Applies To
- Zenoss Resource Manager, all versions up to and including 5.1.x
- OpenSSH 1.6.9 (OpenSSH 6.9+)
Summary
Zenoss Resource Manager cannot currently monitor targets with upgraded SSH packages of version 1.6.9 and higher (OpenSSH 6.9+).
OpenSSH 6.9 deprecated support for the protocol message SSH2_MSG_KEX_DH_GEX_REQUEST_OLD. The underlying SSH communication library Zenoss uses requires SSH2_MSG_KEX_DH_GEX_REQUEST_OLD to communicate with SSH targets. See the following release note link for details: http://www.openssh.com/txt/release-6.9
Procedures
Determine the OpenSSH version
- Display the installed OpenSSH version:
- For CentOS/RHEL systems:
# sshd -V
- For Debian/Ubuntu systems:
# apt-cache show ssh
- For CentOS/RHEL systems:
- Consult the output, for example this shows version 6.7:
Package: ssh Source: openssh Version: 1:6.7p1-5+deb8u2 Installed-Size: 160 ...
Workaround
To work around this known issue, there are currently two options:
- Revert/downgrade the target SSH package to a version lower than 1.6.9 (OpenSSH 6.9+).
- Switch the monitoring of the affected targets to use SNMP.
How old is this article and does it still pertain today with Zenoss 5.1.6? Customer trying to SSH to RHEL 7.0 with OpenSSH 6.4p1 and CentOS 6.7 with OpenSSH 7.1p1 and getting a connection timeout. However with older CentOS 5.4 with OpenSSH 4.3p2, it works fine.
The applies to section says including 5.1.x, so I assume 5.1.6 is covered. However, with 5.2 and 5.3 out, I can't tell whether it's still true that only <=5.1.x is impacted or if it's really all versions. We need clarification.