Linux Debian 8 - SSH Connection

[dahuafschmied]

good moring,

for all of you using debian 8 who want to use SSH. (Case #00899407)
veeam is not supporting new/actual ciphers so you have to change the default settings of ssh server.

add at this at the end of /etc/ssh/sshd_config and restart ssh service:

Code: Select all

Ciphers 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,arcfour128,arcfour256,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

[Vitaliy S.]

Thanks for sharing this with the community! Much appreciated.

[dahuafschmied]

now with update 3 you can delete the Chipers line. its fixed.
but the Key Exchange is still stuck in the 90s.

[edv@rubner.com]

Hi,

Thanks dahuafschmied.

That's right. After installing Update 3, only the following entry must be created:
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

After that restart SSH-service.

When is fixed there? After each update of Linux, the entry must be re-create!

Thanks
Michael

[dahuafschmied]

From the V9 whats new:

Linux
• SSH client update. Added support for modern key exchange (KEX) protocols and ciphers into the SSH client. Legacy SSH client has been left for compatibility with storage devices based on older Linux versions, and jobs will automatically failover to a legacy client failing to connect when using a modern protocol and/or cipher

just tested it on a fresh debian v8:

Code: Select all

<18> Warning  Failed to create SSH connection to host: 'xxxx', port: 22, user: 'root', elevation to root: 'no', autoSudo: no, auth type: 'PublicKey', IPs: [x.x.x.x].. Server does not support diffie-hellman-group1-sha1 for keyexchange
<18> Warning  Failed to create Granados SSH connection, switch to Renci SSH. Server does not support diffie-hellman-group1-sha1 for keyexchange
<18> Info     Creating Renci SSH connection (unknown protocol)

[dahuafschmied]

after adding the KexAlgorithms in ssh config it works again. but with Granados SSH.

it seems the Renci SSH has a problem reading the key file stored in veeam config.
perhaps this helps:
http://www.jokecamp.com/blog/connecting ... g-ssh-net/


forgot a line in log file:

Code: Select all

<18> Warning  Failed to create SSH connection to host: 'xxxx', port: 22, user: 'root', elevation to root: 'no', autoSudo: no, auth type: 'PublicKey', IPs: [x.x.x.x].. Server does not support diffie-hellman-group1-sha1 for keyexchange
<18> Warning  Failed to create Granados SSH connection, switch to Renci SSH. Server does not support diffie-hellman-group1-sha1 for keyexchange
<18> Info     Creating Renci SSH connection (unknown protocol)
<18> Error    Invalid private key file.   bei Veeam.Backup.SSH.RenciLib.CSshRenciConnectionImpl..ctor(CSshConnectionSpec connSpec)

[lp@albersdruck.de]

Concerning this:

Should'nt the error message be more fitting than "Invalid private key file." if something goes wrong with authenticating/loggin in?
If the ssh-server can produce a good error message (Apr 20 12:43:33 sshd[4929]: fatal: Unable to negotiate a key exchange method [preauth])
, why can't Veeam?

Kind regards,
Lars

[jgard]

Although my current workaround was to downgrade back to 14.04LTS. I eventually would like to upgrade to Ubuntu 16.04LTS.

The issue I am facing is adding the latest ubuntu server as a repo. I keep getting an error message stating "An establish connection was aborted by the server" when trying to add it within the veeam console. I've checked several settings and permissions, but have not been able to resolve this. I was originally running 14.04LTS and never had issues. It wasn't until I upgrade to the latest. I am able to establish an SSH connection via putty. I've tried opening up several ports to just verify, but have not had any luck.
Case#: 01802705

Any recommendations?

[PTide]

Hi,

That's a known issue and is planned to be fixed in Update 2. You might want to replace Renci.SshNet.dll which is located at Program Files/Veeam/Backup and Replication/Backup folder with a newer one manually. Just copy your old library file somewhere, replace it with a new one and restart Veeam service. looking forward to hear from you how it works.

Thanks

[jgard]

Where would I get a new "Renci.SshNet.dll"? Will it automatically recreate it when I remove it from the directory?

[dellock6]

The link that Pavel posted before is to the new dll, let me copy it here again:
https://sshnet.codeplex.com/downloads/get/944155

[jgard]

Whoops. I missed the first link.

It's working!! Thank you guys. This has been driving me crazy.

[captainflannel]

Anyone have a chance to see if v9 update2 resolves the need to make the changes for MACs and Ciphers in SSHD_CONFIG ?

[veremin]

The issue is fixed in 9.5. For now, please stick to the hot fix mentioned by Pavel. Thanks.

[nlaurino]

The issue is still present in VEEAM Backup and Replication 9.5 w/SP2 We have two new Debian 8 machines that are showing this error when trying to configure the backups:

Warning Failed to create Granados SSH connection, switch to Renci SSH. Server does not support diffie-hellman-group1-sha1 for keyexchange

If there is a fix, I would like to know about it. These servers will be running our main ERP system for our company, and I need to get a backup schedule in place ASAP.

Thanks for any help.

[PTide]

Hi,

Please contact our support team on that matter and post your case ID.

Thank you

[Gostev]

The issue is still present in VEEAM Backup and Replication 9.5 w/SP2 We have two new Debian 8 machines that are showing this error when trying to configure the backups:
Warning Failed to create Granados SSH connection, switch to Renci SSH. Server does not support diffie-hellman-group1-sha1 for keyexchange

This is a different issue then, as we do support this cipher in 9.5U2. Indeed, just as the error says, the legacy Granados SSH client still does not support diffie-hellman-group1-sha1 - which is why we automatically failover to using Renci SSH client that does support one (Granados SSH client was left in the product as the first option for compatibility with really old Linux systems). So, whatever issue you're experiencing is not the same that started the thread (lack of support for modern ciphers).

[PTide]

nlaurino,

I've managed to test ssh connection with Debian 8 and VBR U2 and it works without any issues - adding linux host into console works, backup jobs work, guest processing works. It seems that there might be some misconfiguration on the ssh server side (Debian), because the error message clearly states that it's the server does not support diffie-hellman-group1-sha1. Have you tried to add these lines into the /etc/ssh/sshd_config file:

Code: Select all

KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
Ciphers 3des-cbc,blowfish-cbc,aes128-cbc,aes128-ctr,aes256-ctr

regen the keys:

Code: Select all

ssh-keygen -A

and restart sshd?

Also, what is the version of your ssh server?

Thanks