Hi

When will there be a server side fix for these SSH sensor's ?

Ie at what point will the underlying component be updated to support CTR counters

Thanks

Hello, we are sorry that we cannot answer this question, we still wait for this update. Best Regards

Any progress on resolving this issue? We're still seeing these diffie-hellman-group1-sha1 key exchange errors for ssh sensors as of PRTG 15.1.15.1864+. Thanks, Ivan

Andrew, I'm sorry this has not been changed, nor are the plans to change it in the near future. Sorry.

We now also are having problems with SSH sensors. We have upgraded our SFTP server to openSSH 6.9 and openssh is now disabling older cipers and protocols at built time. Hopefully Paessler will be supporting the latest ciphers at some point.

They old ciphers are being disabled because of security issues.

I have disabled these sensors for now (disk space)

it is nearly two years since the topic has been opened... not a good performance at paessler, or?

Fritz, we still have this on our list, and also its security implications on our mind. It is a rather complex task though, as it will mean a complete re-write of our SSH Sensor engine. So nothing to take lightly. Please bear with us.
We do see the point and value in this request of course, have to decide how we 'use' the limited developer time we have, to implement features which benefit all or at least most of our PRTG users (also with all points to this SSH discussion in mind).

Not a good statement from PRTG, as we are getting dinged on audits and had to disable the weak ciphers... and really do need to use ssh monitors due to inflexibility of built in PRTG monitors. Our management is now making us consider a different vendor's monitor due to this issue.

Hi, as mentioned above, we are aware of the incompatibility of the SSH sensors and are working on an update. This requires extensive changes in the source code, so I'm afraid that I cannot give you an exact date for the release yet. Please bear with us.

Best regards, Felix

Hi Our monitoring solution also depends on SSH sensors, so I most urgently would ask you to prioritize rewriting the SSH engine. Thanks, Jon

It's in the works already :)

Any news on this fix for the SSH handshake and using the latest ciphers

The latest version already should support the symmetric ciphers AES192 and AES256. What version are you currently running?

Im on version 15.4.21.5216 ... im just running an update ;-)

That version already should support it... Did you try to recreate the sensors?

Ok I have updated to version 15.4.21.5482 deleted old sensors and recreated new ones for Memory, load average and Disk. All SSH based and they still fail with authentication errors

I can log in ok via SSH onto the server using the credentials using an SSH client.

I will check which cyphers are in our corporate build

Alright, let me know :) The SSH framework also just got revamped (but that hasn't reached the stable or preview builds yet); this might also be helpful once it's released.

Where are we up to with this?

We have been using SSH sensors to monitor HP MSA and P2000 SANs due to their lack of useful SNMP and PRTG not supporting SMI-S however as of the latest firmware for these devices, it appears they are no longer support CBC mode and we are getting "The negotiation of encryption algorithm is failed" errors on all of the sensors.

I appreciate you are working on it as noted. I was hoping we would be closer to an ETA given the most recent comments regarding the SSH framework revamp.

The new SSH framework is (should be) currently in the Canary channel of PRTG. Can you set up a test instance of PRTG on a VM, set the update channel to canary and test it with your MSA?

Is your P2000 running the latest available firmware?

""Another alternative is to add a weaker encryption system to ssh_config again.""

Based on a possible temporary solution. Someone could show me how to modify the ssh config, which parameters should perform so you can comunicarser with ssh sensor prtg.

Open up /etc/sshd/sshd_config with an editor of your choice and search for the line starting with Ciphers. Make it look like the following line:

Ciphers aes256-ctr,aes128-ctr,aes256-cbc,aes128-cbc
KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

Restart your SSHd service and PRTG should be able to connect again.

I have updated my Mac Mini to "El Capitan" and since then I got errors on my PRTG dahsboard like "the negotitation of encryption algorithm is failed". It runs PRTG Network monitor 16.1.211422. The SSH configuration on Mac OSX is stored in /private/etc/sshd_config . I edited "/private/etc/ssh/sshd-config" and added the aforementioned lines to sshd_config as they were not there yet, en restarted sshd . To stop and start sshd:

 sudo launchctl stop com.openssh.sshd
 sudo launchctl start com.openssh.sshd

It works!

Thanks for sharing, Paul! :)

In response to Stephan Linke [Paessler Support].

Sorry for not replying sooner. Our MSA is at current firmware GL220R005(A).

We have PRTG build 16.2.24.3686 running and with the new SSH libraries we no longer get encryption errors.

However, what we are now seeing is SSH time outs such as "Timed out while waiting for SANs response. It might help to restart the SSH controller. (code: PE241)".

We know SSH is working because we can SSH to the SAN from the same server as the PRTG Probe without any issues.

The problem is known and we're working on a fix :)

Any News on this? also getting "Timed out while waiting for SANs response. It might help to restart the SSH controller. (code: PE241)"

As of right now, the SAN still is not working properly with our SSH sensors and we'll need more time to debug this. Sorry for the inconvenience!

Latest build 16.2.24.4274 appears to have fixed this. Thanks!

Dear All,

my apologies for bringing up again this apparently long retired subject.

I wonder as to the status of support for "diffie-hellman-group-exchange-sha256" in the ssh framework von PRTG v18.4.47.* as I have a proprietary device, forcing me to use said cipher algorithm.

Any help would be greatly appreciated.

Many thanks in advance and kind regards

Christopher

You should be able to use the compatibility mode in the Linux Credential settings of the device (under "SSH Connection"). Let me know if it worked :)

Dear Stephan,

Many thanks for your reply.

When using compatibility mode I get

"invalid key exchange algorithm"

For the avoidance of doubt, I presume the sensor needs to be deployed vis-á-vis the controller directly and not the service processor?

I'm not sure I understand the last sentence correctly :( Would something like a reverse SSH Proxy work by any chance? Something like outlined here.

PRTGapi | Feature Requests | WMI Issues | SNMP Issues

Kind regards,
Stephan Linke, Tech Support Team