HPE Community
HPE Morpheus Enterprise Software
1856400 Members
6120 Online
104112 Solutions
New Discussion

Resolving 'SSH Handshake Failed' Issues in Guacd Remote Console

 
Not applicable

‎10-30-2024 01:14 AM

‎10-30-2024 01:14 AM

Resolving 'SSH Handshake Failed' Issues in Guacd Remote Console

In instances where Morpheus nodes have undergone security hardening, users may encounter connectivity issues with the remote console, specifically receiving the error message “SSH handshake failed” when debugging the guacd service. To diagnose this issue, please execute the following commands on one of the Morpheus nodes and the target VM:

ssh -Q cipher
ssh -Q mac
ssh -Q kex

For example, on the Morpheus node, you might see:

**ssh -Q cipher**
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com

**ssh -Q mac**
hmac-sha1
hmac-sha2-256
hmac-sha2-512
hmac-sha1-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com

**ssh -Q kex**
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521

And on the target VM:

**ssh -Q cipher**
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com

**ssh -Q mac**

hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
hmac-md5
hmac-md5-96
umac-64@openssh.com
umac-128@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha1-96-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
hmac-md5-etm@openssh.com
hmac-md5-96-etm@openssh.com
umac-64-etm@openssh.com
umac-128-etm@openssh.com

**ssh -Q kex**
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
curve25519-sha256@libssh.org
sntrup761x25519-sha512@openssh.com

By comparing the output from the Morpheus node and the target VM, We identified discrepancies in the supported algorithms. Consequently, We updated the “/etc/ssh/sshd_config” file on the target VM with the following configurations:

Ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512
KexAlgorithms diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,ecdh-sha2-nistp256

After restarting the SSH service with “systemctl restart sshd” , the remote console functionality was successfully restored for the target VM within Morpheus.

Note: It is essential to implement the same adjustments in the template to ensure that all VMs created from this template do not experience remote console issues in the future.

Thanks
Velan

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.