VMware Cloud Community
DLally
Enthusiast

Algorithm negotiation fail

I have a workflow in Orchestrator that I've run before that cycles through volumes and runs UNMAP commands. This has worked before, but from what I've read, with ESXi 6 Update 2 ssh was updated, and I'm guessing that broke my job from running.

Every time I run my workflow I get an error: Unable to execute command InternalError: Algorithm negotiation fail error.

I did find a KB from VMware on this, but it was for an older version of vCO. I still tried it by adding this to my session:

session.setInfo("cipher.s2c", "aes128-cbc,aes256-cbc,3des-cbc,blowfish-cbc,aes128-ctr,aes192-ctr,aes256-ctr");

session.setInfo("cipher.c2s", "aes128-cbc,aes256-cbc,3des-cbc,blowfish-cbc,aes128-ctr,aes192-ctr,aes256-ctr");


Still does not work.


Any ideas?  I'd really appreciate it.


Accepted Solutions
ThomasK72
VMware Employee

Hi,

You could start tcpdump or Wireshark on the ssh server to find out which algorithms are accepted by the server and compare it to the algorithms offered by the ssh client.

I got the same error trying to connect from vRO 6.0.2 to Ubuntu 16.04 LTS and adding those lines to my sshd_config did it:

KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1

Ciphers 3des-cbc,blowfish-cbc,aes128-cbc,aes128-ctr,aes256-ctr

Actually the KexAlgorithms did not match according to Wireshark.

Best regards

Thomas

iiliev
VMware Employee

If you are sure that these are the ciphers you need, could you try to add the following line to file /etc/vco/app-server/vmo.properties and restart vRO service for changes to take effect (service vco-server restart)

com.vmware.o11n.ssh.cipher=aes128-cbc,aes256-cbc,3des-cbc,blowfish-cbc,aes128-ctr,aes192-ctr,aes256-ctr

The above assumes cipher.s2c and cipher.c2s will have the same set of ciphers. If you want to provide a different set of ciphers for each, you can do so by setting their values in the vmo.properties file using the properties com.vmware.o11n.ssh.cipher.s2c and com.vmware.o11n.ssh.cipher.c2s.

DLally
Enthusiast

I guess I'm not sure which cipher is needed.

https://v-reality.info/2014/08/vmfs-datastore-unmap-using-vcenter-orchestrator/

The link there is where I got the workflow from. How would I determine which cipher I need, or is that possible?

iiliev
VMware Employee

I don't have an ESXi 6 U2 host at hand to verify it, but here are a few suggestions:

  • Connect to your ESXi host and open the file /etc/ssh/sshd_config. Inside it, there should be a line starting with Ciphers, followed by a list of cipher names. Try adding these in vRO.
  • Check the vRO log files under /var/log/vco/app-server/; perhaps there is some more info about the connection error.
  • Google for, e.g., "esxi ssh ciphers"; there could be some useful info available.

DLally
Enthusiast

No luck so far.

My host shows:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc

So I added the following line to my vmo.properties:

com.vmware.o11n.ssh.cipher=aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc

I'm still getting the algorithm negotiation fail

DLally
Enthusiast

Not sure if this is helpful, but found it in the scripting.log

2016-05-25 10:14:30.619-0500 INFO  {user:8af9c09c54bb0fa00154e87b39ac0de4} [SCRIPTING_LOG] Registration of VS-O public key on 'host' for user 'root' failed.InternalError: java.net.ConnectException: Connection refused (Dynamic Script Module name : registerVSOonHost#5) (Dynamic Script Module name : registerVSOonHost#30)

2016-05-25 10:15:01.631-0500 INFO  {luser:8af9c09c54bb0fa00154e87bb2cd0deb} [SCRIPTING_LOG] Registration of VS-O public key on 'host' for user 'root' failed.InternalError: Algorithm negotiation fail (Dynamic Script Module name : registerVSOonHost#5) (Dynamic Script Module name : registerVSOonHost#30)

kujeter
Enthusiast

Looks like you are trying to connect with the root user, do you perhaps not have "PermitRootLogin yes" set in the sshd_config file?

DLally
Enthusiast

Correct, it is permitted.

DLally
Enthusiast

Anyone got any ideas? :(

DLally
Enthusiast

So I tried what you said on my host and that got my job working again.

Are there any negatives by leaving these in place on my host? 

ThomasK72
VMware Employee

Actually you are potentially weakening the security by enabling old and/or less secure algorithms.

Thomas

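An added example (not code from the thread or from VMware) of the comparison the accepted solution describes: a simplified model of the RFC 4253 rule that each category uses the first algorithm on the client's list that the server also accepts, showing which category produces "Algorithm negotiation fail" and whether the fix lands on a legacy algorithm. The client offer and the "before" server lists are constructed assumptions; the "after" lists are the KexAlgorithms and Ciphers values posted above.

```python
# Added example: simplified SSH algorithm negotiation (RFC 4253, section 7.1).
# CLIENT and SERVER_BEFORE are constructed sample input, not captured traffic.

# Generally considered legacy: SHA-1 with 1024-bit DH, CBC-mode and
# 64-bit-block ciphers. Used only to annotate the negotiated result.
LEGACY = {"diffie-hellman-group1-sha1", "3des-cbc", "blowfish-cbc",
          "aes128-cbc", "aes256-cbc"}

def parse_name_list(value):
    """Split a comma-separated SSH name-list, dropping empty entries."""
    return [name.strip() for name in value.split(",") if name.strip()]

def negotiate(client, server):
    """Return the first client-preferred algorithm the server also accepts."""
    accepted = set(server)
    return next((alg for alg in client if alg in accepted), None)

def diagnose(client_offer, server_offer):
    """Compare both sides per category; chosen=None marks the failing one."""
    report = {}
    for category, client_value in client_offer.items():
        client = parse_name_list(client_value)
        server = parse_name_list(server_offer.get(category, ""))
        chosen = negotiate(client, server)
        report[category] = {"chosen": chosen, "legacy": chosen in LEGACY,
                            "client_only": [a for a in client if a not in server]}
    return report

# Constructed offer of an older SSH client library (assumption).
CLIENT = {"kex": "diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1",
          "cipher": "aes128-ctr,aes128-cbc,3des-cbc,blowfish-cbc"}
# Server after the change: the two sshd_config lines from the thread.
SERVER_AFTER = {
    "kex": "diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,"
           "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,"
           "diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1",
    "cipher": "3des-cbc,blowfish-cbc,aes128-cbc,aes128-ctr,aes256-ctr"}
# Server before the change (assumption): same KEX list without group1-sha1.
SERVER_BEFORE = {"kex": SERVER_AFTER["kex"].split(",", 1)[1],
                 "cipher": "aes128-ctr,aes192-ctr,aes256-ctr"}

if __name__ == "__main__":
    for label, server in (("before", SERVER_BEFORE), ("after", SERVER_AFTER)):
        for category, result in diagnose(CLIENT, server).items():
            print(label, category, result)
```

In this constructed case the cipher category negotiates aes128-ctr both before and after, so only the key-exchange list needed attention, and the change that makes it succeed does so by selecting diffie-hellman-group1-sha1.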