Follow

Zenoss Resource Manager cannot monitor targets with upgraded OpenSSH server

Applies To

  • Zenoss Resource Manager, all versions up to and including 5.1.x
  • OpenSSH 1.6.9 (OpenSSH 6.9+)

Summary

Zenoss Resource Manager cannot currently monitor targets with upgraded SSH packages of version 1.6.9 and higher (OpenSSH 6.9+).

OpenSSH 6.9 deprecated support for the protocol message SSH2_MSG_KEX_DH_GEX_REQUEST_OLD. The underlying SSH communication library Zenoss uses requires SSH2_MSG_KEX_DH_GEX_REQUEST_OLD to communicate with SSH targets. See the following release note link for details: http://www.openssh.com/txt/release-6.9

Procedures

Determine the OpenSSH version

  1. Display the installed OpenSSH version:
    • For CentOS/RHEL systems:
      # sshd -V
    • For Debian/Ubuntu systems:
      # apt-cache show ssh
  2. Consult the output, for example this shows version 6.7:
    Package: ssh
    Source: openssh  
    Version: 1:6.7p1-5+deb8u2
    Installed-Size: 160
    ...
    

Workaround

To work around this known issue, there are currently two options:

  1. Revert/downgrade the target SSH package to a version lower than 1.6.9 (OpenSSH 6.9+).
  2. Switch the monitoring of the affected targets to use SNMP.

 

Was this article helpful?
1 out of 1 found this helpful

Comments

  • Avatar
    Cisco TAC

    How old is this article and does it still pertain today with Zenoss 5.1.6? Customer trying to SSH to RHEL 7.0 with OpenSSH 6.4p1 and CentOS 6.7 with OpenSSH 7.1p1 and getting a connection timeout. However with older CentOS 5.4 with OpenSSH 4.3p2, it works fine.

  • Avatar
    Richard Derr**SUSPENDED**

    The applies to section says including 5.1.x, so I assume 5.1.6 is covered. However, with 5.2 and 5.3 out, I can't tell whether it's still true that only <=5.1.x is impacted or if it's really all versions. We need clarification.

Powered by Zendesk