This article applies to PRTG Network Monitor 13 through 16.2.23
When trying to monitor SSH sensors, I get the following error message in PRTG: The negotiation of encryption algorithm is failed. What is the reason for this problem? What can I do?
Important note: PRTG includes a new SSH engine as of version 16.2.24 to provide best performance and security for your SSH sensors. Please consider this SSH engine as beta: it still does not support all OpenSSH libraries but we are working on it.
If PRTG's new SSH engine does not yet work in your case, you can still use the old SSH engine as legacy version: select the Compatibility Mode for SSH Engine in the sensor or device settings. In this case, please consider the article below.
SSH Sensors and Encryption Errors
The legacy SSH engine in PRTG uses an underlying component that only offers ciphers in Cipher Block Chaining (CBC) mode. SSH encryption with a CBC cipher is, however, potentially vulnerable to the plaintext recovery attack against SSH (CVE-2008-5161): a remote, unprivileged attacker who can intercept the traffic may recover a small portion of the plaintext from it.
Because of this security issue, a growing number of systems (for example, Solaris 11 and VMware vCenter 5.5) no longer accept CBC ciphers by default. Instead, they offer ciphers in counter mode (CTR) only.
When client and server have no cipher in common (CBC only on one side, CTR only on the other), the key exchange fails and your SSH sensors show the error message "The negotiation of encryption algorithm is failed".
If your SSH sensors show this encryption failure, also check the log of the SSH daemon on the target system. sshd writes to the system log (for example /var/log/auth.log or /var/log/secure, or journalctl -u sshd on systems with systemd), not to the kernel ring buffer that dmesg shows. The corresponding entry looks similar to this:
Client and server could not agree on a common cipher: […]
For details about this security vulnerability in CBC mode, see
Diffie-Hellman Key Exchange (D-H)
The same mismatch also affects the key exchange. The legacy SSH engine requests the diffie-hellman-group1-sha1 method (a 1024-bit group), which many current servers no longer offer by default. In this case you see an error message like "Server does not support diffie-hellman-group1-sha1 for key exchange".
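To make the negotiation rule behind both error messages concrete, here is an added example (not PRTG or OpenSSH code) that implements the SSH algorithm selection from RFC 4253, section 7.1, on constructed SSH_MSG_KEXINIT payloads: the first algorithm on the client's list that the server also offers is chosen, and an empty intersection is exactly the failure described above. The name-lists for the "legacy client" and the "hardened server" are assumptions that mirror the article's scenario, as is the "workaround server" that re-adds aes128-cbc and diffie-hellman-group1-sha1 as described in the Workaround section.

```python
"""SSH algorithm negotiation (RFC 4253, section 7.1) on constructed KEXINIT payloads.

Added example, not PRTG or OpenSSH code. The algorithm lists are constructed
to mirror the article: the legacy PRTG SSH engine offers CBC ciphers and
diffie-hellman-group1-sha1 only, while a hardened server offers CTR ciphers
and newer key exchange methods only.
"""
import struct
from typing import List, Optional

# Constructed name-lists (assumption: what each side advertises in KEXINIT).
LEGACY_CLIENT_CIPHERS = ["aes128-cbc", "3des-cbc", "aes256-cbc"]
LEGACY_CLIENT_KEX = ["diffie-hellman-group1-sha1"]
HARDENED_SERVER_CIPHERS = ["aes128-ctr", "aes192-ctr", "aes256-ctr"]
HARDENED_SERVER_KEX = ["diffie-hellman-group14-sha1",
                       "diffie-hellman-group-exchange-sha256"]


def negotiate(client: List[str], server: List[str]) -> Optional[str]:
    """RFC 4253 7.1: pick the first algorithm on the client's list that the
    server also lists; None means the handshake fails (no common algorithm)."""
    return next((alg for alg in client if alg in server), None)


def encode_name_list(names: List[str]) -> bytes:
    """SSH name-list wire format: uint32 length + comma-separated ASCII names."""
    body = ",".join(names).encode("ascii")
    return struct.pack(">I", len(body)) + body


def decode_name_list(buf: bytes, offset: int = 0):
    """Return (names, offset after the list) for a name-list at offset."""
    (length,) = struct.unpack_from(">I", buf, offset)
    start = offset + 4
    body = buf[start:start + length].decode("ascii")
    return (body.split(",") if body else []), start + length


def parse_kexinit(packet: bytes) -> dict:
    """Parse an SSH_MSG_KEXINIT payload (message number 20): 16-byte cookie,
    ten name-lists (kex, host key, ciphers c->s and s->c, MACs, compression,
    languages), then the first_kex_packet_follows flag and a reserved uint32."""
    if packet[0] != 20:
        raise ValueError("not SSH_MSG_KEXINIT")
    off = 1 + 16  # message number + cookie
    fields = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]
    out = {}
    for field in fields:
        out[field], off = decode_name_list(packet, off)
    out["first_kex_packet_follows"] = bool(packet[off])
    return out


def build_kexinit(kex, hostkey, ciphers, macs) -> bytes:
    """Build a KEXINIT payload with a fixed (constructed) cookie; the same
    cipher and MAC lists are used for both directions."""
    pkt = bytes([20]) + bytes(range(16))
    for names in (kex, hostkey, ciphers, ciphers, macs, macs,
                  ["none"], ["none"], [], []):
        pkt += encode_name_list(names)
    return pkt + b"\x00" + b"\x00\x00\x00\x00"


def check_handshake(client_pkt: bytes, server_pkt: bytes) -> dict:
    """Negotiate key exchange and both cipher directions from two KEXINITs."""
    c, s = parse_kexinit(client_pkt), parse_kexinit(server_pkt)
    return {"kex": negotiate(c["kex"], s["kex"]),
            "cipher_c2s": negotiate(c["enc_c2s"], s["enc_c2s"]),
            "cipher_s2c": negotiate(c["enc_s2c"], s["enc_s2c"])}


def legacy_vs_hardened() -> dict:
    """Legacy PRTG engine against a CTR-only server: nothing in common."""
    return check_handshake(
        build_kexinit(LEGACY_CLIENT_KEX, ["ssh-rsa"], LEGACY_CLIENT_CIPHERS, ["hmac-sha1"]),
        build_kexinit(HARDENED_SERVER_KEX, ["ssh-rsa"], HARDENED_SERVER_CIPHERS, ["hmac-sha1"]))


def legacy_vs_workaround() -> dict:
    """Same client after the server re-enabled aes128-cbc and group1
    (the Workaround section); both sides now agree."""
    return check_handshake(
        build_kexinit(LEGACY_CLIENT_KEX, ["ssh-rsa"], LEGACY_CLIENT_CIPHERS, ["hmac-sha1"]),
        build_kexinit(HARDENED_SERVER_KEX + ["diffie-hellman-group1-sha1"], ["ssh-rsa"],
                      HARDENED_SERVER_CIPHERS + ["aes128-cbc"], ["hmac-sha1"]))


if __name__ == "__main__":
    for name, result in (("legacy vs hardened", legacy_vs_hardened()),
                         ("legacy vs workaround", legacy_vs_workaround())):
        status = "OK" if all(result.values()) else "FAILED: no common algorithm"
        print(f"{name}: {result} -> {status}")
```

Note that the choice is driven by the client's preference order, not the server's, so a server that lists aes128-cbc last still ends up using it with the legacy engine, which is why the workaround below weakens the server for every client that prefers CBC.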
Workaround
Currently, the best recommendation to avoid this issue is to use other monitoring technologies than SSH. Add, for example, SNMP sensors as an alternative:
- SNMP Linux Disk Free Sensor
- SNMP Linux Load Average Sensor
- SNMP Linux Meminfo Sensor
- SNMP Linux Physical Disk Sensor
Another alternative is to re-enable a CBC cipher (and, if needed, the diffie-hellman-group1-sha1 key exchange) on the target's SSH server by adding them to the Ciphers and KexAlgorithms directives in sshd_config (the daemon's configuration, not the client's ssh_config), and restarting the daemon.
Important notice: Do this at your own risk. We do not recommend it!
This weakens the server's SSH configuration for every client, not only for PRTG, so it may only be acceptable in an isolated environment (LAN, VPN).
For details, please refer to linuxmanpages.com: SSHD_CONFIG.
Disclaimer:
The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.