When attempting to configure SFTP backups in **SDDC Manager 9.0** (VMware Cloud Foundation 9.0) using a Linux server as the target, you encounter the following symptoms:

• The SDDC Manager UI displays an error: "Failed to validate ECDSA SSH key support for server". Check that the server is configured with an ECDSA SSH Key.
• Manual verification via ssh-keyscan -t ecdsa <Backup_server_fqdn> from the SDDC Manager command line returns only the hostname but no key string; a key string should be a couple of lines of characters.
• The /var/log/vmware/vcf/operationsmanager/operationsmanager.log file contains:
  • ERROR [vcf_om] [c.v.v.c.f.p.b.r.v.BackupLocationValidator] ERROR_CODE, SSH_CONNECTION_FAILED_IO_ERROR
  • ERROR [vcf_om] Authentication negotiation failed for host: Algorithm negotiation fail

VCF 9.x

By design, VCF versions 9.0 and higher require an ECDSA-based SSH fingerprint for SFTP backup configuration. RSA keys are not supported for fingerprint authentication in this release. Many Linux installations default to RSA key negotiation or may not have ECDSA host keys explicitly enabled in the SSH daemon configuration, leading to a negotiation failure when SDDC Manager attempts to validate the connection.

To resolve this issue, you must ensure the Linux SFTP server is configured to generate and present an ECDSA host key.

1. Generate ECDSA Keys on the Linux Server If the server is missing ECDSA keys, generate them manually:

1. ⚠️ Review this command with your Linux administrator before running it.
               bash > ssh-keygen -t ecdsa -b 256 -f /etc/ssh/ssh_host_ecdsa_key -N

2. Enable ECDSA in sshd_config

1.   Edit /etc/ssh/sshd_config and ensure the following line is present and not commented out:
                HostKey /etc/ssh/ssh_host_ecdsa_key
   
   
2.   Restart the SSH service:
               systemctl restart sshd

3. Verify and Manually Trust the Key in SDDC Manager

1. From the SDDC Manager console, verify the key is now visible:
                ssh-keyscan -t ecdsa <backup_server_fqdn>
   
   
2. If the UI still fails to validate, use the SDDC Manager API to manually register the host key to the known hosts trust store as outlined in SDDC Manager Backup Configuration Failure: "Validation failed for directory path <path> on Ubuntu server <server ip/fqdn>. Please make sure backup directory is intact and sftp server has write permissions on backup path.

• Impact/Risks

  • SFTP backup configuration cannot be completed using RSA-only servers in VCF 9.0.1.
  • Support for RSA-based fingerprint authentication is planned for a future release.
• Related KBs
  • SDDC Manager Backup Configuration Failure: "Validation failed for directory path <path> on Ubuntu server <server ip/fqdn>. Please make sure backup directory is intact and sftp server has write permissions on backup path. 
  • Inability to use RSA keys for NSX SFTP backups