Server does not support diffie-hellman-group1-sha1 for keyexchange

KB ID: 2061
Products: Veeam Backup & Replication;Veeam Cloud Connect
Version: Any
Published:
Last Modified: 2017-03-28

Challenge

When attempting to add a managed Linux server, you may receive one of the errors below.
Failed to negotiate key exchange algorithm
Client encryption algorithm not found
Server HMAC algorithm not found

Cause

When Veeam connects to a Linux target, we require Diffie-Helman key exchange capabilities for successful secure connections and to reduce the possibility that a password will not be intercepted when authenticating to the storage. In some Linux distributions, /etc/ssh/sshd_conf is missing the KexAlgorithms and Cipher fields to describe which methods are supported by the SSH daemon.

Solution

Review the configuration of your /etc/ssh/sshd_config file and verify at least one of the Ciphers, KexAlgorithms, and MACs listed below are present

Supported ciphers
3des-cbc, aes128-cbc, aes192-cbc, aes256-cbc, aes128-ctr, aes192-ctr, aes256-ctr, blowfish-cbc, cast128-cbc, arcfour, and twofish
Supported Key Exchange algorithms
diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1

Supported HMACs
hmac-md5, hmac-md5-96, hmac-sha1, hmac-sha1-96, hmac-sha2-256, hmac-sha2-256-96, hmac-sha2-512, hmac-sha2-512-96, hmac-ripemd160, hmac-ripemd160@openssh.com

See the man page for your sshd_config file and/or query for the supported ciphers, key exchange algorithms and keyed-hash message authentication codes using the following command:
sshd -T
If needed, modify the sshd_config file. Then, to generate the newly added keys, run "ssh-keygen -A" and restart the sshd service on the machine (reboot works fine, too).

More Information

Some systems offer an option in the GUI to disable or re-enable SSH logon, but these do not always actually restart the daemon. Typically, it is best to restart the service using the command “service ssh restart” or your distribution’s equivalent.
 
3 / 5 (38 votes cast)

Report a typo on this page:

Please select a spelling error or a typo on this page with your mouse and press CTRL + Enter to report this mistake to us. Thank you!

Orphus system