Cisco Unity and UCM - Reset SSH Keys
-
So both my Cisco Unity and UCM servers have stopped doing SFTP backups, and I strongly suspect this is due to the SSH keys going wonky. I can ping the SFTP server from Unity and I can SFTP into the server from any other client, but both say "Unable to Connect" when I try to connect (it took me about an hour to get that much out of the systems; they just say "Error" in most places with little indication of what the error was).
So how do I go in and delete/reset the SSH keys they use for SFTP?
-
Depends on your SFTP server.
-
@scottalanmiller said in Cisco Unity and UCM - Reset SSH Keys:
Depends on your SFTP server.
Sorry, I guess I was not clear. The keys in question are the local ones on the Unity and UCM side. This would be similar to how you'd empty out the ssh/known_hosts file on a regular Linux machine, i.e. the keys used by the client to verify that the server is the same one that it connected to in the past.
As I said, there is nothing wrong with my SFTP server; I can connect to it just fine from other machines, and even ping it from Unity and UCM.
-
@jrc said in Cisco Unity and UCM - Reset SSH Keys:
@scottalanmiller said in Cisco Unity and UCM - Reset SSH Keys:
Depends on your SFTP server.
Sorry, I guess I was not clear. The keys in question are the local ones on the Unity and UCM side. This would be similar to how you'd empty out the ssh/known_hosts file on a regular Linux machine, i.e. the keys used by the client to verify that the server is the same one that it connected to in the past.
As I said, there is nothing wrong with my SFTP server; I can connect to it just fine from other machines, and even ping it from Unity and UCM.
Generally you just generate new ones... ssh-keygen
-
I don't think you are understanding my issue.
When an SSH client connects to an SSH server with a username and password, you get asked if you want to trust the connection based on the key your client gets handed. This key is then added into your .ssh/known_hosts, which is then used every time you connect to make sure the server is the same one as last time. If that server gets retired and/or another one ends up on its IP, you cannot connect, as the SSH client throws up a warning saying the cached key does not match. You can then go into the known_hosts file and simply remove the cached key, and it will then connect.
This is what I am asking: what is the equivalent way to do this on Unity and UCM? Their cached keys no longer match the SFTP server and therefore they cannot connect (SSH won't let them).
I have no idea how to explain this better so hopefully this helps clear it up.
-
@jrc said in Cisco Unity and UCM - Reset SSH Keys:
I don't think you are understanding my issue.
When an SSH client connects to an SSH server with a username and password, you get asked if you want to trust the connection based on the key your client gets handed. This key is then added into your .ssh/known_hosts, which is then used every time you connect to make sure the server is the same one as last time. If that server gets retired and/or another one ends up on its IP, you cannot connect, as the SSH client throws up a warning saying the cached key does not match. You can then go into the known_hosts file and simply remove the cached key, and it will then connect.
This is what I am asking: what is the equivalent way to do this on Unity and UCM? Their cached keys no longer match the SFTP server and therefore they cannot connect (SSH won't let them).
I have no idea how to explain this better so hopefully this helps clear it up.
Uhm, it's all SSH; nothing changes between vendors in how SSH functions. You've got broken keys somewhere in the chain. The fix is generally exactly what @scottalanmiller said: you reissue the SSH keys for the devices and distribute those new public keys. Removing an existing SSH key should be quite easy: older versions just edit the known_hosts file and remove the line with the device having issues, and the latest SSH versions give you instructions on how to accomplish this right in the command line you're using.
-
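As an added illustration of the known_hosts mechanism described in the two posts above (example code written for this page, not something from the thread or from Cisco): a small Python script that parses OpenSSH known_hosts entries, including hashed `|1|` ones, and drops the entries for a given host, which is the file-level operation behind `ssh-keygen -R host` on a normal OpenSSH client. The hostnames, key blobs and salt in the sample are constructed placeholders.

```python
import base64
import hashlib
import hmac


def hashed_hostname(host: str, salt: bytes) -> str:
    """OpenSSH hashed host field: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def host_matches(host_field: str, host: str) -> bool:
    """True if a known_hosts host field (plain list or hashed |1| form) names `host`."""
    # Wildcard and negated (!) patterns are not handled here.
    if host_field.startswith("|1|"):
        _, _, salt_b64, hash_b64 = host_field.split("|", 3)
        salt = base64.b64decode(salt_b64)
        expected = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(hash_b64))
    return host in host_field.split(",")


def remove_host_entries(known_hosts_text: str, host: str):
    """Return (remaining_text, removed_lines) with every entry for `host` dropped."""
    # File-level equivalent of `ssh-keygen -R host`: the stale cached key goes
    # away, so the next connection prompts for trust again instead of failing.
    kept, removed = [], []
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            kept.append(line)  # blank lines and comments are preserved
            continue
        # Optional leading marker such as @cert-authority or @revoked.
        host_field = fields[1] if fields[0].startswith("@") else fields[0]
        (removed if host_matches(host_field, host) else kept).append(line)
    return "\n".join(kept) + "\n", removed


# Constructed sample file: the old SFTP server appears once in plain form and
# once hashed; key blobs and salt are placeholders, not real keys.
SALT = b"constructed-salt-20b"
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# known_hosts (constructed sample)",
    "sftp.example.internal,10.0.0.5 ssh-ed25519 AAAAC3OLD_KEY_PLACEHOLDER",
    hashed_hostname("sftp.example.internal", SALT) + " ssh-rsa AAAAB3OLD_KEY_PLACEHOLDER",
    "other.example.internal ssh-ed25519 AAAAC3OTHER_KEY_PLACEHOLDER",
]) + "\n"

if __name__ == "__main__":
    print(remove_host_entries(SAMPLE_KNOWN_HOSTS, "sftp.example.internal")[0])
```

Removing the entry only clears the cached key; on the next connection the client will prompt for the new server key, which is the moment to verify its fingerprint out of band before trusting it.
-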
@jrc said in Cisco Unity and UCM - Reset SSH Keys:
I don't think you are understanding my issue.
When an SSH client connects to an SSH server with a username and password, you get asked if you want to trust the connection based on the key your client gets handed. This key is then added into your .ssh/known_hosts, which is then used every time you connect to make sure the server is the same one as last time. If that server gets retired and/or another one ends up on its IP, you cannot connect, as the SSH client throws up a warning saying the cached key does not match. You can then go into the known_hosts file and simply remove the cached key, and it will then connect.
This is what I am asking: what is the equivalent way to do this on Unity and UCM? Their cached keys no longer match the SFTP server and therefore they cannot connect (SSH won't let them).
I have no idea how to explain this better so hopefully this helps clear it up.
I see, but UCM lacks a known_hosts file?
-
@travisdh1 said in Cisco Unity and UCM - Reset SSH Keys:
@jrc said in Cisco Unity and UCM - Reset SSH Keys:
I don't think you are understanding my issue.
When an SSH client connects to an SSH server with a username and password, you get asked if you want to trust the connection based on the key your client gets handed. This key is then added into your .ssh/known_hosts, which is then used every time you connect to make sure the server is the same one as last time. If that server gets retired and/or another one ends up on its IP, you cannot connect, as the SSH client throws up a warning saying the cached key does not match. You can then go into the known_hosts file and simply remove the cached key, and it will then connect.
This is what I am asking: what is the equivalent way to do this on Unity and UCM? Their cached keys no longer match the SFTP server and therefore they cannot connect (SSH won't let them).
I have no idea how to explain this better so hopefully this helps clear it up.
Removing an existing SSH key should be quite easy: older versions just edit the known_hosts file and remove the line with the device having issues, and the latest SSH versions give you instructions on how to accomplish this right in the command line you're using.
Exactly right, I know this is more than likely the solution, and my question is how do I do that on Cisco's Unity and UCM platforms? This is the core question I am asking; regenerating the keys won't do a thing for me if I cannot answer this question.
-
@scottalanmiller said in Cisco Unity and UCM - Reset SSH Keys:
@jrc said in Cisco Unity and UCM - Reset SSH Keys:
I don't think you are understanding my issue.
When an SSH client connects to an SSH server with a username and password, you get asked if you want to trust the connection based on the key your client gets handed. This key is then added into your .ssh/known_hosts, which is then used every time you connect to make sure the server is the same one as last time. If that server gets retired and/or another one ends up on its IP, you cannot connect, as the SSH client throws up a warning saying the cached key does not match. You can then go into the known_hosts file and simply remove the cached key, and it will then connect.
This is what I am asking: what is the equivalent way to do this on Unity and UCM? Their cached keys no longer match the SFTP server and therefore they cannot connect (SSH won't let them).
I have no idea how to explain this better so hopefully this helps clear it up.
I see, but UCM lacks a known_hosts file?
I have no idea. I am asking what the Cisco Unity and UCM equivalent is, and how to do the equivalent action (edit and remove) on them.
-
@jrc said in Cisco Unity and UCM - Reset SSH Keys:
@scottalanmiller said in Cisco Unity and UCM - Reset SSH Keys:
@jrc said in Cisco Unity and UCM - Reset SSH Keys:
I don't think you are understanding my issue.
When an SSH client connects to an SSH server with a username and password, you get asked if you want to trust the connection based on the key your client gets handed. This key is then added into your .ssh/known_hosts, which is then used every time you connect to make sure the server is the same one as last time. If that server gets retired and/or another one ends up on its IP, you cannot connect, as the SSH client throws up a warning saying the cached key does not match. You can then go into the known_hosts file and simply remove the cached key, and it will then connect.
This is what I am asking: what is the equivalent way to do this on Unity and UCM? Their cached keys no longer match the SFTP server and therefore they cannot connect (SSH won't let them).
I have no idea how to explain this better so hopefully this helps clear it up.
I see, but UCM lacks a known_hosts file?
I have no idea. I am asking what the Cisco Unity and UCM equivalent is, and how to do the equivalent action (edit and remove) on them.
Do you have smartnet?
-
@jrc said in Cisco Unity and UCM - Reset SSH Keys:
@travisdh1 said in Cisco Unity and UCM - Reset SSH Keys:
@jrc said in Cisco Unity and UCM - Reset SSH Keys:
I don't think you are understanding my issue.
When an SSH client connects to an SSH server with a username and password, you get asked if you want to trust the connection based on the key your client gets handed. This key is then added into your .ssh/known_hosts, which is then used every time you connect to make sure the server is the same one as last time. If that server gets retired and/or another one ends up on its IP, you cannot connect, as the SSH client throws up a warning saying the cached key does not match. You can then go into the known_hosts file and simply remove the cached key, and it will then connect.
This is what I am asking: what is the equivalent way to do this on Unity and UCM? Their cached keys no longer match the SFTP server and therefore they cannot connect (SSH won't let them).
I have no idea how to explain this better so hopefully this helps clear it up.
Removing an existing SSH key should be quite easy: older versions just edit the known_hosts file and remove the line with the device having issues, and the latest SSH versions give you instructions on how to accomplish this right in the command line you're using.
Exactly right, I know this is more than likely the solution, and my question is how do I do that on Cisco's Unity and UCM platforms? This is the core question I am asking; regenerating the keys won't do a thing for me if I cannot answer this question.
Right, I get it now, you are using SSH from UCS, but don't know where its files are kept.
-
@coliver said in Cisco Unity and UCM - Reset SSH Keys:
@jrc said in Cisco Unity and UCM - Reset SSH Keys:
@scottalanmiller said in Cisco Unity and UCM - Reset SSH Keys:
@jrc said in Cisco Unity and UCM - Reset SSH Keys:
I don't think you are understanding my issue.
When an SSH client connects to an SSH server with a username and password, you get asked if you want to trust the connection based on the key your client gets handed. This key is then added into your .ssh/known_hosts, which is then used every time you connect to make sure the server is the same one as last time. If that server gets retired and/or another one ends up on its IP, you cannot connect, as the SSH client throws up a warning saying the cached key does not match. You can then go into the known_hosts file and simply remove the cached key, and it will then connect.
This is what I am asking: what is the equivalent way to do this on Unity and UCM? Their cached keys no longer match the SFTP server and therefore they cannot connect (SSH won't let them).
I have no idea how to explain this better so hopefully this helps clear it up.
I see, but UCM lacks a known_hosts file?
I have no idea. I am asking what the Cisco Unity and UCM equivalent is, and how to do the equivalent action (edit and remove) on them.
Do you have smartnet?
If I did I'd not be asking here, I'd be on the phone with a Cisco engineer. SmartNET on these two is way out of our budget (they quoted us $8k per year).
-
I don't know if this will be of much help, but here is an article that details how to get true "root" access to CUCM. Under the hood it's basically a RHEL/CentOS install.
http://www.uccollaborationgeek.com/root-access-cucm/
Skimming the article, it is a bit involved, but maybe it will lead you to the access you need to fix the SSH issue? shrugs
If I had to guess, I bet the same process will work for Unity as well.