcfour256'', ''arcfour'', ''blowfish-cbc'', and ''cast128-cbc''. The default is:

aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
aes256-cbc,arcfour

View solution in original post

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to vseward

‎02-15-2019 09:14 AM

Known limitation -- CSCum13116

View solution in original post

8 Replies 8

Go to solution
howon
Cisco Employee
Cisco Employee

‎02-06-2019 02:39 PM

Have you configured the SFTP server to accept request from the ISE node? Also, check the ADE log (show logging system ade/ADE.log) for more information on why it failed.

0 Helpful

Go to solution
Arne Bier
VIP
VIP
In response to howon

‎02-07-2019 03:03 AM

Are you using the Microsoft version of OpenSSH SFTP server by any chance?  It's an option in Windows10 and I suppose in some of the Server variants too, since Microsoft historically didn't support SFTP in its IIS server.  In that case you need to fiddle around with the allowed cipher suites.  ISE is a bit limited and it does not support CTC ciphers support - and you may have to tell your SFTP server to support some legacy ciphers like aes256-cbc,aes128-cbc etc.

The SFTP Server logs will probably reveal your problem.

0 Helpful

Go to solution
vseward
Level 1
Level 1
In response to Arne Bier

‎02-13-2019 04:26 PM

The SFTP server is Redhat 7.5 and the error in its log is. 

Unable to negotiate with X.X.X.X port 48745: no matching cipher found. Their offer: aes256-cbc,aes128-cbc

0 Helpful

Go to solution
Damien Miller
VIP Alumni
VIP Alumni
In response to vseward

‎02-13-2019 07:48 PM

That's ISE saying it will only use aes256-cbc or aes128-cbc. I don't know of any way to adjust the ISE chiper set, but this is certainly supported and modifiable in your Redhat Linux. My Linux skills are rusty, but I think I would start in /etc/ssh/sshd_config.

There should be a ciphers line that you can modify to include the two being suggested by ISE. It would appear that your new version of RHEL changed the default from the sshd man page or someone modified the default. If aes256-cbc and aes128-cbc are still in there then you might have something else handling this connection.


From the sshd man page:

Ciphers
Specifies the ciphers allowed for protocol version 2. Multiple ciphers must be comma-separated. The supported ciphers are ''3des-cbc'', ''aes128-cbc'', ''aes192-cbc'', ''aes256-cbc'', ''aes128-ctr'', ''aes192-ctr'', ''aes256-ctr'', ''arcfour128'', ''arcfour256'', ''arcfour'', ''blowfish-cbc'', and ''cast128-cbc''. The default is:

aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
aes256-cbc,arcfour
0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to vseward

‎02-15-2019 09:14 AM

Known limitation -- CSCum13116

Go to solution
Damien Miller
VIP Alumni
VIP Alumni
In response to hslai

‎02-15-2019 01:18 PM

Thanks for sharing that. Good to know it's tracked, hopefully it makes it in to a future release.
0 Helpful

Go to solution
pan
Cisco Employee
Cisco Employee

‎02-13-2019 07:24 PM

What do you see if you take capture on ISE for SFTP server? Is three way handshake getting completed?

0 Helpful

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎02-15-2019 11:26 AM

So I posted this in another post relating to scp ISE issues.  See below, this may help you out:

Use this link to setup remote sftp linux repo:

https://www.howtoforge.com/tutorial/how-to-setup-an-sftp-server-on-centos/

 

Don't forget to add the key to ISE:

ise/admin# configure terminal
ise/admin(config)# repository myrepository
ise/admin(config-Repository)# url sftp://ise
ise/admin(config-Repository)# host-key host ise

 

On your server you may see the following errors:

sshd[18546]: fatal: bad ownership or modes for chroot directory "/data/ise" [postauth]

sshd[18351]: fatal: no matching cipher found: client aes256-cbc,aes128-cbc,aes128-gcm@openssh.com,aes256-gcm@openssh.com server aes128-ctr,aes192-ctr,aes256-ctr [preauth]

 

Double check ownership on your directories you are writing to or pulling from. Also, if you need to tweak ciphers modify your sshd_config.

 

Or if you want to use ftp you can do so this way (process should be similar even if attempting to use SCP):

make sure you create local repo
#conf t
#repository REPO
##url disk:

 

copy ftp://XXXXX/FILENAME disk:/

delete FILE disk:/

 

HTH!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents