adlerweb
Full Name: Florian Knodt

Info: Veeam can not connect to OpenSSH >=8.8

Post by adlerweb »

Hi,

heads up for those living on bleeding edge systems: OpenSSH 8.8, released 2021-09-26, disables RSA signatures using the SHA-1 hash algorithm by default. This change has been made as the SHA-1 hash algorithm is cryptographically broken, and it is possible to create chosen-prefix hash collisions for <USD$50K.

Veeam B&R (<=11.0.0.837) still uses SHA-1 in some connections; these will lose connectivity if you update the remote system. In my case I could no longer use a NAS as backup target/source, while tests worked fine.

Veeam:

Error: An established connection was aborted by the server.  
(more at end of post)

Remote:

sshd: Unable to negotiate with **IP** port **PORT**: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]

To re-enable these broken algorithms at your own risk, edit your sshd configuration (usually /etc/ssh/sshd_config) and add the following lines:

HostkeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa

(Note: You should also be able to limit these ciphers to specific source IPs or users. I haven't tested this, but keep in mind to add all involved systems, including backup proxies. Don't forget to restart sshd after editing the configuration.)

Full Log to please people using forum search:

Error        An established connection was aborted by the server. (Veeam.Backup.Common.SSHNegotiationException)
Error           bei Veeam.Backup.SSH.RenciLib.CSshRenciConnectionImpl.Connect()
Error           bei Veeam.Backup.SSH.CSshConnection.CreateConnectionImpl(CSshConnectionSpec connSpec)
Error           bei Veeam.Backup.SSH.CSshConnection.CreateConnection(CSshConnectionSpec connSpec)
Error           bei Veeam.Backup.SSH.CSshConnection.InternalCreateCachedConnection(CSshConnectionSpec connSpec)
Error           bei Veeam.Backup.SSH.CSshConnection..ctor(CSshConnectionSpec spec, ISshConfig sshCore, Boolean useCache, LogLevels logLevel)
Error           bei Veeam.Backup.Core.SSshConnection.Create(String srvName, IPAddress[] serverIPs, CDBSshCreds sshCreds, CCredentials creds, ISSHFingerprintChecker fingerprintChecker, Boolean useCache, Boolean checkSshCredentials, Guid jobSessionId, ISshConfig sshConfig)
Error           bei Veeam.Backup.Core.SSshConnection.Create(String srvName, CDBSshCreds sshCreds, IPAddress[] serverIPs, Boolean useCache, Guid jobSessionId)
Error           bei Veeam.Backup.Core.SSshConnection.Create(CDBHost host, Boolean useCache, Guid jobSessionId)
Error           bei Veeam.Backup.Core.SSshConnectionFactory.GetConnection(CDBHost host, Guid jobSessionId)
Error           bei Veeam.Backup.Core.CSshFileCommander..ctor(CDBHost host, Guid jobSessionId)
Error           bei Veeam.Backup.Core.CLinuxFileCommander.Create(CDBHost host, Guid sessionId)
Error           bei Veeam.Backup.Core.CLocalFileCommanderInstanceCreator.GetLinuxFileCommander(CDBHost host, Guid sessionId)
Error           bei Veeam.Backup.Core.CInitializableFileCommanderFactory.GetCommander(CHost host, EProtocol protocol, Guid jobSessionId)
Error           bei Veeam.Backup.Core.CInitializableFileCommanderFactory.GetFileCommanderWithoutCreds(IBackupRepository repository, Boolean bDistributed, Guid jobSessionId)
Error           bei Veeam.Backup.Core.CInitializableFileCommanderFactory.GetCommanderInternal(IBackupRepository repository, Boolean bDistributed, Boolean setCreds, Guid jobSessionId)
Error           bei Veeam.Backup.Core.CInitializableFileCommanderFactory.GetDistributedCommander(IBackupRepository repository, Boolean setCreds, Guid jobSessionId)
Error           bei Veeam.Backup.Core.CBackupRepositoryAccessorImpl.InitFileCommander()
Error           bei System.Lazy`1.CreateValue()
Error           bei System.Lazy`1.LazyInitValue()
Error           bei Veeam.Backup.Core.CBackupRepositoryEx.GetSrcBackupPath(String[] srcBackupPathParts)
Error           bei Veeam.Backup.Core.CBackupRepositoryEx.PrepareBackup(CBackupJob job, Boolean createFolders, Boolean isEncryptionEnabled, DateTime creationTime, CBackup parentBackup, Boolean useHardSymbolFiltrationForMeta)
Error           bei Veeam.Backup.Core.CBackupJobTarget..ctor(CBackupJob backupJob, Mode mode, CBackupSession jobSession, IXmlLogger xmlLogger, CRepositoryAccessor repositoryAccessor, IStopSessionSync sessionControl, ETargetAgentSharingMode agentSharingMode, IBackupMetaUpdater metaUpdater, IBackupTargetBehavior behavior, CBackup parentBackup, CBackupJob parentJob, String childJobObjectName, CBackup existedBackup)
Error           bei Veeam.Backup.Core.CViBackupJobPerformer.CreateJobTarget(CRepositoryAccessor repositoryAccessor)
Error           bei Veeam.Backup.Core.CViBackupJobPerformer.Perform()
Error        --- Ende der Stapelüberwachung vom vorhergehenden Ort, an dem die Ausnahme ausgelöst wurde ---
Error           bei System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
Error           bei Veeam.Backup.Common.SExceptionExtensions.Rethrow(Exception exception)
Error           bei Veeam.Backup.Core.CViBackupJobPerformer.Perform()
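
Added example, not part of the original post and not Veeam or OpenSSH code: a Python triage script that reads sshd log lines of the kind quoted above and lists the peers whose host key offer consists only of ssh-rsa/ssh-dss, that is, the backup servers and proxies still affected. The sample log lines and addresses are constructed and the function names are hypothetical.

```python
import re

# Host key algorithms named in the post's log line: ssh-rsa signs with SHA-1,
# ssh-dss is DSA. OpenSSH 8.8 no longer accepts ssh-rsa by default.
LEGACY_ALGOS = {"ssh-rsa", "ssh-dss"}

NEGOTIATION_RE = re.compile(
    r"Unable to negotiate with (?P<peer>\S+) port \d+: "
    r"no matching host key type found\. Their offer: (?P<offer>[^\s\[]+)"
)

# Constructed sample lines (documentation addresses, not real hosts).
SAMPLE_LOG = """\
Oct  1 02:00:01 nas sshd[811]: Unable to negotiate with 192.0.2.10 port 50122: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
Oct  1 02:00:07 nas sshd[815]: Unable to negotiate with 192.0.2.10 port 50140: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
Oct  1 02:03:19 nas sshd[822]: Unable to negotiate with 192.0.2.11 port 41877: no matching host key type found. Their offer: ssh-rsa [preauth]
Oct  1 02:05:44 nas sshd[830]: Unable to negotiate with 198.51.100.7 port 60001: no matching host key type found. Their offer: ecdsa-sha2-nistp256 [preauth]
Oct  1 02:06:02 nas sshd[834]: Unable to negotiate with 198.51.100.9 port 60412: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Oct  1 02:07:30 nas sshd[840]: Accepted publickey for backup from 192.0.2.20 port 50300 ssh2: ED25519 SHA256:CONSTRUCTED
"""

def summarize_hostkey_failures(lines):
    """Return {peer: {"failures": n, "offer": [...], "legacy_only": bool}}."""
    peers = {}
    for line in lines:
        m = NEGOTIATION_RE.search(line)
        if not m:
            continue  # other sshd messages, including KEX failures, are skipped
        entry = peers.setdefault(m.group("peer"), {"failures": 0, "offer": set()})
        entry["failures"] += 1
        entry["offer"] |= set(m.group("offer").split(","))
    for entry in peers.values():
        # True when every algorithm the peer offered is ssh-rsa or ssh-dss.
        entry["legacy_only"] = entry["offer"] <= LEGACY_ALGOS
        entry["offer"] = sorted(entry["offer"])
    return peers

def peers_needing_upgrade(lines):
    """Peers whose every offered host key algorithm is ssh-rsa or ssh-dss."""
    summary = summarize_hostkey_failures(lines)
    return sorted(p for p, e in summary.items() if e["legacy_only"])

if __name__ == "__main__":
    for peer, info in summarize_hostkey_failures(SAMPLE_LOG.splitlines()).items():
        print(peer, info)
```

The peers returned are the systems a source-scoped exception would have to cover. Note that sshd_config accepts PubkeyAcceptedAlgorithms inside a Match block but not HostKeyAlgorithms, so the host key setting can only be changed server-wide.
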
HannesK
Product Manager
Full Name: Hannes Kasparick

Re: Info: Veeam can not connect to OpenSSH >=8.8

Post by HannesK »

Hello,
Did you try 11a already? That should solve that.
Elliptic curve cryptography: in addition to data encryption, elliptic curve based keys are now supported for registering Linux servers with Veeam Backup & Replication using the SSH public key authentication method.
Best regards,
Hannes