SSP Backup & Restore Fails – SFTP Authentication Errors

Article ID: 395284

Products

  • VMware vDefend Firewall

  • VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

Backup configuration on SSP or SSP-I may fail with errors related to establishing an SFTP connection.

Common error messages:

Case 1:

Failed to create SFTP client. Error: error creating sftp connection to server.
sftp: sftpConnect: ssh: handshake failed:
ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain

On the SFTP server, /var/log/secure may show:

Connection closed by authenticating user backupadmin ... [preauth]
error: kex_exchange_identification: Connection closed by remote host

Case 2:

Failed to create SFTP client. Error: error creating sftp connection to server.
Error: sftp: sftpConnect: ssh: handshake failed: ssh: host key mismatch

Environment

 

  • Security Services Platform (SSP)

  • Version: 5.0

 

 

Cause

There are two common causes for SFTP backup failures:

  1. User Key Authentication Issue

    • The SFTP user account (e.g., backupadmin) did not have a valid .ssh directory or authorized_keys file in its home directory.

    • Without this, SSP cannot authenticate using the configured public key.

  2. Host Key Mismatch

    • The wrong public key was provided in SSP during backup configuration.

    • Instead of the SFTP host’s SSH key (e.g., /etc/ssh/ssh_host_ecdsa_key.pub), a user’s public key (e.g., /home/<user>/.ssh/id_rsa.pub) was mistakenly used.

    • SSP requires the server’s host key for establishing the connection, not the client user’s key.

Resolution

Case 1: User .ssh Directory Missing

  1. SSH into the SFTP server.

  2. Verify the backup user exists and has a home directory:

    ls -ld /home/backupadmin
    
  3. Switch to the backup user:

    sudo su - backupadmin
    
  4. Create the .ssh directory:

    mkdir /home/backupadmin/.ssh
    chmod 700 /home/backupadmin/.ssh
    
  5. Add the SSP public key to authorized_keys:

    echo "<ssp-public-key>" >> /home/backupadmin/.ssh/authorized_keys
    chmod 600 /home/backupadmin/.ssh/authorized_keys
    
  6. Retry the backup configuration. 

 

Case 2: Host Key Mismatch

  1. Connect to the SFTP server and navigate to the SSH configuration directory:

    cd /etc/ssh
    
  2. Identify the correct host key file (e.g., ssh_host_ecdsa_key.pub).

  3. Copy the contents of the host public key file.

  4. In the SSP Backup & Restore configuration, replace the incorrect key with the correct host public key.

  5. Save and retry the backup configuration.

Once the correct host key is used, SSP can successfully establish an SFTP connection and complete backup configuration.
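
Both cases can be checked on the SFTP server before retrying the backup configuration. The script below is an added example, not part of the original article or of SSP; the function names are hypothetical, and it assumes the OpenSSH default host key location (/etc/ssh/ssh_host_*_key.pub) and that the key pasted into SSP and the SSP client public key have each been saved to a file.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks on the SFTP server for Case 1 and Case 2.
# Function names are hypothetical; paths follow the OpenSSH defaults used above.

# Print "keytype base64blob" from the first key line of a file, dropping the comment.
key_id() { awk 'NF >= 2 && $1 !~ /^#/ { print $1, $2; exit }' "$1" 2>/dev/null || true; }

# Case 2: is the key pasted into SSP one of this server's HOST keys
# (and not a user key such as ~/.ssh/id_rsa.pub)?
# usage: matches_host_key CANDIDATE.pub [HOSTKEY_DIR]   (0 = yes, 1 = no, 2 = no key read)
matches_host_key() {
  local candidate dir f
  dir="${2:-/etc/ssh}"
  candidate="$(key_id "$1")"
  [ -n "$candidate" ] || return 2
  for f in "$dir"/ssh_host_*_key.pub; do
    [ -r "$f" ] || continue
    if [ "$(key_id "$f")" = "$candidate" ]; then return 0; fi
  done
  return 1
}

# Case 1: does the backup user have a usable authorized_keys containing the SSP key?
# usage: authkeys_ok HOME_DIR SSP_CLIENT.pub   (0 = ok, 1 = problem, reason on stdout)
authkeys_ok() {
  local sshdir ak want loose
  sshdir="$1/.ssh"
  ak="$sshdir/authorized_keys"
  [ -d "$sshdir" ] || { echo "missing $sshdir"; return 1; }
  [ -f "$ak" ] || { echo "missing $ak"; return 1; }
  # sshd with StrictModes (the default) ignores authorized_keys when the file
  # or its directory is writable by group or others.
  loose="$(find "$sshdir" "$ak" -prune \( -perm -020 -o -perm -002 \) -print)"
  [ -z "$loose" ] || { echo "group/other-writable: $loose"; return 1; }
  want="$(key_id "$2")"
  [ -n "$want" ] || { echo "cannot read a key from $2"; return 1; }
  grep -qF -- "$want" "$ak" || { echo "SSP key not in $ak"; return 1; }
}
```

For example, `matches_host_key /tmp/pasted-into-ssp.pub` returns 1 when the pasted key is a user key, and `authkeys_ok /home/backupadmin /tmp/ssp-client.pub` prints the reason when Case 1 still applies.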

Additional Information