What is this?

This knowledgebase contains questions and answers about PRTG Network Monitor and network monitoring in general.

Learn more

PRTG Network Monitor

Intuitive to Use. Easy to manage.
More than 500,000 users rely on Paessler PRTG every day. Find out how you can reduce cost, increase QoS and ease planning, as well.

Free Download

Top Tags


View all Tags

SFTP/SSH : Invalid key exchange algorithm error

Votes:

0

After updating to PRTG v 22.2.76.1705 we are getting a : Invalid key exchange algorithm error in our SSH/SFTP sensor when connecting to Serv-U FTP.

With the SSH sensor in compatibility mode we get the error "Invalid key exchange algorithm" with the default SSH sensor mode, we get the following error

"Failed to connect. Please check the SSH log of the target device or try the Compatibility Mode of the sensor's SSH engine and consider updating the target system's operating system. Reason: ssh_connect failed (-1)kex error : no match for method server host key algo: server [ssh-dss], client [ssh-rsa]"

Is the 22.2.76.1705 version using a new SSH engine? Any advice?

cipher sftp ssh

Created on May 17, 2022 9:17:17 PM

Last change on May 19, 2022 5:30:56 AM by Felix Wiesneth [Paessler Support]



6 Replies

Votes:

0

Hello,

We exactly have the same problem connecting to all our Linux systems over SSH. Tried to fix settings on the Linux systems but couldn't resolve it.

Any workaround? Will open a support ticket soon.

Created on May 24, 2022 7:52:04 AM



Votes:

0

Hello

We updated the SSH library that SSH sensors use to monitor the target devices. The update improves the security of SSH sensors. We now use libssh 0.9.6 with openssl 1.1.1. In addition we follow the security guidelines here: https://www.ssh-audit.com/hardening_guides.html

Created on May 26, 2022 9:25:39 PM by Luis Quesada (Paessler Technical Support)



Votes:

0

Hello there
You are right.
We are trying to broaden our list again a bit, to increase support for customers having problems with their 7+ year old systems. Our PaeLibSSH does have a very restrictive list of supported algorithms.

We are investigating the possibility to increase our list. but this is just being discussed as of right now, hence I don't have an ETA.

Created on Jun 2, 2022 10:31:39 PM by Luis Quesada (Paessler Technical Support)



Votes:

0

Thank you for the update. Do you have a simple, concise list of supported algorithms in the new SSH engine AND a separate consise list for the compatability mode? ( edit.. added request for compatibilty mode ciphers/keys )

This would help see if our existing software has an overlapping algorithms and would be clear information to provide to other vendors.

Thank you .

Created on Jun 3, 2022 4:18:43 PM

Last change on Jun 9, 2022 6:22:12 AM by Florian Lesage [Paessler Support]



Votes:

1

For anyone looking to support Barracuda CloudGen Firewall with the new SSH restrictions. The firewalls only support DSA and ECDSA SSH host keys. PRTG does not support these SSH host keys anymore. PRTG only supports RSA or ED25519.

You can switch to Compatibility mode in PRTG and modify the SSHD configuration on the firewall. Replace existing lines with: KexAlgorithms +diffie-hellman-group14-sha1 Ciphers +aes256-ctr,aes128-cbc

And restart sshd afterwards: /etc/init.d/sshd restart

Please note if your firewall is attached to a Control Center and you make modifications to the SSH configuration, the changes will be overwritten. Also upgrading the device will overwrite the changes, so the workaround is not ideal at all.

Please PRTG, add the previous SSH options in PRTG compatibility mode. Now, these devices are sort of "in between". We have to lower the SSH security on the devices to have them supported in Compatibility mode.

Created on Jun 6, 2022 6:46:46 AM



Votes:

0

Hello there,

This is currently planned to add more algorithms (including ECDSA) to the list, however there is no clear ETA yet for it I'm afraid. The new algorithms should be added in one of the next two/three versions (v77 excluded) of PRTG.

Note: Here is a KB article where you will find the existing algorithms used: https://kb.paessler.com/en/topic/90689-which-encryption-algorithms-do-prtg-ssh-sensors-support

Regards.

Created on Jun 8, 2022 6:32:24 AM by Florian Lesage [Paessler Support]

Last change on Jun 9, 2022 6:26:54 AM by Florian Lesage [Paessler Support]




Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.