Override Default SSHD Keys for CUCM#

Customers with older networking systems and who are using Arbitrator for CUCM collection may wish to override the VOSS Insights system sshd_config default entries with their own cipher values to allow the KexAlgorithms required for legacy systems.

Legacy algorithms are disabled by default in VOSS Insights, which retains only the latest and most secure version of ssh. Older ssh keys have been found to have known flaws.

Some legacy systems (particularly Cisco CUCMs) that interact with VOSS Insights may be unable to upgrade their sshd version. As a result, the legacy system may lose the ability to communicate with VOSS Insights.

Warning

It is recommended that if you choose to override the default values that ship with the system, you must verify, in a separate ssh connection (before ending your current ssh session), that you’re still able to use ssh to access the system. If the file is corrupted as a result of performing this procedure, your access to ssh (and therefore your access to the system) may be compromised.

Do not perform this procedure unless you understand the security implications for your system. If you’re unsure, please contact VOSS Support before making this change.

To modify the sshd_config file:

  1. On the VOSS Insights system where you want to override values, for example, Arbitrator, Dashboard, or DS9, use ssh to log in as admin to the VOSS Insights Administration configuration screen:

    ssh and your admin user account, for example, ssh admin@123

  2. Select Network Configuration.

  3. Select SSHD Config.

  4. On the Current Customer Overrides screen, copy and paste the keys for the relevant algorithms (the ones you wish to use). For example, you may wish to add one or more of the following KexAlgorithms:

    Important

    None of the examples provided here are supported by or recommended by VOSS. This procedure only provides an alternative for legacy CUCMs.

    • ecdh-sha2-nistp521

    • ecdh-sha2-nistp384

    • diffie-hellman-group14-sha1

    • diffie-hellman-group1-sha1

    • diffie-hellman-group-exchange-sha256

    • diffie-hellman-group-exchange-sha1

    You can copy these keys into the screen, in a comma separated list (without spaces), as in the following example, which uses two of these algorithms:

    KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384
    

    For a older CUCMs (e.g. CUCM 11.5.1), add the following:

    KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
    MACs hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
    HostKeyAlgorithms ssh-rsa,ssh-dss
    
  5. Click OK.

  6. Verify that your changes are accepted.

    Note

    If you’ve introduced errors in the copy/paste operation, a system error displays and reverts the change. If you see an error message warning that ssh is unstable, you may need to contact VOSS Support for assistance, or re-paste the keys into the Current Customer Overrides screen and attempt the update again.

  7. Before disconnecting from your current session, open a new ssh session to verify that you can still connect.