[ZBXNEXT-8091] Cannot establish SSH session: kex error rsa sha1 Created: 2022 Oct 24  Updated: 2024 Apr 10  Resolved: 2023 Mar 17

Status: Closed
Project: ZABBIX FEATURE REQUESTS
Component/s: Proxy (P), Server (S)
Affects Version/s: 6.2.3
Fix Version/s: 6.4.0rc1, 6.4 (plan)

Type: Change Request Priority: Major
Reporter: Yury Larin Assignee: Armands Arseniuss Skolmeisters
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Ubuntu 22.04

Attachments: File test_get_value_ssh.c.gz    
Issue Links:
Duplicate
Team: Team C
Sprint: Sprint 94 (Nov 2022), Sprint 95 (Dec 2022), Sprint 96 (Jan 2023), Sprint 97 (Feb 2023), Sprint 98 (Mar 2023)
Story Points: 2

 Description   

Steps to reproduce:

  1. In Zabbix create SSH check to old device like Cisco with RSA SHA1 only KEX.
  2. When you try to get data you have error: 
  3. Cannot establish SSH session: kex error : no match for method server host key algo: server [ssh-rsa], client [ssh-dss]

Result:

  • Cannot establish SSH session: kex error : no match for method server host key algo: server [ssh-rsa], client [ssh-dss] 
  • Looks like libssh in Zabbix ignores ~/.ssh/config and glogal ssh_config files.

Expected:
Getting data via ssh due to add to config file rsa:

 

cat /home/zabbix/.ssh/config
Host *
KexAlgorithms diffie-hellman-group1-sha1,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
HostKeyAlgorithms +ssh-rsa,ssh-dss
PubkeyAcceptedKeyTypes +ssh-rsa


 Comments   
Comment by Armands Arseniuss Skolmeisters [ 2023 Jan 16 ]

Available in versions:
Part 1: split ssh code depending on target library

Part 2: added support for legacy additional SSH options

Part3: fixed minor warnings

Comment by Marina Generalova [ 2023 Feb 13 ]

Documentation updated:

Comment by Milan Kordik [ 2023 Feb 28 ]

The documentation for 6.4.0rc2 provides an example of writing

ssh.run[KexAlgorithms,,,,"KexAlgorithms=diffie-hellman-group1-sha1;HostkeyAlgorithms=ssh-rsa,ssh-dss,ecdh-sha2-nistp256"]

This syntax reverts to version 6.4.0rc2 : became not supported: Too many parameters.

In my case, the record is:
ssh.run[hpraid.data.retrieval,,,,"KexAlgorithms=diffie-hellman-group1-sha1;HostkeyAlgorithms=ssh-rsa,ssh-dss,ecdh-sha2-nistp256"]

<askolmeisters> Cannot replicate. Please provide server version with command zabbix_server -V

zabbix_server (Zabbix) 6.4.0rc2
Revision 515ced75ff1 21 February 2023, compilation time: Feb 27 2023 11:30:49

Copyright (C) 2023 Zabbix SIA
License GPLv2+: GNU GPL version 2 or later <https://www.gnu.org/licenses/>.
This is free software: you are free to change and redistribute it according to
the license. There is NO WARRANTY, to the extent permitted by law.

for addition: the installed version of the SSH client

libssh-4:amd64      0.9.5-1+deb11u1 amd64        tiny C SSH library (OpenSSL flavor)
libssh2-1:amd64     1.9.0-2         amd64        SSH2 client-side library
libssh2-1-dev:amd64 1.9.0-2         amd64        SSH2 client-side library (development headers)

This is not a clean installation, but an upgrade from the original 5.4 ==> 6.0 and now compiled 6.4rc2.

Comment by Andris Mednis [ 2023 Mar 01 ]

Milan, are you sure that 6.4rc2 is actually running ? From 6.4rc2 source code - ssh.run[] should support 5 parameters, "Too many parameters" should be from 6 parameters.

Comment by Milan Kordik [ 2023 Mar 01 ]

You're right. Although the installed version is 6.4.0rc2, it remained without 6.0. Thank you very much for your help.

Comment by Andris Mednis [ 2023 Mar 01 ]

Thanks to askolmeisters for proposing the root cause for this issue!

Generated at Sun Apr 20 21:19:14 EEST 2025 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.