Is it possible to update KEX algorithms used by the SFTP sensor?

Votes:

1

Hello, Due to some known vulnerabilities with various weak ciphers and algorithms, we have removed them from our FTP software today, but this had the side effect of breaking our SFTP sensors. Are you perhaps using an older OpenSSH library than our FTP software? Ours uses OpenSSH 8.1.0.0. Do you have any way for us to add more cipher options to this sensor? For now, we have had to re-enable a weak KEX cipher to make the sensor work again, but this is not a long-term fix. I find it troubling that you support older, weak Diffie-Hellman KEX algorithms, but not newer, secure ones. It might give someone the impression that your company doesn't care about security. =)

Details:

Failed to connect. Please check the SSH log of the target device or try the Compatibility Mode of the sensor's SSH engine and consider updating the target system's operating system. Reason: ssh_connect failed (-1)kex error : no match for method kex algos: server [ diffie-hellman-group16-sha512, diffie-hellman-group14-sha256, diffie-hellman-group-exchange-sha256], client [ [email protected], ecdh-sha2-nistp256, diffie-hellman-group1-sha1, diffie-hellman-group14-sha1]

We are using PRTG 20.3.61.1649+. I didn't see anything in the patch notes about updated KEX algorithms, so I didn't update yet. Let me know if there is perhaps an undocumented change on this.

kex prtg sftp

Created on Nov 18, 2020 11:00:41 PM



5 Replies

Votes:

0

Hi there,

Please let me know which particular vulnerabilities are covered by your new ciphers. That way, I can reach out to our developers to receive more information.

Created on Nov 19, 2020 11:17:34 AM by  Moritz Heller [Paessler Support]



Votes:

0

Hello, I'm not sure I understand your response. Anything with SHA1 is regarded as insecure. PRTG currently only seems to have these KEX algorithms available: [email protected], ecdh-sha2-nistp256, diffie-hellman-group1-sha1, diffie-hellman-group14-sha1

Our FTP software from Globalscape (EFT) does not have support for these two: [email protected], ecdh-sha2-nistp256,

So, after we disabled the two SHA1 KEX algorithms, the SFTP sensor fails, because there is no common KEX algorithm between the client and server.

What I am asking is if PRTG can ADD the more secure versions of the diffie-hellman KEX algorithms: diffie-hellman-group16-sha512, diffie-hellman-group14-sha256, diffie-hellman-group-exchange-sha256

Created on Nov 19, 2020 5:25:00 PM



Votes:

0

Hi Peter,

I forwarded your question to our development and received additional feedback. At the moment, we don't use the latest version of openssh. Therefore, the error occurs. In addition, we are not able to enable another cipher set for this Sensor, I'm sorry.

Created on Nov 23, 2020 9:32:29 AM by  Moritz Heller [Paessler Support]



Votes:

0

Hi Moritz,

When do you plan to update the kex algos for this sensor?

We want to monitor the connectivity to a SFTP server of DHL/Deutsche Post (ebibkom.deutschepost.de). It seems that PRTG is not compatible:

Reason: ssh_connect failed (-1)kex error : no match for method kex algos: server [[email protected],diffie-hellman-group-exchange-sha256], client [[email protected],ecdh-sha2-nistp256,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1]

Since this is not our server, we cannot change its settings.

Created on Nov 8, 2021 11:16:20 AM



Votes:

0

Hi there,

I asked the development for an update and they are currently checking when and how this can be implemented. Please note that this issue is currently not highly prioritized and therefore the process takes longer than usual. However, we are aware of this feature request and are working on it.

Created on Nov 10, 2021 8:20:06 AM by  Moritz Heller [Paessler Support]
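
Added example (not part of the thread and not Paessler code): a small Python triage helper that parses the "no match for method kex algos" error quoted in the question, lists the SHA-1 names the client offers, and applies the SSH selection rule (the first name on the client's list that the server also supports) to show what the session falls back to once a weak KEX is re-enabled on the server. The re-enabled algorithm in the usage line is an assumption, since the thread does not say which one was switched back on; the function names are made up for this example.

```python
import re

# Error text as quoted in the question; the "[email protected]" token is
# reproduced exactly as the page shows it.
SAMPLE_ERROR = (
    "ssh_connect failed (-1)kex error : no match for method kex algos: "
    "server [ diffie-hellman-group16-sha512, diffie-hellman-group14-sha256, "
    "diffie-hellman-group-exchange-sha256], client [ [email protected], "
    "ecdh-sha2-nistp256, diffie-hellman-group1-sha1, "
    "diffie-hellman-group14-sha1]"
)

# Server list ends at the first "], client ["; client list ends at the last "]".
_LISTS = re.compile(r"server \[(.*?)\], client \[(.*)\]\s*$", re.S)


def parse_kex_error(msg):
    """Return (server_algos, client_algos) from the sensor's error text."""
    m = _LISTS.search(msg)
    if not m:
        raise ValueError("not a 'no match for method kex algos' message")
    split = lambda s: [a.strip() for a in s.split(",") if a.strip()]
    return split(m.group(1)), split(m.group(2))


def negotiate(server, client):
    """RFC 4253 section 7.1: first client-listed name the server also offers."""
    return next((a for a in client if a in server), None)


def is_sha1(name):
    return name.endswith("-sha1")


def report(msg, reenabled=()):
    """Summarise the mismatch; 'reenabled' models names added back on the server."""
    server, client = parse_kex_error(msg)
    chosen = negotiate(server + list(reenabled), client)
    return {
        "server_only": [a for a in server if a not in client],
        "client_sha1": [a for a in client if is_sha1(a)],
        "negotiated": chosen,
        "negotiated_is_sha1": chosen is not None and is_sha1(chosen),
    }


if __name__ == "__main__":
    print(report(SAMPLE_ERROR))
    # Assumption: the workaround re-enabled diffie-hellman-group14-sha1.
    print(report(SAMPLE_ERROR, reenabled=["diffie-hellman-group14-sha1"]))
```

Run against the error from a sensor log, the "negotiated_is_sha1" flag shows whether a server-side workaround has put the monitored connection back on a SHA-1 key exchange.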



