dahuafschmied
Service Provider
Posts: 9
Liked: 4 times
Joined: Dec 22, 2013 6:04 am
Full Name: Markus Flattinger
Contact:

Linux Debian 8 - SSH Connection

Post by dahuafschmied » 3 people like this post

good morning,

for all of you using debian 8 who want to use SSH. (Case #00899407)
veeam is not supporting new/actual ciphers so you have to change the default settings of ssh server.

add this at the end of /etc/ssh/sshd_config and restart ssh service:

Code:

Ciphers 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,arcfour128,arcfour256,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
Vitaliy S.
VP, Product Management
Posts: 27343
Liked: 2785 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: Linux Debian 8 - SSH Connection

Post by Vitaliy S. »

Thanks for sharing this with the community! Much appreciated.
dahuafschmied

Re: Linux Debian 8 - SSH Connection

Post by dahuafschmied » 1 person likes this post

now with update 3 you can delete the Ciphers line. it's fixed.
but the Key Exchange is still stuck in the 90s. ;-)
edv@rubner.com
Influencer
Posts: 17
Liked: 5 times
Joined: Jun 26, 2015 1:35 pm
Full Name: Rubner EDV
Contact:

Re: Linux Debian 8 - SSH Connection

Post by edv@rubner.com »

Hi,

Thanks dahuafschmied.

That's right. After installing Update 3, only the following entry must be created:
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

After that restart SSH-service.

When will this be fixed? After each update of Linux, the entry must be re-created!

Thanks
Michael
dahuafschmied

Re: Linux Debian 8 - SSH Connection

Post by dahuafschmied »

From the V9 whats new:
Linux
• SSH client update. Added support for modern key exchange (KEX) protocols and ciphers into the SSH client. Legacy SSH client has been left for compatibility with storage devices based on older Linux versions, and jobs will automatically failover to a legacy client failing to connect when using a modern protocol and/or cipher
just tested it on a fresh debian v8:

Code:

<18> Warning  Failed to create SSH connection to host: 'xxxx', port: 22, user: 'root', elevation to root: 'no', autoSudo: no, auth type: 'PublicKey', IPs: [x.x.x.x].. Server does not support diffie-hellman-group1-sha1 for keyexchange
<18> Warning  Failed to create Granados SSH connection, switch to Renci SSH. Server does not support diffie-hellman-group1-sha1 for keyexchange
<18> Info     Creating Renci SSH connection (unknown protocol)
:evil: :?:
dahuafschmied

Re: Linux Debian 8 - SSH Connection

Post by dahuafschmied »

after adding the KexAlgorithms in ssh config it works again. but with Granados SSH.

it seems the Renci SSH has a problem reading the key file stored in veeam config.
perhaps this helps:
http://www.jokecamp.com/blog/connecting ... g-ssh-net/


forgot a line in log file: :-)

Code:

<18> Warning  Failed to create SSH connection to host: 'xxxx', port: 22, user: 'root', elevation to root: 'no', autoSudo: no, auth type: 'PublicKey', IPs: [x.x.x.x].. Server does not support diffie-hellman-group1-sha1 for keyexchange
<18> Warning  Failed to create Granados SSH connection, switch to Renci SSH. Server does not support diffie-hellman-group1-sha1 for keyexchange
<18> Info     Creating Renci SSH connection (unknown protocol)
<18> Error    Invalid private key file.   bei Veeam.Backup.SSH.RenciLib.CSshRenciConnectionImpl..ctor(CSshConnectionSpec connSpec)
lp@albersdruck.de
Enthusiast
Posts: 82
Liked: 33 times
Joined: Mar 25, 2013 7:37 pm
Full Name: Lars Pisanec
Contact:

Re: Linux Debian 8 - SSH Connection

Post by lp@albersdruck.de »

Concerning this:

Shouldn't the error message be more fitting than "Invalid private key file." if something goes wrong with authenticating/logging in?
If the ssh-server can produce a good error message (Apr 20 12:43:33 sshd[4929]: fatal: Unable to negotiate a key exchange method [preauth]), why can't Veeam?

Kind regards,
Lars
jgard
Novice
Posts: 3
Liked: 1 time
Joined: May 24, 2016 7:21 pm
Contact:

[MERGED]: Adding Ubuntu Server 16.04LTS as Repo

Post by jgard »

Although my current workaround was to downgrade back to 14.04LTS, I eventually would like to upgrade to Ubuntu 16.04LTS.

The issue I am facing is adding the latest ubuntu server as a repo. I keep getting an error message stating "An establish connection was aborted by the server" when trying to add it within the veeam console. I've checked several settings and permissions, but have not been able to resolve this. I was originally running 14.04LTS and never had issues. It wasn't until I upgraded to the latest. I am able to establish an SSH connection via putty. I've tried opening up several ports to just verify, but have not had any luck.
Case#: 01802705

Any recommendations?

PTide
Product Manager
Posts: 6550
Liked: 765 times
Joined: May 19, 2015 1:46 pm
Contact:

Re: Linux Debian 8 - SSH Connection

Post by PTide » 1 person likes this post

Hi,

That's a known issue and is planned to be fixed in Update 2. You might want to replace Renci.SshNet.dll which is located at Program Files/Veeam/Backup and Replication/Backup folder with a newer one manually. Just copy your old library file somewhere, replace it with a new one and restart Veeam service. Looking forward to hearing from you how it works.

Thanks
jgard

Re: Linux Debian 8 - SSH Connection

Post by jgard »

Where would I get a new "Renci.SshNet.dll"? Will it automatically recreate it when I remove it from the directory?
dellock6
VeeaMVP
Posts: 6163
Liked: 1971 times
Joined: Jul 26, 2009 3:39 pm
Full Name: Luca Dell'Oca
Location: Varese, Italy
Contact:

Re: Linux Debian 8 - SSH Connection

Post by dellock6 »

The link that Pavel posted before is to the new dll, let me copy it here again:
https://sshnet.codeplex.com/downloads/get/944155
Luca Dell'Oca
Principal EMEA Cloud Architect @ Veeam Software

@dellock6
https://www.virtualtothecore.com/
vExpert 2011 -> 2022
Veeam VMCE #1
jgard

Re: Linux Debian 8 - SSH Connection

Post by jgard » 1 person likes this post

Whoops. I missed the first link.

It's working!! Thank you guys. This has been driving me crazy.
captainflannel
Enthusiast
Posts: 31
Liked: 5 times
Joined: Feb 27, 2012 8:53 pm
Contact:

Re: Linux Debian 8 - SSH Connection

Post by captainflannel »

Anyone have a chance to see if v9 update2 resolves the need to make the changes for MACs and Ciphers in SSHD_CONFIG ?
veremin
Product Manager
Posts: 20360
Liked: 2287 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: Linux Debian 8 - SSH Connection

Post by veremin »

The issue is fixed in 9.5. For now, please stick to the hot fix mentioned by Pavel. Thanks.
nlaurino
Influencer
Posts: 15
Liked: 1 time
Joined: Jun 28, 2013 2:46 pm
Full Name: Nick Laurino
Contact:

Re: Linux Debian 8 - SSH Connection

Post by nlaurino »

The issue is still present in VEEAM Backup and Replication 9.5 w/SP2. We have two new Debian 8 machines that are showing this error when trying to configure the backups:

Warning Failed to create Granados SSH connection, switch to Renci SSH. Server does not support diffie-hellman-group1-sha1 for keyexchange

If there is a fix, I would like to know about it. These servers will be running our main ERP system for our company, and I need to get a backup schedule in place ASAP.

Thanks for any help.
Nick Laurino
PTide

Re: Linux Debian 8 - SSH Connection

Post by PTide »

Hi,

Please contact our support team on that matter and post your case ID.

Thank you
Gostev
Chief Product Officer
Posts: 31748
Liked: 7251 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Linux Debian 8 - SSH Connection

Post by Gostev »

nlaurino wrote:The issue is still present in VEEAM Backup and Replication 9.5 w/SP2 We have two new Debian 8 machines that are showing this error when trying to configure the backups:
Warning Failed to create Granados SSH connection, switch to Renci SSH. Server does not support diffie-hellman-group1-sha1 for keyexchange
This is a different issue then, as we do support this cipher in 9.5U2. Indeed, just as the error says, the legacy Granados SSH client still does not support diffie-hellman-group1-sha1 - which is why we automatically failover to using Renci SSH client that does support one (Granados SSH client was left in the product as the first option for compatibility with really old Linux systems). So, whatever issue you're experiencing is not the same that started the thread (lack of support for modern ciphers).
PTide

Re: Linux Debian 8 - SSH Connection

Post by PTide » 1 person likes this post

nlaurino,

I've managed to test ssh connection with Debian 8 and VBR U2 and it works without any issues - adding linux host into console works, backup jobs work, guest processing works. It seems that there might be some misconfiguration on the ssh server side (Debian), because the error message clearly states that it's the server that does not support diffie-hellman-group1-sha1. Have you tried to add these lines into the /etc/ssh/sshd_config file:

Code:

KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
Ciphers 3des-cbc,blowfish-cbc,aes128-cbc,aes128-ctr,aes256-ctr
regen the keys:

Code:

ssh-keygen -A
and restart sshd?

Also, what is the version of your ssh server?

Thanks
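
Added example, not part of the thread and not Veeam's code: the workaround lines posted above re-enable algorithms that OpenSSH had dropped from its defaults, so this Python check reads an sshd_config the way sshd does (the first value for a keyword wins, so a line appended at the end is ignored if an earlier one exists) and lists the legacy entries in effect, to be removed once the backup client no longer needs them. The weak-algorithm table, the function names and the sample fragment are assumptions of this example.

```python
import re

# This example's own classification (an assumption); adjust to local policy.
WEAK_KEX = {
    "diffie-hellman-group1-sha1": "1024-bit group, SHA-1",
    "diffie-hellman-group14-sha1": "SHA-1",
    "diffie-hellman-group-exchange-sha1": "SHA-1",
}
WEAK_CIPHERS = [
    (re.compile(r"^arcfour"), "RC4"),
    (re.compile(r"^(3des|blowfish|cast128)-cbc$"), "64-bit block cipher"),
    (re.compile(r"-cbc(@|$)"), "CBC mode"),
]

def effective_lists(config_text):
    """Return {'ciphers': [...], 'kexalgorithms': [...]} as sshd reads them."""
    found = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":  # global options end at the first Match block
            break
        if key in ("ciphers", "kexalgorithms") and len(parts) == 2:
            # sshd keeps the first value it sees; a later duplicate is ignored
            found.setdefault(key, [a for a in parts[1].strip().split(",") if a])
    return found

def audit(config_text):
    """Return (keyword, algorithm, reason) for every legacy entry in effect."""
    lists, findings = effective_lists(config_text), []
    for alg in lists.get("kexalgorithms", []):
        if alg in WEAK_KEX:
            findings.append(("KexAlgorithms", alg, WEAK_KEX[alg]))
    for alg in lists.get("ciphers", []):
        reason = next((r for p, r in WEAK_CIPHERS if p.search(alg)), None)
        if reason:
            findings.append(("Ciphers", alg, reason))
    return findings

# Constructed fragment: the two workaround lines from the last post above.
SAMPLE = """Port 22
KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
Ciphers 3des-cbc,blowfish-cbc,aes128-cbc,aes128-ctr,aes256-ctr
"""

if __name__ == "__main__":
    for keyword, alg, reason in audit(SAMPLE):
        print(f"{keyword}: {alg} ({reason})")
```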