Avamar: Data Domain Integration: SSH Cipher Suite compatibility

Summary: Avamar and Data Domain Integration: SSH Cipher Suite compatibility issues may arise from changing the SSH server cipher suites that Data Domain supports.


Symptoms

Cipher suites are changed or upgraded on Data Domain (DD or DDR). Avamar is no longer able to log in to the Data Domain using password-less authentication.

Avamar logs in to the Data Domain using Data Domain's public key in order to exchange certificates when session security features are enabled.

The DDR key is also used to update Data Domain in the Avamar Web User Interface (AUI) and Java UI.

There is an article that explains how to change the Data Domain SSH cipher suites and hmacs: How to tune supported ciphers and hashing algorithms for the SSH server in DDOS

This may result in the following error in the Avamar UI:

Failed to import host or ca automatically

This prevents the exchange of certificates between Avamar and Data Domain over SSH connections.

Cause

From the contents of the following article How to tune supported ciphers and hashing algorithms for the SSH server in DDOS (symptoms section):

Cipher suites are changed on the DD SSH Server:

ddboost@datadomain# adminaccess ssh option show 
Option            Value
---------------   ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
session-timeout   default (infinite)
server-port       default (22)
ciphers           aes128-cbc,chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
macs              hmac-sha1,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com 
 
ddboost@datadomain# adminaccess ssh option set ciphers "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com"
Adminaccess ssh option "ciphers" set to "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com".
 
ddboost@datadomain# adminaccess ssh option set macs "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256" 
Adminaccess ssh option "macs" set to "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256".
 
ddboost@datadomain# adminaccess ssh option show 
Option            Value
---------------   ---------------------------------------------------------------------------------------
session-timeout   default (infinite)
server-port       default (22)
ciphers           chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
macs              hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
 

This change breaks the ability to SSH with the DDR public key from Avamar to Data Domain.

This is because the Avamar SSH Client no longer shares a cipher suite with the Data Domain SSH Server:

root@avamar:/etc/ssh/#: ssh -i ~admin/.ssh/ddr_key ddboost@datadomain.company.com
Unable to negotiate with 10.11.12.13 port 22: no matching cipher found. Their offer: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com

Resolution

Once SSH cipher suites are updated on Data Domain, the cipher suites on the Avamar SSH client side must be updated to match:

1. List the current Avamar SSH Client cipher suites:

root@avamar:/etc/ssh/#: grep Ciphers /etc/ssh/ssh_config | grep -v "#"
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc
 

2. Edit the ssh_config file:

root@avamar:/etc/ssh/#: vi /etc/ssh/ssh_config
 

3. Change the last line of the file, which holds the list of Ciphers, to include the new ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com

4. After editing the last line of the file, it should look like the following:

root@avamar:/etc/ssh/#: grep Ciphers /etc/ssh/ssh_config | grep -v "#"
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc
 

5. Test the SSH cipher suite compatibility using the DDR public key to log in to Data Domain with public key authentication:

root@avamar:/etc/ssh/#: ssh -i ~admin/.ssh/ddr_key ddboost@datadomain.company.com
Data Domain OS
Last login: Tue Sep 13 10:32:07 EDT 2022 from 10.11.12.13 on pts/1
Welcome to Data Domain OS 6.2.0.30-629757
-----------------------------------------
**
** NOTICE: There are 5 outstanding alerts. Run "alerts show current"
**         to display outstanding alert(s).
**
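
The mismatch described in the Cause section can be checked before and after editing ssh_config by intersecting the client and server cipher lists. This is an added example, not part of the original article or Dell tooling; the function names are hypothetical, and it assumes a single global Ciphers line holding a plain comma-separated list.

```shell
#!/bin/sh
# Added example (not Dell tooling); function names are hypothetical.
# Assumes a plain comma-separated Ciphers list with no +/-/^ modifiers.

# Print the first uncommented Ciphers value in an ssh_config-style file
# (OpenSSH uses the first value it obtains for each option).
client_ciphers() {
    awk 'tolower($1) == "ciphers" { print $2; exit }' "$1"
}

# Print ciphers present in both lists, in client preference order.
common_ciphers() {
    client=$1 server=$2 out=
    old_ifs=$IFS; IFS=,
    for c in $client; do
        case ",$server," in
            *",$c,"*) out="${out:+$out,}$c" ;;
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "$out"
}

# Return 0 and name the cipher that would be chosen, or return 1 when the
# lists are disjoint (the "no matching cipher found" case).
check_negotiation() {
    match=$(common_ciphers "$1" "$2")
    if [ -n "$match" ]; then
        echo "OK: would negotiate ${match%%,*}"
    else
        echo "FAIL: no matching cipher found"
        return 1
    fi
}

# Values copied from the sessions in this article.
DD_OFFER="chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com"
AVAMAR_BEFORE="aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc"
AVAMAR_AFTER="$DD_OFFER,$AVAMAR_BEFORE"

check_negotiation "$AVAMAR_BEFORE" "$DD_OFFER" || true   # disjoint lists
check_negotiation "$AVAMAR_AFTER" "$DD_OFFER"            # shared ciphers
```

On a live system the first argument can come from `client_ciphers /etc/ssh/ssh_config`, and the second from the "Their offer:" text in the failed ssh output.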

Affected Products

Avamar
Article Properties
Article Number: 000203343
Article Type: Solution
Last Modified: 20 Oct 2025
Version: 5