VMware Cloud Community
Eltelnetworks
Contributor
Contributor
‎08-15-2019 04:35 AM

SCP between 4.1 and 6.7

I have an old 4.1 server, and need to move 1 vm to a new server running 6.7 U2

I have been using scp, and that have worked perfectly for the 5.1 servers i have done. I only have one 4.1 missing.

In a previous post : SCP between 4.1 and 6.7 no matching KexAlgo the solution was:

After running in the same trouble

login with putty on the new 6.x hypervisor

esxcli network firewall set --enabled false

deaktivate Firewall (ssh is OUTGOING disabled)

scp -oKexAlgorithms=+diffie-hellman-group1-sha1 -r root@192.168.x.x:/vmfs/volumes/datastore/nameofthevm/ /vmfs/volumes/datastore/

(192.168.x.x is the "old" 4.x hypervisor)

enable firewall

esxcli network firewall set --enabled true

I have tried a bunch of commands, but they all fail due to 4.1 using the old diffie hellman sha1.

Any help would be appreciated.

[root@svrdc067v205:~] esxcli network firewall set --enabled false

[root@svrdc067v205:~] scp -oKexAlgorithms=+diffie-hellman-group1-sha1 -r root@10.240.205.14:'/vmfs/volumes/datastore1/Software' '/vmfs/volumes/datastore1/OVA-ISO/Software'

"diffie-hellman-group1-sha1" is not allowed in FIPS mode

FIPS mode incompatible with SSH2 KexAlgorithms '+diffie-hellman-group1-sha1'.

[root@svrdc067v205:~] scp -oCiphers=3des-cbc -r root@10.240.205.14:'/vmfs/volumes/datastore1/Software' '/vmfs/volumes/datastore1/OVA-ISO/Software'

Unable to negotiate with 10.240.205.14 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

[root@svrdc067v205:~] esxcli system security fips140 ssh set --enable=false

[root@svrdc067v205:~] scp -oKexAlgorithms=+diffie-hellman-group1-sha1 -r root@10.240.205.14:'/vmfs/volumes/datastore1/Software' '/vmfs/volumes/datastore1/OVA-ISO/Software'

"diffie-hellman-group1-sha1" is not allowed in FIPS mode

FIPS mode incompatible with SSH2 KexAlgorithms '+diffie-hellman-group1-sha1'.

[root@svrdc067v205:~] scp -oCiphers=3des-cbc -r root@10.240.205.14:'/vmfs/volumes/datastore1/Software' '/vmfs/volumes/datastore1/OVA-ISO/Software'

Unable to negotiate with 10.240.205.14 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

[root@svrdc067v205:~] esxcli system security fips140 ssh get

   Enabled: false

[root@svrdc067v205:~] scp -oKexAlgorithms=+diffie-hellman-group1-sha1 -r root@10.240.205.14:'/vmfs/volumes/datastore1/Software' '/vmfs/volumes/datastore1/OVA-ISO/Software'

"diffie-hellman-group1-sha1" is not allowed in FIPS mode

FIPS mode incompatible with SSH2 KexAlgorithms '+diffie-hellman-group1-sha1'.

[root@svrdc067v205:~] esxcli system security fips140 ssh set --enable=true

[root@svrdc067v205:~] esxcli network firewall set --enabled true

[root@svrdc067v205:~]

[root@svrdc067v205:~]

[root@svrdc067v205:~]

[root@svrdc067v205:~]

[root@svrdc067v205:~] esxcli network firewall set --enabled false

[root@svrdc067v205:~] scp -r root@10.240.205.14:'/vmfs/volumes/datastore1/Software' '/vmfs/volumes/datastore1/OVA-ISO/Software'

Unable to negotiate with 10.240.205.14 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

[root@svrdc067v205:~] esxcli network firewall set --enabled true

Otherwise I stuck with Datastore browser. 300GB would take quite some time. Smiley Sad

0 Kudos
3 Replies
Eltelnetworks
Contributor
Contributor
‎08-15-2019 05:22 AM

All esxcli system security fips140 ssh set -e false does is replace the 'FipsMode' line with 'FipsMode no' from /etc/ssh/sshd_config.

However that doesn't actually appear to disable FipsMode within OpenSSH.

It used to work with the original 6.7 release but after applying Update 1 or later it stopped it.

0 Kudos
continuum
Immortal
Immortal
‎08-15-2019 08:31 AM

Do you have any Linux system that can reach both hosts via network ? - this can be a VM on one of the hosts or a standalone physical machine ...

When I have to move VMs from host to host and run into problems I use a Linux ...

mkdir /esxi-in

mkdir /esxi-out

sshfs -o ro root@esxi41:/ /esxi-in

sshfs root@esxi67:/vmfs/volumes/datastore/target-dir /esxi-out

Then I use ddrescue to copy from /esxi-in to /esxi-out

That will be slower than using scp from host one to host 2 but it is more reliable and probably way easier to set up.


________________________________________________
Do you need support with a VMFS recovery problem ? - send a message via skype "sanbarrow"
I do not support Workstation 16 at this time ...

0 Kudos
hgaida
Contributor
Contributor
‎09-01-2019 11:34 AM

If you add the following line

FipsMode no

to /etc/ssh/ssh_config the FIPS Mode will be deactivated for SSH client.

Then you can use the approach from previous post SCP between 4.1 and 6.7 no matching KexAlgo

0 Kudos