https://login.veeam.com/en/oauth?client_id=nXojRrypJ8&redirect_uri=https%3A%2F%2Fwww.veeam.com%2Fservices%2Fauthentication%2Fredirect_url&response_type=code&scope=profile&state=eyJmaW5hbFJlZGlyZWN0TG9jYXRpb24iOiJodHRwczovL3d3dy52ZWVhbS5jb20va2IyMDYxIiwiaGFzaCI6ImMyZjA1NmQ4LTg5ZTktNDQyNC04ZGRmLTRhZjMzMjMwZDc4MyJ9
1-800-691-1991 | 9am - 8pm ET
EN

Server does not support diffie-hellman-group1-sha1 for keyexchange

Challenge

When attempting to add a managed Linux server, you may receive one of the errors below.

Failed to negotiate key exchange algorithm
Client encryption algorithm not found
Server HMAC algorithm not found

Cause

When Veeam connects to a Linux target, we require Diffie-Helman key exchange capabilities for successful secure connections and to reduce the possibility that a password will not be intercepted when authenticating to the storage. In some Linux distributions, /etc/ssh/sshd_conf is missing the KexAlgorithms and Cipher fields to describe which methods are supported by the SSH daemon.

Solution

Review the configuration of your /etc/ssh/sshd_config file and verify at least one of the Ciphers, KexAlgorithms, and MACs listed below are present

Supported ciphers:

3des-cbc, aes128-cbc, aes192-cbc, aes256-cbc, aes128-ctr, aes192-ctr, aes256-ctr, blowfish-cbc, cast128-cbc, arcfour, twofish

Supported Key Exchange algorithms:

diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1


Supported HMACs

hmac-md5, hmac-md5-96, hmac-sha1, hmac-sha1-96, hmac-sha2-256, hmac-sha2-256-96, hmac-sha2-512, hmac-sha2-512-96, hmac-ripemd160, hmac-ripemd160@openssh.com

See the man page for your sshd_config file and/or query for the supported ciphers, key exchange algorithms and keyed-hash message authentication codes using the following command:

sshd -T

If needed, modify the sshd_config file. Then, to generate the newly added keys, run

ssh-keygen -A

and restart the sshd service on the machine (reboot works fine, too).

More information

Some systems offer an option in the GUI to disable or re-enable SSH logon, but these do not always actually restart the daemon. Typically, it is best to restart the service using the command

service ssh restart

or your distribution’s equivalent.

KB ID:
2061
Product:
Veeam Backup & Replication, Veeam Cloud Connect
Version:
Any
Published:
2015-08-28
Last Modified:
2020-11-16
Please rate how helpful this article was to you:
5 out of 5 based on 1 ratings
Thank you for helping us improve!
An error occurred during voting. Please try again later.

Couldn't find what you were looking for?

Below you can submit an idea for a new knowledge base article.
Report a typo on this page:

Please select a spelling error or a typo on this page with your mouse and press CTRL + Enter to report this mistake to us. Thank you!

Spelling error in text

Knowledge base content request
By submitting, you agree that your personal data will be managed by Veeam in accordance with the Privacy Policy.

ty icon

Thank you!

We have received your request and our team will reach out to you shortly.

OK

error icon

Oops! Something went wrong.

Please go back try again later.