Print Page - SSH error "can't agree on KEX algorithms"

Title: SSH error "can't agree on KEX algorithms"
Post by: Egert143 on October 05, 2020, 09:00:41 AM

Hello

Has anyone experienced following issue: I have set NetXms to poll Mikrotik router via ssh and each time when attempt is made, router generates error "can't agree on KEX algorithms". When i log in manualy via ssh, then no error. Seems like it started with NetXms version 3.5.90. It used to work on older version and polling script hasent changed.

Egert

Title: Re: SSH error "can't agree on KEX algorithms"
Post by: Filipp Sudanov on October 05, 2020, 11:47:08 AM

So when router generates this error the connection does not happen and data is not collected?

Title: Re: SSH error "can't agree on KEX algorithms"
Post by: Victor Kirhenshtein on October 05, 2020, 12:36:30 PM

Hi,

in 3.4 we have added reading SSH config by SSH subagent - could it be that you have something configured there? Also, what KEX algorithms this Mikrotik supports? You can run ssh with -v option and check it. This is sample output from my router:

debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256

Best regards,
Victor

Title: Re: SSH error "can't agree on KEX algorithms"
Post by: Egert143 on October 05, 2020, 12:39:52 PM

ssh debug from router: https://ibb.co/pwxSv02 (https://ibb.co/pwxSv02)

Title: Re: SSH error "can't agree on KEX algorithms"
Post by: Victor Kirhenshtein on October 05, 2020, 12:54:52 PM

Looks like router supports only ssh-dss and ssh-rsa as host key algorithms and they are not offered by client. You may try to add

HostKeyAlgorithms +ssh-rsa

to your .ssh/config file, or create separate config file for SSH subagent with that line and specify it in nxagentd.conf by adding

ConfigFile = path_to_config

in section [SSH].

Best regards,
Victor

Title: Re: SSH error "can't agree on KEX algorithms"
Post by: Egert143 on October 05, 2020, 01:45:44 PM

Seems like its not working when i change agent conf to include

Code Select

[SSH]
HostKeyAlgorithms +ssh-rsa

and restart agent. "cl" line didnt change in debug.

Title: Re: SSH error "can't agree on KEX algorithms"
Post by: Victor Kirhenshtein on October 05, 2020, 01:56:17 PM

In agent config you should specify path to SSH config - you cannot just put SSH configuration options to NetXMS agent config. So in nxagentd.conf you should have something like

Code Select


[SSH]
ConfigFile = /etc/nxagentd-ssh-config

and in file /etc/nxagentd-ssh-config

Code Select


HostKeyAlgorithms +ssh-rsa

Best regards,
Victor

Title: Re: SSH error "can't agree on KEX algorithms"
Post by: Egert143 on October 05, 2020, 02:17:13 PM

Still no go.

Did the following:

nxagentd.conf

Code Select


[SSH]
ConfigFile = D:\NetXMS\etc\nxagentd-ssh-config.conf

nxagentd-ssh-config.conf

Code Select

HostKeyAlgorithms +ssh-rsa

restarted agent. In router ssh debug CL line doesent include ssh-rsa

Title: Re: SSH error "can't agree on KEX algorithms"
Post by: Egert143 on October 09, 2020, 08:25:44 AM

Any other ideas ? :) Would be quite bad if Netxms support for Mikrotik ssh is broken.

Title: Re: SSH error "can't agree on KEX algorithms"
Post by: Egert143 on October 15, 2020, 12:19:28 PM

Got it working:

File: nxagentd-ssh-config.conf

Code Select

HostKeyAlgorithms ssh-dss
KexAlgorithms diffie-hellman-group1-sha1

NetXMS Support Forum

English Support => General Support => Topic started by: Egert143 on October 05, 2020, 09:00:41 AM