Delphix

Resolving Unable to SSH to Host Error - exception.host.ssh.connection.failed (KBA7955)

KBA# 7955

Applicable Delphix Versions

Major Release | All Sub Releases
5.3 | 5.3.0.0, 5.3.0.1, 5.3.0.2, 5.3.0.3, 5.3.1.0, 5.3.1.1, 5.3.1.2, 5.3.2.0, 5.3.3.0, 5.3.3.1, 5.3.4.0, 5.3.5.0, 5.3.6.0, 5.3.7.0, 5.3.7.1, 5.3.8.0, 5.3.8.1, 5.3.9.0
5.2 | 5.2.2.0, 5.2.2.1, 5.2.3.0, 5.2.4.0, 5.2.5.0, 5.2.5.1, 5.2.6.0, 5.2.6.1

Issue

When trying to add a new environment or refresh an existing environment, the action fails with an error like the following:

Error: Unable to SSH to host "snoopy.acme.com".
Error Code: exception.host.ssh.connection.failed
Suggested Action: Make sure "snoopy.acme.com" is running and is reachable via SSH from the Delphix Engine.
Diagnosing Information: Reached a server listening on port 22 on host "snoopy.acme.com" from the Delphix Engine. 

This error generally occurs on Delphix versions prior to 6.x when adding a new environment or refreshing an existing one, because the Linux host's SSH server does not allow SHA1 (Secure Hash Algorithm 1). Recent versions of Linux have deprecated SHA1 and removed support for it from the "sshd_config" file.

Troubleshooting Unable to SSH to Host Due to "Cannot negotiate, proposals do not match" Error

On some versions of Linux, it may be possible to review the /etc/ssh/sshd_config file to see which algorithms are supported. On others, you may need to run the following command as the root user to get a listing of the supported ciphers, key exchanges, and MACs:

# sshd -T | grep "\(ciphers\|macs\|kexalgorithms\)"
gssapikexalgorithms gss-gex-sha1-,gss-group14-sha1-
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1

 

Note:

Do not rely on the Delphix Engine ssh CLI connectivity test. It will succeed because partial support for SHA2 was added to Delphix 5.3.6.0 through 5.3.9.0.

Resolution

There are two options to resolve the issue:

  1. Upgrade to Delphix 6.x, which fully supports SHA2.
  2. Until it is possible to upgrade the Delphix Engine to 6.x, add back support for SHA1 by updating the sshd_config of the target host with:
     • Any of the following Key Exchanges:
       • diffie-hellman-group1-sha1
       • diffie-hellman-group-exchange-sha1
     • Any of the following ciphers:
       • 3des-cbc
       • aes128-cbc
     • Any of the following MACs:
       • hmac-sha1
       • hmac-md5

After updating the sshd_config with the above, it is necessary to restart the sshd daemon.
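
The check below is an added example, not part of the original article or of any Delphix tooling. It reads "sshd -T" output and reports the categories in which the host offers none of the algorithms listed above, assuming (as the list reads) that at least one match is needed in each of the three categories; the function and variable names are hypothetical.

```shell
#!/bin/sh
# Legacy algorithms listed in this article's Resolution section.
LEGACY_KEX="diffie-hellman-group1-sha1 diffie-hellman-group-exchange-sha1"
LEGACY_CIPHERS="3des-cbc aes128-cbc"
LEGACY_MACS="hmac-sha1 hmac-md5"

# Sample input: the `sshd -T` output shown earlier in this article.
sample_sshd_output() {
cat <<'EOF'
gssapikexalgorithms gss-gex-sha1-,gss-group14-sha1-
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
EOF
}

# Reads `sshd -T` output on stdin and prints each category (kexalgorithms,
# ciphers, macs) in which the host offers none of the listed algorithms.
# Prints nothing when every category has at least one match.
# The body is a subshell, so its variables do not leak into the caller.
missing_legacy_categories() (
    input=$(cat)
    for key in kexalgorithms ciphers macs; do
        case $key in
            kexalgorithms) wanted=$LEGACY_KEX ;;
            ciphers)       wanted=$LEGACY_CIPHERS ;;
            macs)          wanted=$LEGACY_MACS ;;
        esac
        # Exact keyword match, so "gssapikexalgorithms" is not mistaken
        # for "kexalgorithms" the way a plain grep would match it.
        offered=$(printf '%s\n' "$input" | awk -v k="$key" '$1 == k { print $2 }')
        found=no
        for alg in $wanted; do
            # Comma-delimited match: "hmac-sha1" must not match
            # "hmac-sha1-etm@openssh.com".
            case ",$offered," in *",$alg,"*) found=yes ;; esac
        done
        [ "$found" = yes ] || printf '%s\n' "$key"
    done
)

# Demonstration on the sample; prints "kexalgorithms" and "ciphers".
sample_sshd_output | missing_legacy_categories
```

On the target host, pipe the real output into the function as root (sshd -T | missing_legacy_categories) before and after editing sshd_config and restarting sshd; empty output means every category now has a match.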