SDDC Manager backup configuration fails with "Invalid parameter" due to missing rsa-sha2 host key algorithms.


Article ID: 441702


Products

VMware SDDC Manager / VCF Installer

Issue/Introduction

  • During configuration of SDDC Manager backup from VCF Operations, the wizard fails with the error below:
    "Invalid parameter: Validation failed for directory path <Folder_name> on server <SFTP_SERVER_IP_ADDRESS>. Make sure backup directory is intact and sftp server has write permissions on backup path"
    
  • /var/log/vmware/vcf/operationsmanager/operationsmanager.log reports the errors below:
    YYYY-MM-DDTHH:MM:SS.175+0000 DEBUG [vcf_om,##############,####] [c.v.e.s.c.util.LocalProcessService,http-nio-127.0.0.1-7300-exec-4] Error Output: Unable to negotiate with <SFTP_SERVER_IP_ADDRESS> port 22: no matching host key type found. Their offer: ssh-rsa,ecdsa-sha2-nistp256
    YYYY-MM-DDTHH:MM:SS.175+0000 DEBUG [vcf_om,##############,####] [c.v.evo.sddc.common.util.SshKeyScan,http-nio-127.0.0.1-7300-exec-4] Host <SFTP_SERVER_IP_ADDRESS> doesn't have any ssh keys using rsa-sha2-512,rsa-sha2-256 algorithms
    
    YYYY-MM-DDTHH:MM:SS.295+0000 ERROR [vcf_om,##############,####] [c.v.evo.sddc.common.util.SshUtil,http-nio-127.0.0.1-7300-exec-4] Unable to create jsch CLI session:
    com.jcraft.jsch.JSchException: verify: false
  • SSH connection from SDDC Manager to the SFTP backup server fails, although sshd on the SFTP server is active:
    systemctl status sshd
    
    Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; preset: enabled)
    Active: active (running)
    
  • /var/log/messages on the SFTP server shows the error below (disconnect reason code 3 is SSH_DISCONNECT_KEY_EXCHANGE_FAILED, and [preauth] confirms the session was dropped before authentication started):

    sshd[####]: Disconnected from <SDDC_MANAGER_IP> port 42776 [preauth] error: Received disconnect from <SDDC_MANAGER_IP> port 42776:3: com.jcraft.jsch.JSchException: reject Hostkey: <SDDC_MANAGER_IP>
    Connection closed by invalid user #######-####-####-####-########## <SDDC_MANAGER_IP> port 42762 [preauth]

Environment

VMware SDDC Manager 9.x
VMware Cloud Foundation 9.x

Cause

The SFTP backup server offers only ssh-rsa and ecdsa-sha2-nistp256 as host key algorithms, while SDDC Manager requires rsa-sha2-512 or rsa-sha2-256 when it scans the server's host key before creating the SFTP session.
ssh-rsa denotes RSA signatures over SHA-1; rsa-sha2-256 and rsa-sha2-512 are RSA signatures over SHA-2 made with the same RSA host key, so the server does not need a new key, only to advertise the SHA-2 signature algorithms. Because SDDC Manager's hardened security policy does not accept SHA-1 host key signatures, key exchange finds no common host key algorithm and the connection is terminated before authentication (hence the [preauth] disconnect on the server and the JSch "verify: false" / "reject Hostkey" errors). The backup wizard surfaces this as the generic "Validation failed for directory path" error, even though the backup directory and its permissions are not the problem.

Resolution

To resolve this, update the SSH daemon configuration on the external SFTP backup server so that it offers the host key algorithms VCF requires.

Requirements: The SFTP server must offer at least one of rsa-sha2-512 or rsa-sha2-256, and at least one of ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, or ecdsa-sha2-nistp521. OpenSSH 7.2 and later offers the rsa-sha2-* algorithms by default, so a server that fails this check usually has an explicit HostKeyAlgorithms line that dropped them, or is not running OpenSSH.

Steps:

  1. Log into the external SFTP backup server as a user with administrative (root) privileges.
  2. Open the SSH configuration file for editing: vi /etc/ssh/sshd_config.
  3. Locate or add the HostKeyAlgorithms directive (the list of host key signature algorithms sshd offers to clients) and make sure it includes the required SHA-2 RSA and ECDSA algorithms. Example configuration:
    HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
    The server must also have an RSA and an ECDSA host key loaded (HostKey directives) for the advertised algorithms to be usable. The example deliberately omits ssh-rsa (SHA-1); keep that in mind only if other, legacy clients of this SFTP server still depend on it.
  4. Restart the SSH daemon so the new directive takes effect. This restarts the service for every client of the SFTP server, so review the change before running:
    systemctl restart sshd
  5. Return to the SDDC Manager UI and re-run the backup configuration wizard to validate the connection.
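The following script is an added example for this KB, not Broadcom/VMware code. It encodes the requirement from the Cause and Resolution sections above as a check: given the host key algorithm list an SFTP server offers, it reports whether at least one rsa-sha2-* and one ecdsa-sha2-* algorithm is present and, if not, which half is missing. Without arguments it runs against two constructed sample lists (the failing offer from the log above and the recommended directive value); with --live, run as root on the SFTP server, it syntax-checks sshd_config with sshd -t and reads the effective configuration from sshd -T, which reflects Include files and compiled-in defaults rather than just the text of sshd_config.

```shell
#!/usr/bin/env bash
# Added example for this KB (not Broadcom/VMware code): check whether an
# SFTP server's effective sshd configuration offers the host key signature
# algorithms SDDC Manager requires.
set -u

# Requirement from the KB: at least one algorithm from each list.
REQUIRED_RSA_SHA2="rsa-sha2-512 rsa-sha2-256"
REQUIRED_ECDSA="ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521"

# has_any "<space-separated wanted>" "<comma-separated offered>"
# Returns 0 if any wanted algorithm appears as a whole item in the offered list.
has_any() {
    local wanted="$1" offered="$2" alg
    for alg in $wanted; do
        case ",$offered," in
            *",$alg,"*) return 0 ;;
        esac
    done
    return 1
}

# check_hostkey_algs "<comma-separated offered>"
# Returns 0 if the list satisfies the SDDC Manager requirement, 1 otherwise.
check_hostkey_algs() {
    has_any "$REQUIRED_RSA_SHA2" "$1" && has_any "$REQUIRED_ECDSA" "$1"
}

# hostkey_algs_from_sshd_dump < "sshd -T output"
# Prints the value of the hostkeyalgorithms keyword (sshd -T prints keywords in lowercase).
hostkey_algs_from_sshd_dump() {
    awk 'tolower($1) == "hostkeyalgorithms" { print $2; exit }'
}

# explain "<offered>": prints a verdict and, on failure, which group is missing.
explain() {
    local offered="$1"
    if check_hostkey_algs "$offered"; then
        echo "OK:   $offered"
        return 0
    fi
    echo "FAIL: $offered"
    has_any "$REQUIRED_RSA_SHA2" "$offered" || echo "      missing one of: $REQUIRED_RSA_SHA2"
    has_any "$REQUIRED_ECDSA" "$offered"    || echo "      missing one of: $REQUIRED_ECDSA"
    return 1
}

# Constructed samples (not captured from a real server): the offer that fails in
# this KB, and the value of the recommended HostKeyAlgorithms directive.
FAILING_OFFER="ssh-rsa,ecdsa-sha2-nistp256"
FIXED_OFFER="ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256"

if [ "${1:-}" = "--live" ]; then
    # Run as root on the SFTP server. Refuse to go further if sshd_config would
    # not even load, so a typo in the directive is caught before a restart.
    sshd -t || { echo "sshd_config has errors; fix them before restarting sshd" >&2; exit 2; }
    explain "$(sshd -T | hostkey_algs_from_sshd_dump)"
else
    explain "$FAILING_OFFER" || true
    explain "$FIXED_OFFER"
fi
```

From the SDDC Manager side, the same mismatch can be reproduced with `ssh -o HostKeyAlgorithms=rsa-sha2-512,rsa-sha2-256 <user>@<SFTP_SERVER_IP_ADDRESS>`: against an unfixed server this prints the "no matching host key type found" line seen in operationsmanager.log, and after the fix it proceeds to host key verification and authentication.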

 

Additional Information

The requirement to enable at least one of rsa-sha2-512 or rsa-sha2-256 and one of ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, or ecdsa-sha2-nistp521 on the SFTP server is documented in the following configuration guide:

Reconfigure SFTP Backups for SDDC Manager and NSX Manager

For reference, the following related KBs address similar errors:

Backup configuration for SDDC manager is failing - "Invalid parameter: validation failed for directory path </path/to/directory> on server <IP_or_FQDN>"

SDDC backup fails with this error "Could not retrieve the fingerprint of the SFTP server."

SDDC Manager Backup configuration failed with error - Invalid parameter: Validation failed for directory path