gianni Posted June 30, 2021 Share Posted June 30, 2021 hello everyone I've enable ssh and shell in my server, but if i try to add inventory, nakivo tell me that ssh is not enable. how can i solve this problem? Thanks 1 Quote Link to comment Share on other sites More sharing options...
Mike Spragg Posted July 1, 2021 Share Posted July 1, 2021 You have to modify VMWare itself: https://helpcenter.nakivo.com/display/KB/SSH+Requirements+for+NAKIVO+Backup+and+Replication without the mods to sshd_config - it will never see it. KexAlgorithms HostKeyAlgorithms Ciphers I've include the original and replacement files. Changed: # Version 7.0.2.1 # running from inetd # Port 22 HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_ecdsa_key # Fips mode restricts ciphers to only FIPS-permitted ciphers FipsMode yes # vPP FCS_SSH_EXT.1.7: rekey after 1GB, 1H (instead of default 4GB for AES) RekeyLimit 1G, 1H SyslogFacility auth LogLevel info PermitRootLogin yes PrintMotd yes TCPKeepAlive yes # Key algorithms used in SSHv2 handshake # (ed25519 not allowed by current FIPS module) KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512,ssh-rsa,ssh-dss Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-256,hmac-sha2-512,hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5 UsePAM yes # only use PAM challenge-response (keyboard-interactive) PasswordAuthentication no Banner /etc/issue Subsystem sftp /usr/lib/vmware/openssh/bin/sftp-server -f LOCAL5 -l INFO AuthorizedKeysFile /etc/ssh/keys-%u/authorized_keys # Timeout value of 10 mins. The default value of ClientAliveCountMax is 3. # Hence, we get a 3 * 200 = 600 seconds timeout if the client has been # unresponsive. ClientAliveCountMax 3 ClientAliveInterval 200 # sshd(8) will refuse connection attempts with a probability of "rate/100" # (30%) if there are currently "start" (10) unauthenticated connections. The # probability increases linearly and all connection attempts are refused if the # number of unauthenticated connections reaches "full" (100) MaxStartups 10:30:100 # ESXi is not a proxy server AllowTcpForwarding no AllowStreamLocalForwarding no # The following settings are all default values. They are repeated # here to simplify auditing settings (for example, DoD STIG). IgnoreRhosts yes HostbasedAuthentication no PermitEmptyPasswords no PermitUserEnvironment no StrictModes yes Compression no GatewayPorts no X11Forwarding no AcceptEnv PermitTunnel no # The following settings are disabled during the OpenSSH build. # They are commented out to avoid spurious warnings in log files. #GSSAPIAuthentication no #KerberosAuthentication no Original # Version 7.0.2.1 # running from inetd # Port 22 HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_ecdsa_key # Fips mode restricts ciphers to only FIPS-permitted ciphers FipsMode yes # vPP FCS_SSH_EXT.1.7: rekey after 1GB, 1H (instead of default 4GB for AES) RekeyLimit 1G, 1H SyslogFacility auth LogLevel info PermitRootLogin yes PrintMotd yes TCPKeepAlive yes # Key algorithms used in SSHv2 handshake # (ed25519 not allowed by current FIPS module) KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512 Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-256,hmac-sha2-512 UsePAM yes # only use PAM challenge-response (keyboard-interactive) PasswordAuthentication no Banner /etc/issue Subsystem sftp /usr/lib/vmware/openssh/bin/sftp-server -f LOCAL5 -l INFO AuthorizedKeysFile /etc/ssh/keys-%u/authorized_keys # Timeout value of 10 mins. The default value of ClientAliveCountMax is 3. # Hence, we get a 3 * 200 = 600 seconds timeout if the client has been # unresponsive. ClientAliveCountMax 3 ClientAliveInterval 200 # sshd(8) will refuse connection attempts with a probability of "rate/100" # (30%) if there are currently "start" (10) unauthenticated connections. The # probability increases linearly and all connection attempts are refused if the # number of unauthenticated connections reaches "full" (100) MaxStartups 10:30:100 # ESXi is not a proxy server AllowTcpForwarding no AllowStreamLocalForwarding no # The following settings are all default values. They are repeated # here to simplify auditing settings (for example, DoD STIG). IgnoreRhosts yes HostbasedAuthentication no PermitEmptyPasswords no PermitUserEnvironment no StrictModes yes Compression no GatewayPorts no X11Forwarding no AcceptEnv PermitTunnel no # The following settings are disabled during the OpenSSH build. # They are commented out to avoid spurious warnings in log files. #GSSAPIAuthentication no #KerberosAuthentication no 1 Quote Link to comment Share on other sites More sharing options...
Official Moderator Posted July 2, 2021 Share Posted July 2, 2021 Hello, @gianni! You can consult the following link https://helpcenter.nakivo.com/display/KB/SSH+Requirements+for+NAKIVO+Backup+and+Replication and follow @Mike Spragg's explanation. Let me know if it worked for you! Quote Link to comment Share on other sites More sharing options...
Official Moderator Posted July 2, 2021 Share Posted July 2, 2021 Hey, @Mike Spragg! What an awesome response. Thank you for contributing to NAKIVO forum! Quote Link to comment Share on other sites More sharing options...
