Terminal connection to device fails as Key Exchange Algorithm available/configured on device not supported.
search cancel

Terminal connection to device fails as Key Exchange Algorithm available/configured on device not supported.

book

Article ID: 319860

calendar_today

Updated On:

Products

VMware Smart Assurance

Issue/Introduction

While trying to discover a device /pull config on device/test Credentials of a device with OpenSSH 7.4 or 8.3, later versions; NCM gives error unable to connect to the device. The same device is accessible from NCM server via SSH with same credentials.

Below are the entries in autodisc or commmgr log files:

-----------------------------
Jan 18 11:23:52 :-248285440/#.#.#.##6: Term: Looking up host "#.#.#.#" (IPv4)
Jan 18 11:23:52 :-248285440/#.#.#.##6: Term: Connecting to #.#.#.# port 22
Jan 18 11:23:52 :-248285440/#.#.#.##6: Term: Server version: SSH-2.0-OpenSSH_8.3
Jan 18 11:23:52 :-248285440/#.#.#.##6: Term: We claim version: SSH-2.0-PuTTY_Local:_Jan_15_2019_03:45:56
Jan 18 11:23:52 :-248285440/#.#.#.##6: Term: Using SSH protocol version 2
Jan 18 11:23:52 :-248285440/#.#.#.##6: Term: Couldn't agree a key exchange algorithm (available: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256)
-----------------------------
Jan 28 12:32:05 489895680/testCredentials(22344)#6: Term: Connecting to #.#.#.# port 22
Jan 28 12:32:05 489895680/testCredentials(22344)#6: Term: Server version: SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7
Jan 28 12:32:05 489895680/testCredentials(22344)#6: Term: We claim version: SSH-2.0-PuTTY_Local:_Jan_15_2019_03:45:56
Jan 28 12:32:05 489895680/testCredentials(22344)#6: Term: Using SSH protocol version 2
Jan 28 12:32:05 489895680/testCredentials(22344)#6: Term: Couldn't agree a key exchange algorithm (available: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256)
Jan 28 12:32:05 489895680/testCredentials(22344)#1: ssh_connect(): #.#.#.# - Remote device connection failed; check credentials
-----------------------------

Environment

NCM up to 10.1.13

Resolution

NCM up to 10.1.13 version has putty version 0.68 which does not support Key exchange algorithm diffie-hellman-group14-sha256.

Supported KEX in NCM 10.1.13 via CLI & OpenSSH 6.9 has been validated as supported:

[<USERNAME>@<HOSTNAME> ~]# strings /opt/smarts-ncm/bin/autodiscd | grep diffie-hellman
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group-exchange-sha256
diffie-hellman-group-exchange-sha1


Key exchange algorithm diffie-hellman-group14-sha256 is supported from putty version 0.74.
Upgrade NCM to 24.3.10 which has support for diffie-hellman-group-14-sha256.

KEX available in NCM 24.3.10:

  • diffie-hellman-group1-sha1
  • diffie-hellman-group18-sha512
  • diffie-hellman-group17-sha512
  • diffie-hellman-group16-sha512
  • diffie-hellman-group15-sha512
  • diffie-hellman-group14-sha256
  • diffie-hellman-group14-sha1
  • diffie-hellman-group-exchange-sha256
  • diffie-hellman-group-exchange-sha1

Additional Information



Powered by Wolken Software