Cisco CallManager DRF backups (SFTP) fail after upgrade OpenSSH 9.8.3.0, legacy ciphers

[scubajasona]

Backups of Cisco CallManager using SFTP to OpenSSH 9.8.3.0 are failing. Previous version that worked was OpenSSH 8.1.p1 Other apps works fine (Filezilla etc) with 9.8.3.0

I opened a support case with Cisco and got this back;
Since our last update, we’ve confirmed that the DRS client in 14.0(1)SU3 only advertises these algorithms today:

• Ciphers
– aes256-ctr, aes256-cbc, aes128-ctr, aes128-cbc
• MACs
– hmac-sha2-256, hmac-sha2-512, hmac-sha1
• KEX
– ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521
– diffie-hellman-group14-sha256, diffie-hellman-group16-sha512

At this time there is no published firmware maintenance or feature release date for additional SSH algorithms in CUCM 14.x or 15.x.
In the interim you can continue to support DRS operations by configuring your OpenSSH server to explicitly enable the CUCM-supported algorithms

So I edited my sshd.config and added the below two lines, however now the OpenSSH service will not start, Event ID 7031 The OpenSSH SSH Server service terminated unexpectedly

Ciphers and keying

#RekeyLimit default none
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,Diffie-hellman-group16-sha512
Ciphers aes256-ctr,aes256-cbc,aes128-ctr,aes128-cbc,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com

PS C:\program files\openssh> ./sshd.exe -v
unknown option -- v
OpenSSH_for_Windows_9.8p2 Win32-OpenSSH-GitHub, LibreSSL 4.0.0
PS C:\program files\openssh> Get-ComputerInfo
WindowsBuildLabEx : 20348.1.amd64fre.fe_release.210507-1500
WindowsCurrentVersion : 6.3
WindowsEditionId : ServerStandard
WindowsInstallationType : Server
WindowsProductName : Windows Server 2022 Standard

What am I doing wrong that ssh won't start after I edited sshd_config ?

[tgauth]

To debug sshd, pass in -d instead of -v up to debug level 3 with -ddd

I would also suggest validating the sshd_config changes since it was just modified, using sshd -T

[scubajasona]

PS C:\program files\openssh> ./sshd.exe -ddd
debug2: load_server_config: filename PROGRAMDATA\ssh/sshd_config
debug2: load_server_config: done config len = 2452
debug2: parse_server_config_depth: config PROGRAMDATA\ssh/sshd_config len 2452
debug3: PROGRAMDATA\ssh/sshd_config:20 setting KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,Diffie-hellman-group16-sha512
Unsupported KEX algorithm "Diffie-hellman-group16-sha512"
PROGRAMDATA\ssh/sshd_config line 20: Bad SSH2 KexAlgorithms 'ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,Diffie-hellman-group16-sha512'.
PS C:\program files\openssh> ./sshd.exe -T
Unsupported KEX algorithm "Diffie-hellman-group16-sha512"
PROGRAMDATA\ssh/sshd_config line 20: Bad SSH2 KexAlgorithms 'ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,Diffie-hellman-group16-sha512'.
PS C:\program files\openssh>

[scubajasona]

I removed the Unsupported and now starting!!! Much thanks. Here is what I added;

Ciphers and keying

#RekeyLimit default none
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
Ciphers aes256-ctr,aes256-cbc,aes128-ctr,aes128-cbc,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com