Mike Spragg Posted July 2, 2021 Share Posted July 2, 2021 3 minutes ago, Official Moderator said: Hey, @Mike Spragg! What an awesome response. Thank you for contributing to NAKIVO forum! Thank you ! I hit this problem pretty much straight away as soon as 10.3 came out. Unfortunately, there is a down side insofar as you are weakening what was a hardened system so hopefully fixed in 10.4 without the need to do this. 1 Quote Link to comment Share on other sites More sharing options...
gianni Posted July 2, 2021 Author Share Posted July 2, 2021 Thank you very much. I solved the problem, but i don't understand. This problem shows up with the latest version of vmware (7.02) because with 7.0 i never had this problem. 1 Quote Link to comment Share on other sites More sharing options...
Mike Spragg Posted July 2, 2021 Share Posted July 2, 2021 (edited) 1 minute ago, gianni said: Thank you very much. I solved the problem, but i don't understand. This problem shows up with the latest version of vmware (7.02) because with 7.0 i never had this problem. Correct, you didn't. In 7.0U2 they [VMWare] uprated/hardened the security requirements through ssh. By doing this change you've reverted that change by VMWare. Edited July 2, 2021 by Mike Spragg 1 Quote Link to comment Share on other sites More sharing options...
gianni Posted July 2, 2021 Author Share Posted July 2, 2021 3 minutes ago, Mike Spragg said: Correct, you didn't. In 7.0U2 they [VMWare] uprated/hardened the security requirements through ssh. By doing this change you've reverted that change by VMWare. ok, thanks again Mike. 1 Quote Link to comment Share on other sites More sharing options...
Ponord59 Posted July 7, 2021 Share Posted July 7, 2021 Hi # running from inetd # Port 22 what is inetd, a program? I do it via putty thanks 1 Quote Link to comment Share on other sites More sharing options...
Mike Spragg Posted July 7, 2021 Share Posted July 7, 2021 1 hour ago, Ponord59 said: Hi # running from inetd # Port 22 what is inetd, a program? I do it via putty thanks That's not the relevant part - the "file" (as I can't attach it) are shown above - you only need to modify the lines: KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512,ssh-rsa,ssh-dss Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-256,hmac-sha2-512,hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5 This adds the right KexAlgorithm, HostKeyAlgorithms and Ciphers (the original shows what they are now in 7.0U1) The file you need to modify is /etc/ssh/sshd_config 1 Quote Link to comment Share on other sites More sharing options...
Ponord59 Posted July 7, 2021 Share Posted July 7, 2021 3 hours ago, Mike Spragg said: That's not the relevant part - the "file" (as I can't attach it) are shown above - you only need to modify the lines: KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512,ssh-rsa,ssh-dss Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-256,hmac-sha2-512,hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5 This adds the right KexAlgorithm, HostKeyAlgorithms and Ciphers (the original shows what they are now in 7.0U1) The file you need to modify is /etc/ssh/sshd_config ok thanks it's good 1 Quote Link to comment Share on other sites More sharing options...
Official Moderator Posted July 8, 2021 Share Posted July 8, 2021 @Mike Spragg, thanks a lot for your contribution to our blog! Sharing is caring 1 Quote Link to comment Share on other sites More sharing options...
Official Moderator Posted July 8, 2021 Share Posted July 8, 2021 @Ponord59, hi! Just in case you need more information, please refer to this article: https://helpcenter.nakivo.com/display/KB/SSH+Requirements+for+NAKIVO+Backup+and+Replication Quote Link to comment Share on other sites More sharing options...
Mike Spragg Posted July 8, 2021 Share Posted July 8, 2021 2 minutes ago, Official Moderator said: @Ponord59, hi! Just in case you need more information, please refer to this article: https://helpcenter.nakivo.com/display/KB/SSH+Requirements+for+NAKIVO+Backup+and+Replication Hi - is it possible that this article is modified - it doesn't say what to change only what requirements are and a little vague. Just needs direction to modify /etc/ssh/sshd_config and to modify those lines mentioned above e.g. KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512,ssh-rsa,ssh-dss Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-256,hmac-sha2-512,hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5 This adds the right KexAlgorithm, HostKeyAlgorithms and Ciphers That way, it's more specific to the solution. Thanks !! 1 Quote Link to comment Share on other sites More sharing options...
Official Moderator Posted July 8, 2021 Share Posted July 8, 2021 @Mike Spragg, thank you! Quote Link to comment Share on other sites More sharing options...
Axel Posted July 20, 2021 Share Posted July 20, 2021 Hello, @Mike Spragg can you please explain how exactly the "sshd_config" file is modified? Is ist possible to make the changes remote? Maybe you can explain the necessary steps? Thank you in advance! Axel 1 Quote Link to comment Share on other sites More sharing options...
Mike Spragg Posted July 20, 2021 Share Posted July 20, 2021 34 minutes ago, Axel said: Hello, @Mike Spragg can you please explain how exactly the "sshd_config" file is modified? Is ist possible to make the changes remote? Maybe you can explain the necessary steps? Thank you in advance! Axel Either remotely collect it using Win SCP and edit it locally. Or use Vi. You just alter the 3 lines shown in the thread. You can do it remotely if you can ssh into box remotely (switch this on in VMWare). 1 Quote Link to comment Share on other sites More sharing options...
Axel Posted July 20, 2021 Share Posted July 20, 2021 Thank you so much for your help. It worked for me using win SCP. 2 Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.