I have a workflow in Orchestrator that I've run before that cycles through volumes and runs UNMAP commands. This has worked before, but from what I've read, ESXi 6 Update 2 updated SSH, and I'm guessing that broke my job.
Every time I run my workflow I get an error: Unable to execute command InternalError: Algorithm negotiation fail error.
I did find a KB from VMware on this, but it was for an older version of vCO. I still tried it by adding this to my session:
session.setInfo("cipher.s2c", "aes128-cbc,aes256-cbc,3des-cbc,blowfish-cbc,aes128-ctr,aes192-ctr,aes256-ctr");
session.setInfo("cipher.c2s", "aes128-cbc,aes256-cbc,3des-cbc,blowfish-cbc,aes128-ctr,aes192-ctr,aes256-ctr");
Still does not work.
Any ideas? I'd really appreciate it.
Hi,
You could start tcpdump or Wireshark on the ssh server to find out which algorithms are accepted by the server and compare it to the algorithms offered by the ssh client.
I got the same error trying to connect from vRO 6.0.2 to Ubuntu 16.04 LTS and adding those lines to my sshd_config did it:
KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
Ciphers 3des-cbc,blowfish-cbc,aes128-cbc,aes128-ctr,aes256-ctr
Actually the KexAlgorithms did not match according to Wireshark.
Best regards
Thomas
If you are sure that these are the ciphers you need, could you try adding the following line to the file /etc/vco/app-server/vmo.properties and restarting the vRO service for the changes to take effect (service vco-server restart)?
com.vmware.o11n.ssh.cipher=aes128-cbc,aes256-cbc,3des-cbc,blowfish-cbc,aes128-ctr,aes192-ctr,aes256-ctr
The above assumes cipher.s2c and cipher.c2s will have the same set of ciphers. If you want to provide different sets of ciphers, you can set them separately in the vmo.properties file using the properties com.vmware.o11n.ssh.cipher.s2c and com.vmware.o11n.ssh.cipher.c2s.
I guess I'm not sure which cipher is needed.
https://v-reality.info/2014/08/vmfs-datastore-unmap-using-vcenter-orchestrator/
That link is where I got the workflow from. How would I determine which cipher I need, or is that possible?
I don't have an ESXi 6 U2 host at hand to verify it, but here are a few suggestions:
No luck so far.
My host shows:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc
So I added the following line to my vmo.properties:
com.vmware.o11n.ssh.cipher=aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc
I'm still getting the algorithm negotiation fail.
Not sure if this is helpful, but I found this in the scripting.log:
2016-05-25 10:14:30.619-0500 INFO {user:8af9c09c54bb0fa00154e87b39ac0de4} [SCRIPTING_LOG] Registration of VS-O public key on 'host' for user 'root' failed.InternalError: java.net.ConnectException: Connection refused (Dynamic Script Module name : registerVSOonHost#5) (Dynamic Script Module name : registerVSOonHost#30)
2016-05-25 10:15:01.631-0500 INFO {luser:8af9c09c54bb0fa00154e87bb2cd0deb} [SCRIPTING_LOG] Registration of VS-O public key on 'host' for user 'root' failed.InternalError: Algorithm negotiation fail (Dynamic Script Module name : registerVSOonHost#5) (Dynamic Script Module name : registerVSOonHost#30)
Looks like you are trying to connect as the root user; do you perhaps not have "PermitRootLogin yes" set in the sshd_config file?
Correct, it is permitted.
Anyone got any ideas?
So I tried what you said on my host and that got my job working again.
Are there any negatives by leaving these in place on my host?
Actually, you are potentially weakening security by enabling old and/or less secure algorithms.
Thomas
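Thomas's two points above, that the server's accepted algorithms can be read straight off the KEXINIT exchange and that re-enabling old algorithms weakens the host, can both be checked without Wireshark. The script below is an added example and is not code from this thread, from vRO or from VMware: it decodes SSH_MSG_KEXINIT (RFC 4253) and replays the negotiation rule, which picks the first algorithm on the client's list that the server also offers, so an empty intersection on any field is exactly an "Algorithm negotiation fail". The sample name-lists are constructed: the cipher lists copy the ones posted in the thread (the session.setInfo call and the host's Ciphers line), while the key-exchange, host-key and MAC lists, the `probe_server` helper and the `is_weak` classification are the example's own assumptions, not what vRO 6 or ESXi 6 U2 actually send.

```python
"""Decode SSH_MSG_KEXINIT and replay RFC 4253 algorithm negotiation (added example)."""
import socket
import struct
from typing import Dict, List, Optional

SSH_MSG_KEXINIT = 20
# The ten name-lists of KEXINIT, in wire order (RFC 4253 section 7.1).
FIELDS = ("kex", "hostkey", "cipher_c2s", "cipher_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
NameLists = Dict[str, List[str]]


def build_kexinit(lists: NameLists, cookie: bytes = b"\x00" * 16) -> bytes:
    """Encode an unencrypted SSH binary packet (RFC 4253 section 6) carrying KEXINIT."""
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in FIELDS:
        data = ",".join(lists.get(field, [])).encode("ascii")
        payload += struct.pack(">I", len(data)) + data
    payload += b"\x00" + struct.pack(">I", 0)      # first_kex_packet_follows, reserved
    # 4 (length) + 1 (padlen) + payload + padding must be a multiple of 8, padding >= 4.
    padlen = 8 - ((5 + len(payload)) % 8)
    if padlen < 4:
        padlen += 8
    return struct.pack(">IB", 1 + len(payload) + padlen, padlen) + payload + b"\x00" * padlen


def parse_kexinit(packet: bytes) -> NameLists:
    """Decode a KEXINIT packet (what Wireshark labels 'Key Exchange Init') into its lists."""
    packet_len, padlen = struct.unpack(">IB", packet[:5])
    payload = packet[5:5 + packet_len - padlen - 1]
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT packet")
    pos = 1 + 16                                    # message id + 16-byte random cookie
    lists: NameLists = {}
    for field in FIELDS:
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        raw = payload[pos + 4:pos + 4 + n].decode("ascii")
        pos += 4 + n
        lists[field] = raw.split(",") if raw else []
    return lists


def negotiate(client: NameLists, server: NameLists) -> Dict[str, Optional[str]]:
    """RFC 4253 section 7.1: per field, the first name on the CLIENT's list that the server
    also offers (the host-key compatibility rule for kex is omitted here). None means no
    common algorithm, which the client reports as 'Algorithm negotiation fail'.
    Language lists are optional and never cause failure, so they are skipped."""
    return {f: next((a for a in client[f] if a in server[f]), None) for f in FIELDS[:8]}


def failed_fields(chosen: Dict[str, Optional[str]]) -> List[str]:
    return [f for f, a in chosen.items() if a is None]


def is_weak(name: str) -> bool:
    """Legacy algorithms current sshd builds disable by default (the example's own judgement):
    1024-bit DH, SHA-1 group exchange, any CBC-mode cipher (covers 3des-cbc, blowfish-cbc), RC4."""
    return (name in ("diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1")
            or name.endswith("-cbc") or name.startswith("arcfour"))


def probe_server(host: str, port: int = 22, timeout: float = 5.0) -> NameLists:
    """Connect to a live sshd, exchange version strings and return its KEXINIT lists.
    Replaces the tcpdump/Wireshark step; no key exchange is completed."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"SSH-2.0-kexprobe\r\n")
        f = s.makefile("rb")
        while True:                                 # RFC 4253 section 4.2 allows pre-banner lines
            line = f.readline()
            if not line or line.startswith(b"SSH-"):
                break
        header = f.read(5)
        packet_len, _ = struct.unpack(">IB", header)
        return parse_kexinit(header + f.read(packet_len - 1))


# Constructed sample lists. Cipher lists copy the thread (client session.setInfo, host Ciphers);
# kex/hostkey/MAC lists are assumptions for illustration, not real vRO 6 or ESXi 6 U2 values.
VRO_CIPHERS = ["aes128-cbc", "aes256-cbc", "3des-cbc", "blowfish-cbc",
               "aes128-ctr", "aes192-ctr", "aes256-ctr"]
HOST_CIPHERS = ["aes128-ctr", "aes192-ctr", "aes256-ctr", "3des-cbc"]
CLIENT_VRO: NameLists = {
    "kex": ["diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1"],
    "hostkey": ["ssh-rsa", "ssh-dss"], "cipher_c2s": VRO_CIPHERS, "cipher_s2c": VRO_CIPHERS,
    "mac_c2s": ["hmac-sha1", "hmac-md5"], "mac_s2c": ["hmac-sha1", "hmac-md5"],
    "comp_c2s": ["none"], "comp_s2c": ["none"], "lang_c2s": [], "lang_s2c": [],
}
SERVER_DEFAULT: NameLists = {
    "kex": ["curve25519-sha256@libssh.org", "ecdh-sha2-nistp256",
            "diffie-hellman-group-exchange-sha256", "diffie-hellman-group14-sha1"],
    "hostkey": ["ssh-rsa", "ecdsa-sha2-nistp256"], "cipher_c2s": HOST_CIPHERS, "cipher_s2c": HOST_CIPHERS,
    "mac_c2s": ["hmac-sha2-256", "hmac-sha1"], "mac_s2c": ["hmac-sha2-256", "hmac-sha1"],
    "comp_c2s": ["none"], "comp_s2c": ["none"], "lang_c2s": [], "lang_s2c": [],
}
# The same server after re-adding diffie-hellman-group1-sha1 to KexAlgorithms, as in the fix above.
SERVER_RELAXED: NameLists = {**SERVER_DEFAULT, "kex": SERVER_DEFAULT["kex"] + ["diffie-hellman-group1-sha1"]}

if __name__ == "__main__":
    for label, server in (("default sshd", SERVER_DEFAULT), ("relaxed sshd", SERVER_RELAXED)):
        chosen = negotiate(CLIENT_VRO, parse_kexinit(build_kexinit(server)))
        bad = failed_fields(chosen)
        print(label, "->", f"Algorithm negotiation fail on {bad}" if bad else
              {f: a + (" (weak)" if is_weak(a) else "") for f, a in chosen.items()})
```

Two things the run shows that the thread only hints at. First, with these constructed lists the failure is on kex alone, matching the Wireshark observation above; the cipher lists already overlap. Second, even once kex succeeds, the cipher that gets negotiated is 3des-cbc, because the client's preference order (cbc first, ctr last) is what decides under RFC 4253, so the "fix" of re-enabling old algorithms on the host also downgrades the bulk cipher. Against a real host, `probe_server("esxi-host")` returns the same ten lists the constructed `SERVER_DEFAULT` stands in for.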