
Zabbix 7.2
OS Oracle Linux 9.6

I have a legacy switch that is monitored by a Zabbix Proxy and has SSH items configured. However, the SSH items are unable to reach the host due to a mismatch in Kex algorithms.
Here's the error message that Zabbix displays:

Cannot establish SSH session: kex error : no match for method kex algos: server [diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1], client [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512]

I'm unable to connect to the switch from the Proxy terminal either, with basically the same error message.

So, I've added the following configuration to the proxy /etc/ssh/ssh_config file.

Host 10.22.200.89
    KexAlgorithms ^diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    MACs ^hmac-sha1,hmac-sha1-96

Also, the /etc/ssl/openssl.cnf file is configured to allow legacy algorithms.

[ evp_properties ]
rh-allow-sha1-signatures = yes

[provider_sect]
default = default_sect
legacy = legacy_sect

[legacy_sect]
activate = 1

After making this configuration change, I can SSH to the host from the Proxy CLI with my own user.

However, the error remains the same when connecting from Zabbix itself.


When I try to manually SSH to the switch via the Zabbix Proxy terminal with the zabbix user, the host key also fails.

# su - zabbix -c "ssh -vvv switchuser@10.22.200.89"
OpenSSH_8.7p1, OpenSSL 3.2.2 4 Jun 2024
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: kex names ok: [diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1]
debug1: /etc/ssh/ssh_config line 13: Applying options for *
debug2: resolve_canonicalize: hostname 10.22.200.89 is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/var/lib/zabbix/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/var/lib/zabbix/.ssh/known_hosts2'
debug3: ssh_connect_direct: entering
debug1: Connecting to 10.22.200.89 [10.22.200.89] port 22.
debug3: set_sock_tos: set socket 5 IP_TOS 0x48
debug1: Connection established.
debug1: identity file /var/lib/zabbix/.ssh/id_rsa type -1
debug1: identity file /var/lib/zabbix/.ssh/id_rsa-cert type -1
debug1: identity file /var/lib/zabbix/.ssh/id_dsa type -1
debug1: identity file /var/lib/zabbix/.ssh/id_dsa-cert type -1
debug1: identity file /var/lib/zabbix/.ssh/id_ecdsa type -1
debug1: identity file /var/lib/zabbix/.ssh/id_ecdsa-cert type -1
debug1: identity file /var/lib/zabbix/.ssh/id_ecdsa_sk type -1
debug1: identity file /var/lib/zabbix/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /var/lib/zabbix/.ssh/id_ed25519 type -1
debug1: identity file /var/lib/zabbix/.ssh/id_ed25519-cert type -1
debug1: identity file /var/lib/zabbix/.ssh/id_ed25519_sk type -1
debug1: identity file /var/lib/zabbix/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /var/lib/zabbix/.ssh/id_xmss type -1
debug1: identity file /var/lib/zabbix/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.7
debug1: Remote protocol version 1.99, remote software version Cisco-1.25
debug1: compat_banner: match: Cisco-1.25 pat Cisco-1.* compat 0x60000000
debug2: fd 5 setting O_NONBLOCK
debug1: Authenticating to 10.22.200.89:22 as 'switchuser'
debug1: load_hostkeys: fopen /var/lib/zabbix/.ssh/known_hosts: No such file or directory
debug1: load_hostkeys: fopen /var/lib/zabbix/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug3: order_hostkeyalgs: no algorithms matched; accept original
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c,[email protected]
debug2: host key algorithms: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: MACs ctos: [email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
debug2: MACs stoc: [email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
debug2: compression ctos: none,[email protected],zlib
debug2: compression stoc: none,[email protected],zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
debug2: MACs ctos: hmac-sha1,hmac-sha1-96
debug2: MACs stoc: hmac-sha1,hmac-sha1-96
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: diffie-hellman-group-exchange-sha1
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: kex: diffie-hellman-group-exchange-sha1 need=20 dh_need=20
debug1: kex: diffie-hellman-group-exchange-sha1 need=20 dh_need=20
debug3: send packet: type 34
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<4096<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug3: receive packet: type 31
debug1: SSH2_MSG_KEX_DH_GEX_GROUP received
debug3: send packet: type 32
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: receive packet: type 33
debug1: SSH2_MSG_KEX_DH_GEX_REPLY received
debug1: Server host key: ssh-rsa SHA256:ycZPa..[redacted]
debug1: load_hostkeys: fopen /var/lib/zabbix/.ssh/known_hosts: No such file or directory
debug1: load_hostkeys: fopen /var/lib/zabbix/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug3: hostkeys_find_by_key_hostfile: trying user hostfile "/var/lib/zabbix/.ssh/known_hosts"
debug1: hostkeys_find_by_key_hostfile: hostkeys file /var/lib/zabbix/.ssh/known_hosts does not exist
debug3: hostkeys_find_by_key_hostfile: trying user hostfile "/var/lib/zabbix/.ssh/known_hosts2"
debug1: hostkeys_find_by_key_hostfile: hostkeys file /var/lib/zabbix/.ssh/known_hosts2 does not exist
debug3: hostkeys_find_by_key_hostfile: trying system hostfile "/etc/ssh/ssh_known_hosts"
debug1: hostkeys_find_by_key_hostfile: hostkeys file /etc/ssh/ssh_known_hosts does not exist
debug3: hostkeys_find_by_key_hostfile: trying system hostfile "/etc/ssh/ssh_known_hosts2"
debug1: hostkeys_find_by_key_hostfile: hostkeys file /etc/ssh/ssh_known_hosts2 does not exist
debug1: read_passphrase: can't open /dev/tty: No such device or address
Host key verification failed.

As I understand it, the Proxy should handle the SSH connection to the monitored host. It seems that no matter what SSH configuration I try, it does not affect the Zabbix connection. So, I'm not sure what the issue is.

Has anyone encountered this issue before?


1 Answer


The issue lies in Zabbix's use of libssh, which cannot be configured from the OS. The configuration must be done within Zabbix itself.

I had completely overlooked the "SSH options" parameter in the Zabbix SSH item key. After adding the correct options, the item worked as intended.

Something like:

ssh.run["comment",,,,"KexAlgorithms=diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1;MACs=hmac-sha1,hmac-sha1-96;HostkeyAlgorithms=ssh-rsa"] 
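Narrowing the legacy set, as an added example (this is not code from the question, the answer, or Zabbix): the ssh_config block in the question enables all three SHA-1 key exchanges the switch advertises, including 1024-bit diffie-hellman-group1-sha1 and the truncated hmac-sha1-96, and the option string in the answer does the same inside the item. The script below takes the libssh error text from the question and the switch's MAC and host-key proposals from the ssh -vvv output (embedded as constructed sample data), picks the strongest algorithm both sides share, and renders a per-host ssh_config block for manual checks from the proxy plus the matching ssh.run[] options string for the item. The preference lists, the item description "legacy-switch", and the choice to append with "+" rather than prepend with "^" are my assumptions; the option names in the item string follow the answer.

```shell
#!/usr/bin/env bash
# Added example, not code from the original question, the answer or Zabbix.
# Given a libssh "no match for method kex algos" error plus what the switch
# offered for MACs and host keys, choose the strongest algorithm each side has
# in common and render (a) the narrowest per-host ssh_config block for manual
# checks from the proxy and (b) the "SSH options" string for the ssh.run item.
# The point: enable only what the switch actually needs, not every SHA-1
# algorithm it happens to advertise.
set -eu

# Constructed sample input: the error from the question, and the switch's MAC
# and host-key proposals as printed by ssh -vvv. Not live data.
SAMPLE_ERR='Cannot establish SSH session: kex error : no match for method kex algos: server [diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1], client [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512]'
SERVER_MACS='hmac-sha1,hmac-sha1-96'
SERVER_HOSTKEYS='ssh-rsa'
SWITCH_IP='10.22.200.89'

# What we are willing to accept, strongest first (assumed policy). Algorithms
# absent from these lists are never enabled even if the peer offers them:
# diffie-hellman-group1-sha1 is 1024-bit DH and hmac-sha1-96 is a truncated
# MAC, so both stay out on purpose.
KEX_PREF='diffie-hellman-group-exchange-sha1 diffie-hellman-group14-sha1'
MAC_PREF='hmac-sha2-512 hmac-sha2-256 hmac-sha1'
HOSTKEY_PREF='rsa-sha2-512 rsa-sha2-256 ssh-rsa'

# extract_list SIDE ERRTEXT -> the comma-separated list inside "SIDE [...]"
extract_list() {
    printf '%s\n' "$2" | sed -n "s/.*$1 \[\([^]]*\)].*/\1/p"
}

# first_common "pref list" "offered,comma,list" -> first preferred item the
# peer offers; returns 1 and prints nothing when there is no acceptable overlap.
first_common() {
    pref=$1
    offered=",$2,"
    for a in $pref; do
        case $offered in
            *",$a,"*) printf '%s\n' "$a"; return 0 ;;
        esac
    done
    return 1
}

# render_ssh_config HOST KEX MAC HOSTKEY -> per-host block for ssh_config.
# '+' appends to the crypto-policy defaults instead of replacing them, and the
# Host match keeps the legacy algorithms scoped to this one device.
render_ssh_config() {
    printf 'Host %s\n    KexAlgorithms +%s\n    MACs +%s\n    HostKeyAlgorithms +%s\n' \
        "$1" "$2" "$3" "$4"
}

# render_zabbix_opts KEX MAC HOSTKEY -> the 5th ssh.run[] parameter, in the
# "Key=value;Key=value" form the answer used.
render_zabbix_opts() {
    printf 'KexAlgorithms=%s;MACs=%s;HostkeyAlgorithms=%s\n' "$1" "$2" "$3"
}

# pick_all -> "KEX MAC HOSTKEY" on one line; fails loudly rather than widening
# the allowed set when the switch offers nothing acceptable.
pick_all() {
    k=$(first_common "$KEX_PREF" "$(extract_list server "$SAMPLE_ERR")") \
        || { echo "no acceptable KEX offered by $SWITCH_IP" >&2; return 1; }
    m=$(first_common "$MAC_PREF" "$SERVER_MACS") \
        || { echo "no acceptable MAC offered by $SWITCH_IP" >&2; return 1; }
    h=$(first_common "$HOSTKEY_PREF" "$SERVER_HOSTKEYS") \
        || { echo "no acceptable host-key algorithm offered by $SWITCH_IP" >&2; return 1; }
    printf '%s %s %s\n' "$k" "$m" "$h"
}

main() {
    picked=$(pick_all) || return 1
    set -- $picked
    echo "# --- ssh_config block for manual checks from the proxy ---"
    render_ssh_config "$SWITCH_IP" "$1" "$2" "$3"
    echo "# --- Zabbix item key (description 'legacy-switch' is a placeholder) ---"
    printf 'ssh.run["legacy-switch",,,,"%s"]\n' "$(render_zabbix_opts "$1" "$2" "$3")"
}

main
```

On the sample data this selects diffie-hellman-group-exchange-sha1, hmac-sha1 and ssh-rsa, so the item string becomes KexAlgorithms=diffie-hellman-group-exchange-sha1;MACs=hmac-sha1;HostkeyAlgorithms=ssh-rsa, two KEX methods and one MAC fewer than the lists in the question and answer. The ssh_config block only matters for the manual check from the proxy shell; the -vvv run above shows that check got all the way to host-key verification and failed only because the zabbix account has no known_hosts and no tty to answer the prompt. Pin the switch's key first (for example with ssh-keyscan -t rsa 10.22.200.89 appended to /var/lib/zabbix/.ssh/known_hosts, after comparing its SHA256 fingerprint with the one printed in the log) rather than turning StrictHostKeyChecking off.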
