After updating to PRTG v 22.2.76.1705 we are getting an "Invalid key exchange algorithm" error in our SSH/SFTP sensor when connecting to Serv-U FTP.
With the SSH sensor in compatibility mode we get the error "Invalid key exchange algorithm".
With the default SSH sensor mode, we get the following error:
"Failed to connect. Please check the SSH log of the target device or try the Compatibility Mode of the sensor's SSH engine and consider updating the target system's operating system. Reason: ssh_connect failed (-1)kex error : no match for method server host key algo: server [ssh-dss], client [ssh-rsa]"
Is the 22.2.76.1705 version using a new SSH engine? Any advice?
Article Comments
Hello
We updated the SSH library that SSH sensors use to monitor the target devices. The update improves the security of SSH sensors. We now use libssh 0.9.6 with openssl 1.1.1. In addition we follow the security guidelines here: https://www.ssh-audit.com/hardening_guides.html
May, 2022 - Permalink
Hello there
You are right.
We are trying to broaden our list again a bit, to increase support for customers having problems with their 7+ year old systems.
Our PaeLibSSH does have a very restrictive list of supported algorithms.
We are investigating the possibility to increase our list, but this is just being discussed as of right now, hence I don't have an ETA.
Jun, 2022 - Permalink
Thank you for the update. Do you have a simple, concise list of supported algorithms in the new SSH engine AND a separate concise list for the compatibility mode? (Edit: added request for compatibility mode ciphers/keys.)
This would help see if our existing software has overlapping algorithms and would be clear information to provide to other vendors.
Thank you.
Jun, 2022 - Permalink
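The error in the original question is a failed SSH algorithm negotiation, and the overlap check asked about above can be done offline once the server's offer is known. As an added example (not part of the thread and not Paessler's code), this Python code parses an SSH_MSG_KEXINIT payload as laid out in RFC 4253 section 7.1 and reports the categories with no common algorithm. The server payload and the client lists are constructed for illustration; take the real client list from the vendor's KB article.

```python
import struct

# RFC 4253 section 7.1: the ten name-lists of SSH_MSG_KEXINIT, in wire order.
FIELDS = ["kex", "host_key", "cipher_c2s", "cipher_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def parse_kexinit(payload: bytes) -> dict:
    """Parse a KEXINIT payload (packet framing already stripped) into name-lists."""
    if len(payload) < 17 or payload[0] != 20:      # 20 = SSH_MSG_KEXINIT
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, lists = 17, {}                            # skip type byte + 16-byte cookie
    for field in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos:pos + n].decode("ascii")
        lists[field] = raw.split(",") if raw else []
        pos += n
    return lists

def build_kexinit(lists: dict) -> bytes:
    """Build a KEXINIT payload from name-lists (used for the constructed sample)."""
    out = bytes([20]) + bytes(16)                  # type + all-zero cookie
    for field in FIELDS:
        body = ",".join(lists.get(field, [])).encode("ascii")
        out += struct.pack(">I", len(body)) + body
    return out + b"\x00" + struct.pack(">I", 0)    # first_kex_packet_follows, reserved

def negotiate(client: dict, server: dict) -> dict:
    """Per category: first client preference the server also offers, else None."""
    return {f: next((a for a in prefs if a in server.get(f, [])), None)
            for f, prefs in client.items()}

# Constructed sample: a legacy server with only a DSA host key. Only the
# categories compared below are filled in; the rest are left empty.
SERVER_PAYLOAD = build_kexinit({
    "kex": ["diffie-hellman-group14-sha1"], "host_key": ["ssh-dss"],
    "cipher_c2s": ["aes256-ctr", "aes128-cbc"]})

# Assumed client policy for illustration, not PRTG's published list.
CLIENT = {"kex": ["curve25519-sha256", "diffie-hellman-group14-sha1"],
          "host_key": ["ssh-ed25519", "ssh-rsa"], "cipher_c2s": ["aes256-ctr"]}

def failed_categories(client: dict, payload: bytes) -> list:
    """Categories with no common algorithm; any entry here aborts the handshake."""
    result = negotiate(client, parse_kexinit(payload))
    return [f for f, chosen in result.items() if chosen is None]
```

Calling `failed_categories(CLIENT, SERVER_PAYLOAD)` on the sample returns only `host_key`, which matches the "no match for method server host key algo" failure quoted in the question.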
For anyone looking to support Barracuda CloudGen Firewall with the new SSH restrictions: the firewalls only support DSA and ECDSA SSH host keys. PRTG does not support these SSH host keys anymore. PRTG only supports RSA or ED25519.
You can switch to Compatibility mode in PRTG and modify the SSHD configuration on the firewall. Replace existing lines with:
    KexAlgorithms +diffie-hellman-group14-sha1
    Ciphers +aes256-ctr,aes128-cbc
And restart sshd afterwards:
    /etc/init.d/sshd restart
Please note if your firewall is attached to a Control Center and you make modifications to the SSH configuration, the changes will be overwritten. Also upgrading the device will overwrite the changes, so the workaround is not ideal at all.
Please PRTG, add the previous SSH options in PRTG compatibility mode. Now, these devices are sort of "in between". We have to lower the SSH security on the devices to have them supported in Compatibility mode.
Jun, 2022 - Permalink
Hello there,
It is currently planned to add more algorithms (including ECDSA) to the list; however, there is no clear ETA for it yet, I'm afraid. The new algorithms should be added in one of the next two/three versions (v77 excluded) of PRTG.
Note: Here is a KB article where you will find the existing algorithms used: https://helpdesk.paessler.com/en/support/solutions/articles/76000063051-which-encryption-algorithms-do-prtg-ssh-sensors-support
Regards.
Jun, 2022 - Permalink
Hello,
We have exactly the same problem connecting to all our Linux systems over SSH. Tried to fix settings on the Linux systems but couldn't resolve it.
Any workaround? Will open a support ticket soon.
May, 2022 - Permalink