I have an old 4.1 server, and need to move 1 vm to a new server running 6.7 U2
I have been using scp, and that has worked perfectly for the 5.1 servers I have done. I only have one 4.1 missing.
In a previous post, "SCP between 4.1 and 6.7 no matching KexAlgo", the solution was:
After running in the same trouble
log in with PuTTY on the new 6.x hypervisor
esxcli network firewall set --enabled false
deactivate the firewall (outgoing SSH is disabled)
scp -oKexAlgorithms=+diffie-hellman-group1-sha1 -r root@192.168.x.x:/vmfs/volumes/datastore/nameofthevm/ /vmfs/volumes/datastore/
(192.168.x.x is the "old" 4.x hypervisor)
enable firewall
esxcli network firewall set --enabled true
I have tried a bunch of commands, but they all fail due to 4.1 using the old Diffie-Hellman SHA-1 key exchange.
Any help would be appreciated.
[root@svrdc067v205:~] esxcli network firewall set --enabled false
[root@svrdc067v205:~] scp -oKexAlgorithms=+diffie-hellman-group1-sha1 -r root@10.240.205.14:'/vmfs/volumes/datastore1/Software' '/vmfs/volumes/datastore1/OVA-ISO/Software'
"diffie-hellman-group1-sha1" is not allowed in FIPS mode
FIPS mode incompatible with SSH2 KexAlgorithms '+diffie-hellman-group1-sha1'.
[root@svrdc067v205:~] scp -oCiphers=3des-cbc -r root@10.240.205.14:'/vmfs/volumes/datastore1/Software' '/vmfs/volumes/datastore1/OVA-ISO/Software'
Unable to negotiate with 10.240.205.14 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
[root@svrdc067v205:~] esxcli system security fips140 ssh set --enable=false
[root@svrdc067v205:~] scp -oKexAlgorithms=+diffie-hellman-group1-sha1 -r root@10.240.205.14:'/vmfs/volumes/datastore1/Software' '/vmfs/volumes/datastore1/OVA-ISO/Software'
"diffie-hellman-group1-sha1" is not allowed in FIPS mode
FIPS mode incompatible with SSH2 KexAlgorithms '+diffie-hellman-group1-sha1'.
[root@svrdc067v205:~] scp -oCiphers=3des-cbc -r root@10.240.205.14:'/vmfs/volumes/datastore1/Software' '/vmfs/volumes/datastore1/OVA-ISO/Software'
Unable to negotiate with 10.240.205.14 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
[root@svrdc067v205:~] esxcli system security fips140 ssh get
Enabled: false
[root@svrdc067v205:~] scp -oKexAlgorithms=+diffie-hellman-group1-sha1 -r root@10.240.205.14:'/vmfs/volumes/datastore1/Software' '/vmfs/volumes/datastore1/OVA-ISO/Software'
"diffie-hellman-group1-sha1" is not allowed in FIPS mode
FIPS mode incompatible with SSH2 KexAlgorithms '+diffie-hellman-group1-sha1'.
[root@svrdc067v205:~] esxcli system security fips140 ssh set --enable=true
[root@svrdc067v205:~] esxcli network firewall set --enabled true
[root@svrdc067v205:~] esxcli network firewall set --enabled false
[root@svrdc067v205:~] scp -r root@10.240.205.14:'/vmfs/volumes/datastore1/Software' '/vmfs/volumes/datastore1/OVA-ISO/Software'
Unable to negotiate with 10.240.205.14 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
[root@svrdc067v205:~] esxcli network firewall set --enabled true
Otherwise I'm stuck with the Datastore Browser. 300 GB would take quite some time.
All esxcli system security fips140 ssh set -e false does is replace the 'FipsMode' line in /etc/ssh/sshd_config with 'FipsMode no'.
However, that doesn't actually appear to disable FipsMode within OpenSSH.
It used to work with the original 6.7 release, but after applying Update 1 or later it stopped working.
Do you have any Linux system that can reach both hosts via the network? This can be a VM on one of the hosts or a standalone physical machine ...
When I have to move VMs from host to host and run into problems I use a Linux ...
mkdir /esxi-in
mkdir /esxi-out
sshfs -o ro root@esxi41:/ /esxi-in
sshfs root@esxi67:/vmfs/volumes/datastore/target-dir /esxi-out
Then I use ddrescue to copy from /esxi-in to /esxi-out
That will be slower than using scp from host 1 to host 2, but it is more reliable and probably way easier to set up.
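As an added example (not code from the reply above, and not a VMware or sshfs tool), the sshfs plus ddrescue workflow scripted for a Linux box, with one addition a practitioner will want after an out-of-band copy of a 300 GB VM: a byte-for-byte verification of every file against the source before the copy is trusted. The mount points and the esxi41/esxi67 names follow the reply; the VM path under the datastore, the per-mount ssh options and the verification step are assumptions. A current OpenSSH client refuses diffie-hellman-group1-sha1 by default just as the 6.7 host does, so the legacy option is passed to sshfs for this mount only (sshfs hands unrecognised -o options to ssh); on OpenSSH 8.8 or later the ssh-rsa host-key algorithm may also need re-enabling for the old host.

```shell
#!/bin/sh
# Added example, not from the thread: mount the old ESXi 4.1 datastore read-only
# and the new 6.7 target over sshfs from a Linux box, copy each VM file with
# ddrescue, then verify the copy with sha256 before trusting it.
# esxi41/esxi67 and the mount points follow the reply; paths are assumptions.
set -u

# Mount both sides. The legacy key exchange (and, on OpenSSH 8.8+, the ssh-rsa
# host-key algorithm) is enabled only for this mount of the 4.1 host, not in
# the global ssh_config, so no other connection from this box is downgraded.
mount_sides() {
    mkdir -p /esxi-in /esxi-out
    sshfs -o ro \
          -o KexAlgorithms=+diffie-hellman-group1-sha1 \
          -o HostKeyAlgorithms=+ssh-rsa \
          root@esxi41:/vmfs/volumes/datastore/nameofthevm /esxi-in
    sshfs root@esxi67:/vmfs/volumes/datastore/target-dir /esxi-out
}

# Copy every regular file under $1 to the same relative path under $2 with
# ddrescue, keeping a map file per file so an interrupted copy can resume.
copy_tree() {
    src="$1"; dst="$2"
    ( cd "$src" && find . -type f ) | while IFS= read -r rel; do
        mkdir -p "$dst/$(dirname "$rel")"
        ddrescue "$src/$rel" "$dst/$rel" "$dst/$rel.ddrescue.map"
    done
}

# Return 0 only if every file under $1 has a byte-identical copy under $2;
# missing or differing files are listed on stderr. Reading back through sshfs
# is slow for a large VM, but it is the only check that the bytes on the target
# datastore actually match the source (ddrescue reports, but does not verify).
verify_tree() {
    ( cd "$1" && find . -type f ) | {
        bad=0
        while IFS= read -r rel; do
            if [ ! -f "$2/$rel" ] ||
               [ "$(sha256sum < "$1/$rel")" != "$(sha256sum < "$2/$rel")" ]; then
                printf 'MISMATCH %s\n' "$rel" >&2
                bad=1
            fi
        done
        exit "$bad"   # subshell status becomes the function's return value
    }
}

# Run the whole workflow only when explicitly asked: ./vmcopy.sh run
if [ "${1:-}" = "run" ]; then
    mount_sides
    copy_tree /esxi-in /esxi-out
    verify_tree /esxi-in /esxi-out && echo "copy verified"
fi
```

The verification reads the source a second time, so on a slow link it roughly doubles the transfer time; it is still cheaper than discovering a corrupt .vmdk after the old host has been decommissioned.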
If you add the following line
FipsMode no
to /etc/ssh/ssh_config, FIPS mode will be deactivated for the SSH client.
Then you can use the approach from the previous post, SCP between 4.1 and 6.7 no matching KexAlgo.
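As an added example (not code from this thread, nor a VMware tool), the steps from the question's quoted post and the ssh_config fix from the reply above combined into one wrapper that runs in the 6.7 host shell. The point it adds is scoping: the firewall is opened, "FipsMode no" is written to the client config and the 1024-bit diffie-hellman-group1-sha1 exchange is enabled only for the duration of one copy, and all of it is undone by a trap even if scp fails or the session is interrupted. It also parses the "Their offer:" error from the transcript to enable exactly the method the old host offers rather than a blanket set of legacy algorithms, which generalises the single case shown. Assumptions: root in the ESXi 6.7 shell, the esxcli commands and ssh_config behaviour as described in the thread, and placeholder host/path arguments.

```shell
#!/bin/sh
# Added example, not from the thread: pull a VM directory from an ESXi 4.1 host
# to a 6.7 host, applying the firewall/FIPS/kex workarounds only for one copy
# and reverting them afterwards. Runs as root in the 6.7 host shell (assumed).
set -u

SSH_CLIENT_CONF="${SSH_CLIENT_CONF:-/etc/ssh/ssh_config}"
FIPS_BAK=""

# Extract the key-exchange method from an
# "Unable to negotiate ... Their offer: X" error (first entry if several) so
# the retry enables exactly what the old host offers and nothing more.
kex_from_offer() {
    printf '%s\n' "$1" | sed -n 's/.*Their offer: \([^ ,]*\).*/\1/p'
}

# True if the client config already turns FIPS mode off.
fips_client_off() {
    grep -Eiq '^[[:space:]]*FipsMode[[:space:]]+no([[:space:]]|$)' "$1"
}

# Append "FipsMode no" to the *client* config (/etc/ssh/ssh_config, not the
# sshd_config that esxcli edits). Prints the backup path, or nothing when no
# change was needed, so cleanup knows whether there is anything to restore.
fips_client_disable() {
    if fips_client_off "$1"; then
        return 0
    fi
    cp "$1" "$1.bak.$$"
    printf 'FipsMode no\n' >> "$1"
    printf '%s\n' "$1.bak.$$"
}

# Undo everything: restore the client config and turn the firewall back on.
cleanup() {
    trap - EXIT INT TERM
    if [ -n "$FIPS_BAK" ]; then
        mv "$FIPS_BAK" "$SSH_CLIENT_CONF"
    fi
    esxcli network firewall set --enabled true
}

# legacy_scp root@OLDHOST:/vmfs/volumes/ds/vm /vmfs/volumes/ds/
# The modern defaults are tried first; diffie-hellman-group1-sha1 (1024-bit
# group, SHA-1) is enabled per command with -o, never persistently, and only
# when the old host refuses everything else.
legacy_scp() {
    FIPS_BAK=$(fips_client_disable "$SSH_CLIENT_CONF")
    trap cleanup EXIT
    trap 'cleanup; exit 130' INT TERM
    esxcli network firewall set --enabled false

    err=$(scp -r "$1" "$2" 2>&1 >/dev/null) && return 0
    kex=$(kex_from_offer "$err")
    if [ -z "$kex" ]; then
        printf '%s\n' "$err" >&2      # some other failure: do not downgrade
        return 1
    fi
    printf 'remote only offers %s; retrying with it for this copy\n' "$kex" >&2
    scp -oKexAlgorithms="+$kex" -r "$1" "$2"
}

if [ "$#" -eq 2 ]; then
    legacy_scp "$1" "$2"
fi
```

Run it as legacy_scp.sh root@10.240.205.14:/vmfs/volumes/datastore1/Software /vmfs/volumes/datastore1/OVA-ISO/Software (the paths from the transcript). After the copy, confirm the revert with esxcli network firewall get and grep -i FipsMode /etc/ssh/ssh_config: the weak exchange should be enabled for this one transfer on the management network, not left behind on the host.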