Solved: Thank you so much for your

rriveraa · ‎10-05-2016

Hello everybody:

I am trying to set a backup on PI 3.0 using SFTP repository, however I am getting the following error when checking the repository:

cpi02-to3-corp/admin# show repository SFTP
6 [6637]: transfer: cars_xfer.c[201] [admin]: sftp dir of repository SFTP requested
6 [6637]: transfer: cars_xfer_util.c[2089] [admin]: resolved server to 10.1.31.121
3 [6637]: transfer: cars_xfer_util.c[2105] [admin]: libssh2 session startup failed
% SSH session setup error

The repository configuration is the following:

repository SFTP
  url  sftp://10.1.31.121/cpi-backups//
  user cpisftp password hash 3c6189f3c5eef5e3d657adb2c28886c887a714ea
repository defaultRepo
  url disk:/defaultRepo

I login to the SFTP server manually and the password is less than 17 characters with no special characters:

ade # sftp -c aes256-cbc cpisftp@10.1.31.121:cpi-backups<mailto:cpisftp@10.1.31.121:cpi-backups>
cpisftp@10.1.31.121's<mailto:cpisftp@10.1.31.121's> password:
Connected to 10.1.31.121.
Changing to: /cpi-backups

I found the following in the SFTP server logs:

Sep 23 08:34:11 ossftp1-to5-corp sshd[11890]: fatal: no matching cipher found: client blowfish-cbc,arcfour128,arcfour,cast128-cbc,3des-cbc server aes128-ctr,aes192-ctr,aes256-ctr,aes256-cbc

I have been looking for the Prime documentation but there is not information about the Ciphers that Prime needs to be configured.

I am suspecting PI needs specific ciphers in order to communicate with SFTP server. Has anybody seen this behaivor? Is it a bug? Please let me know if you have any recommendation or suggestion.

Thank you.

Rose

Marvin Rhoads · ‎10-06-2016

@Afroz

In this case, the PI server is the ssh client. I Believe we also had this issue when connecting PI to ISE due to cipher mismatch. I thought it was fixed in PI 3.0 but it may have been 3.1.

rriveraa ,

You could try lowering the accepted cipher strength server-side or possibly bring your PI up to the latest version (3.1.3 as of right now).

View solution in original post

AFROJ AHMAD · ‎10-05-2016

Hi Rose,

yes , it is a BUG.

CSCun41202 Weak CBC mode and weak ciphers should be disabled in SSH server

workaround::

Reconfigure any SSH clients not to use weak ciphers like 3des-cbc or blowfish-cbc.

DCNM uses SSH to manage Cisco devices and must be upgraded to at least Cisco NX-OS 7.2(1) to work with devices with this fix.

Thanks-

Afroz

***Ratings Encourages Contributors ****

Thanks- Afroz [Do rate the useful post] ****Ratings Encourages Contributors ****

rriveraa · ‎10-06-2016

thanks for including the Bug, I appreciate.

Marvin Rhoads · ‎10-06-2016

@Afroz

In this case, the PI server is the ssh client. I Believe we also had this issue when connecting PI to ISE due to cipher mismatch. I thought it was fixed in PI 3.0 but it may have been 3.1.

rriveraa ,

You could try lowering the accepted cipher strength server-side or possibly bring your PI up to the latest version (3.1.3 as of right now).

rriveraa · ‎10-06-2016

Thank you so much for your answer, I am using PI version 3.0, I wil try with 3.1.3.

Prime Infrastructure 3.0 and SFTP repository