Challenge
When attempting to add a managed Linux server, you may receive one of the errors below.
Failed to negotiate key exchange algorithm
Client encryption algorithm not found
Server HMAC algorithm not found
Cause
When Veeam connects to a Linux target, we require Diffie-Hellman key exchange capabilities for successful secure connections and to reduce the possibility that a password will be intercepted when authenticating to the storage. In some Linux distributions, /etc/ssh/sshd_config is missing the KexAlgorithms and Ciphers fields that describe which methods are supported by the SSH daemon.
Solution
Review the configuration of your /etc/ssh/sshd_config file and verify that at least one of the Ciphers, KexAlgorithms, and MACs listed below is present.
Supported ciphers:
3des-cbc, aes128-cbc, aes192-cbc, aes256-cbc, aes128-ctr, aes192-ctr, aes256-ctr, blowfish-cbc, cast128-cbc, arcfour, twofish
Supported Key Exchange algorithms:
diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1
Supported HMACs:
hmac-md5, hmac-md5-96, hmac-sha1, hmac-sha1-96, hmac-sha2-256, hmac-sha2-256-96, hmac-sha2-512, hmac-sha2-512-96, hmac-ripemd160, hmac-ripemd160@openssh.com
See the man page for your sshd_config file and/or query for the supported ciphers, key exchange algorithms and keyed-hash message authentication codes using the following command:
sshd -T
If needed, modify the sshd_config file. Then, to generate the newly added keys, run
ssh-keygen -A
and restart the sshd service on the machine (reboot works fine, too).
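The check described above can be scripted against the output of sshd -T. The following is an added example, not Veeam's own tooling: the function names and the two sample configurations are constructed for illustration, and matching is by exact algorithm name against the lists in this article.

```shell
# Added example: compare `sshd -T` output with the lists in this article.
# Matching is by exact algorithm name (assumption about how to read the lists).
VEEAM_CIPHERS="3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr blowfish-cbc cast128-cbc arcfour twofish"
VEEAM_KEX="diffie-hellman-group-exchange-sha256 diffie-hellman-group-exchange-sha1 diffie-hellman-group14-sha1 diffie-hellman-group1-sha1"
VEEAM_MACS="hmac-md5 hmac-md5-96 hmac-sha1 hmac-sha1-96 hmac-sha2-256 hmac-sha2-256-96 hmac-sha2-512 hmac-sha2-512-96 hmac-ripemd160 hmac-ripemd160@openssh.com"

# overlap KEYWORD LIST: read `sshd -T` output on stdin and print, comma
# separated, the algorithms on the KEYWORD line that also appear in LIST.
overlap() {
    awk -v key="$1" -v want="$2" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) ok[w[i]] = 1 }
        $1 == key {
            m = split($2, have, ",")
            for (i = 1; i <= m; i++)
                if (have[i] in ok) out = out (out ? "," : "") have[i]
        }
        END { print out }'
}

# check_sshd: read `sshd -T` output on stdin, report each category, and
# return 1 if any category has nothing in common with the article's list.
check_sshd() {
    cfg=$(cat)
    rc=0
    set -- ciphers "$VEEAM_CIPHERS" kexalgorithms "$VEEAM_KEX" macs "$VEEAM_MACS"
    while [ $# -gt 0 ]; do
        common=$(printf '%s\n' "$cfg" | overlap "$1" "$2")
        if [ -n "$common" ]; then
            echo "OK   $1: $common"
        else
            echo "FAIL $1: nothing in common with the article's list"
            rc=1
        fi
        shift 2
    done
    return $rc
}

# Constructed samples (not captured from a real host).
SAMPLE_DEFAULT='port 22
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr,aes128-gcm@openssh.com
kexalgorithms curve25519-sha256,diffie-hellman-group-exchange-sha256
macs hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha2-512'
SAMPLE_HARDENED='port 22
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org
macs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com'
# On a real host, as root: sshd -T | check_sshd
printf '%s\n' "$SAMPLE_DEFAULT" | check_sshd
```

The second sample shows how a daemon restricted to AEAD ciphers, curve25519 key exchange and -etm MACs has no algorithm in common with any of the three lists.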
More Information
Some systems offer an option in the GUI to disable or re-enable SSH logon, but these do not always actually restart the daemon. Typically, it is best to restart the service using the command
service ssh restart
or your distribution’s equivalent.