How to resolve the "no acceptable macs" SSH key exchange failure in Pivotal Greenplum

Article ID: 295568


Products

VMware Tanzu Greenplum

Issue/Introduction

Symptoms:

When attempting to use the gpssh-exkeys or gpseginstall tools, key exchange fails with the following error and repeatedly requests a password:

Incompatible ssh peer (no acceptable kex algorithm)
Error Message:
[root@master ~]# gpssh-exkeys -f hostfile_exkeys
[STEP 1 of 5] create local ID and authorize on local host
  ... /root/.ssh/id_rsa file exists ... key generation skipped

[STEP 2 of 5] keyscan all hosts and update known_hosts file

[STEP 3 of 5] authorize current user on remote hosts
  ... send to node1
  ***
  *** Enter password for node1:
[ERROR node1] 
Incompatible ssh server (no acceptable macs)
  ***
  *** Enter password for node1:

Environment


Cause

The Greenplum management tool suite uses an older version of the Python Paramiko library, which does not support newer SSH key exchange algorithms. Key exchange mediated by the Greenplum tools fails when the older key exchange algorithms are disabled on a server that is Federal Information Processing Standard (FIPS) compliant.

Resolution

This error is caused by missing MAC entries in the SSH server configuration. Add the following entries to the /etc/ssh/sshd_config file on the remote server to resolve this issue:

  • HMAC-SHA1
  • HMAC-MD5
  • HMAC-SHA1-96
  • HMAC-MD5-96
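
Before editing sshd_config, it helps to see which of the four MACs listed above the server already offers. The following is an added example, not part of the original article or of the Greenplum tools. It assumes the effective configuration was captured on the remote server with `sshd -T`, uses the lowercase spelling OpenSSH gives these MAC names, and runs on a constructed sample.

```python
# OpenSSH spells MAC names in lowercase; these are the four the article lists.
LEGACY_MACS = ["hmac-sha1", "hmac-md5", "hmac-sha1-96", "hmac-md5-96"]

# Constructed sample of `sshd -T` output (effective config), not from a real host.
SAMPLE_SSHD_T = """\
port 22
kexalgorithms ecdh-sha2-nistp256,diffie-hellman-group14-sha1
macs hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-sha1
"""


def effective_macs(sshd_t_output):
    """Return the MAC list from `sshd -T` output, or None if no macs line exists."""
    for line in sshd_t_output.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "macs":
            return [m.strip().lower() for m in parts[1].split(",") if m.strip()]
    return None


def missing_legacy_macs(sshd_t_output):
    """List which of the article's four MACs the server does not offer."""
    macs = effective_macs(sshd_t_output)
    if macs is None:
        raise ValueError("no 'macs' line found; is this `sshd -T` output?")
    return [m for m in LEGACY_MACS if m not in macs]


def proposed_macs_line(sshd_t_output):
    """Build a MACs directive: the current list with the missing entries appended."""
    macs = effective_macs(sshd_t_output)
    missing = missing_legacy_macs(sshd_t_output)
    if not missing:
        return None  # all four are already offered, nothing to change
    return "MACs " + ",".join(macs + missing)


if __name__ == "__main__":
    print("missing: ", missing_legacy_macs(SAMPLE_SSHD_T))
    print("proposed:", proposed_macs_line(SAMPLE_SSHD_T))
```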