Skip to main content
Question

Running VBR 12.3.0. VBR backup server getting "Permission denied (public key)"

G
  • ggsc
  • New Here
  • 4 comments

I am currently running Veeam Backup & Replication (VBR) version 12.3.0 and encountering the error "Permission denied (public key)" when trying to add a component server running Ubuntu 22 using SSH keys.

Upon reviewing the logs on the Ubuntu 22 component server, I repeatedly see the following error:

"Unable to negotiate with 10.0.0.8 port 64513: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]."

It appears the VBR backuo server is offering outdated or non-compliant algorithms, such as diffie-hellman-group1-sha1, hmac-sha1, and also requires the deprecated ssh-rsa for public key authentication.

As a result, my SSH connection from the backup server (10.0.0.8) to the component server fails, and I see the "Permission denied (public key)" error in the VBR console.

I prefer to use SSH keys for authentication, and the SSH configuration (sshd_config) on the component server includes the following settings:

GSSAPI Key Exchange Algorithms: gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1-
Ciphers: aes128-ctr,aes192-ctr,aes256-ctr
MACs: hmac-sha2-256,hmac-sha2-512
Key Exchange Algorithms: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256

It seems that the backup server is still accepting outdated key exchange methods and algorithms (diffie-hellman-group1-sha1, hmac-sha1), which are not compliant with current security standards. Could the VBR backup server configuration be adjusted to disable these deprecated algorithms and ensure compatibility with modern, secure methods for SSH key-based authentication?

 

 

 

 

 

9 comments

Chris.Childerhose
Forum|alt.badge.img+21

You can disable them but that is not a Veeam thing but Microsoft.  Check the web for hardening scripts and I think there is some on here for windows too.

Chris Childerhose - VMCA2024 | VMCE2023 | VMCE-SP2024 | Veeam Vanguard 8* | Veeam Legend 5* | vExpert 6* | VCAP-DCV/VCP-DCV | Object First Ace | Cisco Champion | Twitter: @cchilderhose | Blog Site – https://just-virtualization.tech
Tommy O'Shea
1 person likes this
  • Tommy O'Shea
    Tommy O'Shea
G
  • ggsc
  • Author
  • New Here
  • 4 comments
  • March 28, 2025

I used Putty to SSH from the VBR backup server, employing the same SSH keys that I typically use to connect the VBR backup server to the component server, and I was able to connect successfully. However, when I attempted to use the same SSH key on the VBR backup server itself, the connection failed

Chris.Childerhose
1 person likes this
  • Chris.Childerhose
    Chris.Childerhose
Chris.Childerhose
Forum|alt.badge.img+21

I would suggest at this point to open a support ticket and then also post in the forums which is a more technical place - https://forums.veeam.com

 

Chris Childerhose - VMCA2024 | VMCE2023 | VMCE-SP2024 | Veeam Vanguard 8* | Veeam Legend 5* | vExpert 6* | VCAP-DCV/VCP-DCV | Object First Ace | Cisco Champion | Twitter: @cchilderhose | Blog Site – https://just-virtualization.tech
G
  • ggsc
  • Author
  • New Here
  • 4 comments
  • March 28, 2025

Thanks Chris

Chris.Childerhose
1 person likes this
  • Chris.Childerhose
    Chris.Childerhose
Chris.Childerhose
Forum|alt.badge.img+21

Not a problem.  Let us know how you make out and what the solution ends up being.

Chris Childerhose - VMCA2024 | VMCE2023 | VMCE-SP2024 | Veeam Vanguard 8* | Veeam Legend 5* | vExpert 6* | VCAP-DCV/VCP-DCV | Object First Ace | Cisco Champion | Twitter: @cchilderhose | Blog Site – https://just-virtualization.tech
G
  • ggsc
  • Author
  • New Here
  • 4 comments
  • March 28, 2025

looks lime the forums is locked to R&D and not support issues.  I tried to register but I have not received any email approval yet.

Chris.Childerhose
1 person likes this
  • Chris.Childerhose
    Chris.Childerhose
Chris.Childerhose
Forum|alt.badge.img+21
ggsc wrote:

looks lime the forums is locked to R&D and not support issues.  I tried to register but I have not received any email approval yet.

Give it time as you will get and check Spam/Junk too.  It is not just for R&D but keep in mind you need a support case ID to post technical questions there.

 
 
 
Chris Childerhose - VMCA2024 | VMCE2023 | VMCE-SP2024 | Veeam Vanguard 8* | Veeam Legend 5* | vExpert 6* | VCAP-DCV/VCP-DCV | Object First Ace | Cisco Champion | Twitter: @cchilderhose | Blog Site – https://just-virtualization.tech
G
  • ggsc
  • Author
  • New Here
  • 4 comments
  • March 28, 2025

Thanks for the information.

 

I will share them my ticket as soon as I am in the forum

Chris.Childerhose
1 person likes this
  • Chris.Childerhose
    Chris.Childerhose
D
Forum|alt.badge.img+3
  • ddomask
  • Comes here often
  • 115 comments
  • March 31, 2025

Please open a Support Case and let support review.

Veeam will try one of 3 SSH libraries: Granados, Renci, Rebex

Granados is the only one that uses diffie-helman-sha1, and it’s kept for legacy systems (I believe it’s going away in v13), and that’s what is returning the diffie-helman-sha1 error; internally, Veeam will continue past a failure here and try the next two libraries. If none work, then it returns the error from the first library tested.

So likely the issue is about ciphers/kexts, but not clear which one.

https://helpcenter.veeam.com/docs/backup/vsphere/system_requirements.html?ver=120#encrypted-communication

These are the ones Veeam supports, but it’s best to let Support check the logs, it should tell pretty plainly what the issue is.

0x0D 0x0A
Tommy O'Shea
1 person likes this
  • Tommy O'Shea
    Tommy O'Shea

Comment


Terms & Conditions