Problem: Since AOS 6.4.4.0, AOS mobility controllers support only CBC cipher algorithms. This is outlined in the community post here: http://community.arubanetworks.com/t5/Wireless-Access/SSH-and-AES-CBC/m-p/248919
In OpenSSH version 6.7 these ciphers have been disabled by default, and customers may find that they are unable to scp files from the mobility controller to their SSH server running OpenSSH 6.7.
http://www.openssh.com/txt/release-6.7
Changes since OpenSSH 6.6
=========================
Potentially-incompatible changes
* sshd(8): The default set of ciphers and MACs has been altered to
remove unsafe algorithms. In particular, CBC ciphers and arcfour*
are disabled by default.
Diagnostics: With the default sshd config we can see that CBC ciphers are not offered.
nmap --script ssh2-enum-algos -sV -p 22 192.168.1.101
22/tcp open ssh (protocol 2.0)
| ssh2-enum-algos:
| encryption_algorithms: (6)
| aes128-ctr
| aes192-ctr
| aes256-ctr
| aes128-gcm@openssh.com
| aes256-gcm@openssh.com
| chacha20-poly1305@openssh.com
SF:r(NULL,29,"SSH-2\.0-OpenSSH_6\.7p1\x20Raspbian-5\+deb8u3\r
");
When we attempt to use scp to transfer a file from the mobility controller to the SSH server, the following error is seen.
Solution: In order to resolve this, the following change to the sshd config is necessary on the given server. The change was applied to a Raspberry Pi, but should be applicable to any Linux-based server running OpenSSH 6.7 and above.
- As root, edit the file located at /etc/ssh/sshd_config --> this may vary depending on your distribution
- Insert the following line of config in the file and save:
  Ciphers aes128-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr
- Restart the sshd service with the following command: service ssh restart or /etc/init.d/ssh restart --> this may vary depending on your distribution.
Note: Ensure that you have console access to the server in case you are locked out and need to roll back the changes.
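The edit steps above can be scripted so that a broken config never reaches the running daemon. The following is an added example, not part of the original article: the function names set_ciphers and apply_ciphers are hypothetical, and it assumes a POSIX shell with awk and an sshd binary on the PATH.

```shell
#!/bin/sh
# Added example: apply the article's Ciphers line to sshd_config with a
# backup and a syntax check before the file is replaced.

CIPHERS='aes128-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr'  # from the article

# set_ciphers SRC DST: copy SRC to DST with exactly one global Ciphers line.
# Existing (uncommented) Ciphers lines are dropped so the setting is not
# duplicated, and the new line is placed before the first Match block,
# because Ciphers is not permitted inside a Match block.
set_ciphers() {
    awk -v line="Ciphers $CIPHERS" '
        tolower($1) == "ciphers" { next }
        !done && tolower($1) == "match" { print line; done = 1 }
        { print }
        END { if (!done) print line }
    ' "$1" > "$2"
}

# apply_ciphers CONFIG: build a candidate file, validate it, then install it.
# Run as root on the server; the original is kept as CONFIG.bak for rollback.
apply_ciphers() {
    cfg=$1
    sshd_bin=$(command -v sshd) || { echo "sshd not found" >&2; return 1; }
    cand=$(mktemp) || return 1
    set_ciphers "$cfg" "$cand" || { rm -f "$cand"; return 1; }
    # sshd -t only checks the file; the running daemon is not touched.
    if ! "$sshd_bin" -t -f "$cand"; then
        echo "candidate config rejected; $cfg left unchanged" >&2
        rm -f "$cand"
        return 1
    fi
    cp -p "$cfg" "$cfg.bak" && cat "$cand" > "$cfg"
    rm -f "$cand"
}
```

After apply_ciphers /etc/ssh/sshd_config succeeds, restart the service as described in the last step.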
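An nmap scan of the server now shows the following. The CBC ciphers are offered, and because an explicit Ciphers line replaces the default list, the GCM and chacha20-poly1305 ciphers seen in the earlier scan are no longer offered.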
nmap --script ssh2-enum-algos -sV -p 22 192.168.1.101
22/tcp open ssh (protocol 2.0)
| ssh2-enum-algos:
| encryption_algorithms: (5)
| aes128-cbc
| aes256-cbc
| aes128-ctr
| aes192-ctr
| aes256-ctr
SF:r(NULL,29,"SSH-2\.0-OpenSSH_6\.7p1\x20Raspbian-5\+deb8u3\r
");
You should now be able to copy files from the mobility controller to your ssh server using scp.