...
Cipher suites are changed or upgraded on Data Domain, and Avamar is no longer able to log in to the Data Domain using password-less authentication.

Avamar logs in to Data Domain using Data Domain's public key in order to exchange certificates when session security features are enabled. The DDR key is also used to update Data Domain in the Avamar AUI and Java UI.

There is an article that explains how to change the Data Domain SSH cipher suites and HMACs: How to tune supported ciphers and hashing algorithms for the SSH server in DDOS

The symptom is the following error in the Avamar AUI/UI:

    'Failed to import host or ca automatically' for the Data Domain

This prevents the exchange of certificates between Avamar and Data Domain over SSH connections.
From the contents of the KB article referenced in the symptoms section (000069763 | How to tune supported ciphers and hashing algorithms for the SSH server in DDOS), cipher suites are changed on the DD SSH server:

    ddboost@datadomain# adminaccess ssh option show
    Option           Value
    ---------------  ------------------------------------------------------------------------------
    session-timeout  default (infinite)
    server-port      default (22)
    ciphers          aes128-cbc,chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
    macs             hmac-sha1,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com

    ddboost@datadomain# adminaccess ssh option set ciphers "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com"
    Adminaccess ssh option "ciphers" set to "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com".

    ddboost@datadomain# adminaccess ssh option set macs "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256"
    Adminaccess ssh option "macs" set to "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256".

    ddboost@datadomain# adminaccess ssh option show
    Option           Value
    ---------------  ------------------------------------------------------------------------------
    session-timeout  default (infinite)
    server-port      default (22)
    ciphers          chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
    macs             hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256

This change breaks the ability to SSH with the DDR public key from Avamar to Data Domain, because the Avamar SSH client no longer shares a cipher suite with the Data Domain SSH server:

    root@avamar:/etc/ssh/#: ssh -i ~admin/.ssh/ddr_key ddboost@datadomain.emc.com
    Unable to negotiate with 10.11.12.13 port 22: no matching cipher found. Their offer: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
Once SSH cipher suites are updated on Data Domain, the cipher suites on the Avamar SSH client side must be updated to match.

Action

List the current Avamar SSH client cipher suites:

    root@avamar:/etc/ssh/#: grep Ciphers /etc/ssh/ssh_config | grep -v "#"
    Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc

Edit the ssh_config file and change the last line of the file (the Ciphers list) to include the new ciphers: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com

    root@avamar:/etc/ssh/#: vi /etc/ssh/ssh_config

After editing the last line of the file, it should look like the following:

    root@avamar:/etc/ssh/#: grep Ciphers /etc/ssh/ssh_config | grep -v "#"
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc

Test the SSH cipher suite compatibility by using the DDR public key to log in to Data Domain with public key authentication:

    root@avamar:/etc/ssh/#: ssh -i ~admin/.ssh/ddr_key ddboost@datadomain.emc.com
    Data Domain OS
    Last login: Tue Sep 13 10:32:07 EDT 2022 from 10.11.12.13 on pts/1
    Welcome to Data Domain OS 6.2.0.30-629757
    -----------------------------------------
    **
    ** NOTICE: There are 5 outstanding alerts. Run "alerts show current"
    **         to display outstanding alert(s).
    **
    ddboost@datadomain#
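As an added example (not part of the Dell KB, and not an Avamar or Data Domain tool), the following POSIX shell script does the comparison behind the "no matching cipher found" failure and the edit the Action steps describe: it computes which ciphers the Avamar client and the Data Domain server have in common, builds the merged Ciphers line with the new server ciphers placed first, and rewrites the uncommented Ciphers line of an ssh_config. The cipher lists are constructed sample values copied from the listings above, the ssh_config it edits is a constructed temporary file rather than /etc/ssh/ssh_config, and the optional local-support check assumes an OpenSSH client that understands `ssh -Q cipher`.

```shell
#!/bin/sh
# Added example, not part of the Dell KB. Compares the Avamar SSH client's
# Ciphers list with the ciphers the Data Domain SSH server offers and builds
# the merged Ciphers line the KB tells you to put in /etc/ssh/ssh_config.
# All sample values below are constructed from the listings in the KB.

# Server offer as shown by "adminaccess ssh option show" (or by the
# "Their offer:" part of the ssh error). Constructed sample.
DD_OFFER="chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com"
# Client list as shown by "grep Ciphers /etc/ssh/ssh_config". Constructed sample.
AVAMAR_CIPHERS="aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc"

# in_list NAME CSV: succeed if NAME is one element of the comma-separated CSV.
in_list() {
    case ",$2," in
        *",$1,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# common_ciphers CLIENT_CSV SERVER_CSV: print the ciphers both sides accept,
# in the client's preference order. An empty result is exactly the condition
# that makes ssh report "no matching cipher found".
common_ciphers() {
    cc_out=""
    cc_oldifs=$IFS; IFS=','
    for cc_c in $1; do
        if in_list "$cc_c" "$2"; then
            cc_out="${cc_out:+$cc_out,}$cc_c"
        fi
    done
    IFS=$cc_oldifs
    printf '%s\n' "$cc_out"
}

# merged_ciphers CLIENT_CSV SERVER_CSV: server ciphers the client does not
# list yet are prepended to the client list, which is the layout the KB ends
# up with (new ciphers first, the existing ones kept after them).
merged_ciphers() {
    mc_new=""
    mc_oldifs=$IFS; IFS=','
    for mc_c in $2; do
        if ! in_list "$mc_c" "$1"; then
            mc_new="${mc_new:+$mc_new,}$mc_c"
        fi
    done
    IFS=$mc_oldifs
    if [ -n "$mc_new" ]; then
        printf '%s,%s\n' "$mc_new" "$1"
    else
        printf '%s\n' "$1"
    fi
}

# active_ciphers_line FILE: print the CSV from the first uncommented Ciphers
# line of an ssh_config, the same thing the KB's grep pipeline shows.
active_ciphers_line() {
    grep -v '^[[:space:]]*#' "$1" | awk '$1 == "Ciphers" { print $2; exit }'
}

# set_ciphers_line FILE CSV: replace the uncommented Ciphers line in FILE with
# CSV, a scriptable stand-in for the "vi /etc/ssh/ssh_config" step.
set_ciphers_line() {
    sed "s|^[[:space:]]*Ciphers .*|Ciphers $2|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# unsupported_locally CSV: print the ciphers in CSV that this OpenSSH client
# does not implement (per "ssh -Q cipher"), so the merged line never names a
# cipher the local binary would reject. Prints nothing if ssh is not installed.
unsupported_locally() {
    command -v ssh >/dev/null 2>&1 || return 0
    ul_have=$(ssh -Q cipher 2>/dev/null | tr '\n' ',')
    ul_oldifs=$IFS; IFS=','
    for ul_c in $1; do
        in_list "$ul_c" "$ul_have" || printf '%s\n' "$ul_c"
    done
    IFS=$ul_oldifs
}

# Demo on a constructed ssh_config written to a temporary file.
demo_cfg=${TMPDIR:-/tmp}/ssh_config_demo.$$
printf '%s\n' '# constructed sample ssh_config' 'Host *' "Ciphers $AVAMAR_CIPHERS" > "$demo_cfg"
echo "common before: '$(common_ciphers "$(active_ciphers_line "$demo_cfg")" "$DD_OFFER")'"
set_ciphers_line "$demo_cfg" "$(merged_ciphers "$(active_ciphers_line "$demo_cfg")" "$DD_OFFER")"
echo "Ciphers after: $(active_ciphers_line "$demo_cfg")"
echo "common after:  $(common_ciphers "$(active_ciphers_line "$demo_cfg")" "$DD_OFFER")"
echo "not supported by the local ssh client: $(unsupported_locally "$(active_ciphers_line "$demo_cfg")")"
rm -f "$demo_cfg"
```

On the sample values the "common before" line is empty, which is the mismatch the ssh error reports, and the merged line is the same Ciphers line the KB shows after the vi edit. Feeding `unsupported_locally` the merged list before writing it catches the opposite failure mode: a server cipher that the Avamar client's OpenSSH build does not implement, which the ssh_config edit alone cannot fix.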