SSH communication
After upgrading the Biamp audio processor system, I was unable to establish SSH communication with the nx3200-c controller. I used PuTTY to test the SSH connection of the Biamp and found it to be normal. I have upgraded the controller to the latest version: master 1.8.183; Device 1.1.50. The controller will prompt:
Line 170 2024-05-14 (11:10:42):: CIpSocketManager:: acceptedSocketConnection (ssh) - failed to handshake;
Line 177 2024-05-14 (11:12:06):/usr/sbin/rsyslogd integrity validated Hashes match: 35aff7109e5ce35b3b03702cdf5eeefb7e260a6c890ad76d1f2fb14b1c88216
I have tried to set the user password for the Biamp audio processor to log in, but still receive an error message. Is this issue due to the higher level of SSH encryption in the upgraded version of Biamp and the lower level of SSH encryption in the AMX controller, resulting in handshake issues? Is there any solution to this problem? Can using DUET solve the problem?
Comments
I saw something similar with the new SVSI N2600 series when secure control is activated. The N2600 manual states that SSH is required, but I didn't get connected and got a similar message.
Later it was found that the manual is confusing: as with the other SVSI units, secure control is still done by TLS.
With the N2600, the connection is TLS_CLIENT_OPEN() with the last parameter set to "1", to ignore certificate errors (here in that case, because the certificates are self-signed).
I understand what you mean. If there is a handshake error prompt, I should use the tls open API interface. Is it possible? If I continue to use the ssh open API and use a key to connect, have you tested this method?
I could not get SSH key exchange to work with Tesira so had to give up and fall back to Telnet. I also tested with a Linux server so I could verify the key exchange works with PuTTY but fails from the NX-2200. On the server end it says "Unable to negotiate...no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]" when the NX-2200 tries to connect. The only key I have listed in authorized_keys on the server is an ssh-rsa key.
I don't know if PuTTYgen is exporting the key into a format the NX-2200 can use, but I'm trying the "Export OpenSSH key" option from the Conversions menu. NetLinx Studio says it loads fine to the NX-2200 in Certificate Manager. We moved the Tesira off the customer network and onto the ICS LAN network so having Telnet open isn't so much of an issue anymore.
I haven't touched any Muse controllers yet, but I imagine modern SSH works fine on those. But then I wouldn't be writing NetLinx code anyway...
Later on, I also used Telnet to control the Biamp. I used Java to test SSH connections and it was normal. If I used Duet to build JAR packages, it should be feasible because official modules use this method!
In Biamp Tesira 4.7.2 firmware, the SSH library has been updated to a newer version.
As per release notes: "Updated SSH and HTTPS security to remove deprecated ciphers. Ensure a connected device is running a compatible SSH implementation before proceeding with the update. The up to date SSH version can be obtained via Device Information, License Information in Tesira Device Maintenance."
Newer encryption methods are not supported by the NetLinx SSH client, while the ones supported by NetLinx are now deprecated on the Tesira side.
Good catch, tombadger! I'm pretty sure I wrote my module when the TesiraFORTE X was released, so that was probably before they removed the older ciphers. No serial port on the FORTE X unfortunately.
Telnet works fine as long as I keep the equipment off the customer network.
From the current NX master firmware v1.8.183:
v1.8.161 - Upgraded openssh to version OpenSSH_9.3p2
There is also a new version in progress that supports TLSv1.3.
And just to note: the v1.6 branch will no longer be developed.
Start by investigating the SSH cipher precision bearings compatibility between the Biamp processor and the nx3200-c controller.
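
The algorithm mismatch discussed in this thread, as an added example that is not part of any post and is not AMX or Biamp code: a parser for the SSH_MSG_KEXINIT payload (RFC 4253, section 7.1) that compares two peers' offers and reports which field has no common algorithm. Only the client host-key list (ssh-rsa, ssh-dss) comes from the server log quoted above; every other algorithm name and all function names are assumptions made for illustration.

```python
import os

# Name-list fields of SSH_MSG_KEXINIT in wire order (RFC 4253, section 7.1).
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def build_kexinit(offer):
    """Encode a KEXINIT payload from a dict of field -> list of algorithm names."""
    out = bytes([20]) + os.urandom(16)            # message type 20, 16-byte cookie
    for field in FIELDS:
        names = ",".join(offer.get(field, [])).encode("ascii")
        out += len(names).to_bytes(4, "big") + names
    return out + bytes(5)                         # first_kex_packet_follows + reserved

def parse_kexinit(payload):
    """Decode a KEXINIT payload into a dict of field -> list of algorithm names."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, offer = 17, {}
    for field in FIELDS:
        n = int.from_bytes(payload[pos:pos + 4], "big")
        raw = payload[pos + 4:pos + 4 + n]
        if pos + 4 > len(payload) or len(raw) != n:
            raise ValueError("truncated name-list in KEXINIT")
        offer[field] = raw.decode("ascii").split(",") if raw else []
        pos += 4 + n
    return offer

def negotiate(client, server):
    """Simplified selection: first client-listed name the server also lists.
    None marks a field with no overlap, which is where the handshake fails."""
    return {f: next((a for a in client[f] if a in server[f]), None)
            for f in FIELDS if not f.startswith("lang")}

def failures(client, server):
    return [f for f, alg in negotiate(client, server).items() if alg is None]

# Constructed sample offers. Only the client host-key list comes from the server
# log quoted in the thread; every other algorithm name is an assumption.
_SHARED = {"enc_c2s": ["aes128-ctr"], "enc_s2c": ["aes128-ctr"], "comp_c2s": ["none"],
           "mac_c2s": ["hmac-sha2-256"], "mac_s2c": ["hmac-sha2-256"], "comp_s2c": ["none"]}
CLIENT = parse_kexinit(build_kexinit({**_SHARED, "host_key": ["ssh-rsa", "ssh-dss"],
                                      "kex": ["diffie-hellman-group14-sha256"]}))
SERVER = parse_kexinit(build_kexinit({**_SHARED, "host_key": ["rsa-sha2-512", "ssh-ed25519"],
                                      "kex": ["curve25519-sha256", "diffie-hellman-group14-sha256"]}))

if __name__ == "__main__":
    for field, alg in negotiate(CLIENT, SERVER).items():
        print(f"{field:9} {alg or 'NO COMMON ALGORITHM'}")
```

To use it on real traffic, feed `parse_kexinit` the KEXINIT payloads taken from a packet capture of the failing connection; the message is sent before encryption starts, so both peers' lists are readable.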