cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

718
Views
0
Helpful
5
Replies
RD77
Beginner

Cisco ISE SFTP backup issue

Hi,

We try to run a backup from an ISE v3.0p5 with an SFTP server.

When I try to add the SFTP key with "crypto host_key add host x.x.x.x", the key is not fetched.

 

When I try to ssh to the SFTP server, I get the following: 

ise-01/admin# ssh x.x.x.x backup
Operating in CiscoSSL FIPS mode
FIPS mode initialized
Unable to negotiate with x.x.x.x. port 22: no matching host key type found. Their offer: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519

 

I also made a tcpdump and I can see tha the ISE tries to negociate with:

server_host_key_algorithms: ssh-rsa

Where the server replies with:

server_host_key_algorithms: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519

 

From what I understand the server refuses the server_host_key_algorithms since the key of the ISE server is ssh-rsa.

Is it possible to generate a stronger key for the ISE server ?

Is it the default for ISE?

Thanks

 

 

1 ACCEPTED SOLUTION

Accepted Solutions
Rob Ingram
VIP Expert

@RD77 I don't think it's possible to reconfigure ISE to use different SSH ciphers, previously I've had to reconfigure the sftp server to support the ciphers ISE supports.

View solution in original post

5 REPLIES 5
balaji.bandi
VIP Guru

what is the ISE Version, what SFTP Server here, Looks like cipher issue

 

Unable to negotiate with x.x.x.x. port 22: no matching host key type found. Their offer: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519

You can add key : ISE server CLI using the command - crypto host_key add

 

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-software/215348-how-to-configure-repository-on-identity.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

ISE is running 3.0 with patch5

SFTP is running on Ubuntu 22.04 with OPenSSH 8.9

 

From what I can se encryption cyphers are OK.

I can not add the key of the remote server.

 

There are some changes in OpenSSH 8.8 and after:


"Potentially-incompatible changes
================================

This release disables RSA signatures using the SHA-1 hash algorithm
by default. This change has been made as the SHA-1 hash algorithm is
cryptographically broken, and it is possible to create chosen-prefix
hash collisions for <USD$50K [1]

For most users, this change should be invisible and there is
no need to replace ssh-rsa keys. OpenSSH has supported RFC8332
RSA/SHA-256/512 signatures since release 7.2 and existing ssh-rsa keys
will automatically use the stronger algorithm where possible.

Incompatibility is more likely when connecting to older SSH
implementations that have not been upgraded or have not closely tracked
improvements in the SSH protocol. For these cases, it may be necessary
to selectively re-enable RSA/SHA1 to allow connection and/or user
authentication via the HostkeyAlgorithms and PubkeyAcceptedAlgorithms
options. For example, the following stanza in ~/.ssh/config will enable
RSA/SHA1 for host and user authentication for a single destination host:

Host old-host
HostkeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa

We recommend enabling RSA/SHA1 only as a stopgap measure until legacy
implementations can be upgraded or reconfigured with another key type
(such as ECDSA or Ed25519).

 

Rob Ingram
VIP Expert

@RD77 I don't think it's possible to reconfigure ISE to use different SSH ciphers, previously I've had to reconfigure the sftp server to support the ciphers ISE supports.

This is what we have done at the moment. Hope ISE version will be able to support stronger algorithm for key generation

 

@RD77 one day maybe....I recall this issue from back in the ISE 2.1 days in 2017/2018!!

Create
Recognize Your Peers
Content for Community-Ad

ISE Webinars


Miss a previous ISE webinar?
Never miss one again!

CiscoISE on YouTube