I logged into the backup host and re-ran the repository resync process, to be greeted by the same error.
(Screenshot: Synology DSM 5.1 error)
As it turns out, this version of SSH doesn't enable the required key exchange protocol by default; luckily, that's an easy edit of the /etc/ssh/sshd_config file. And to play it safe, I added not only the needed Kex parameter, I also added the published defaults.
KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
After restarting SSH in the DSM control panel, then re-scanning the repository, all was not quite fixed:
Back to the man page for sshd_config...
The list of supported ciphers is impressive, but rather than add all of them into the list, I thought it would be useful to get a log entry from the daemon itself as it negotiated the connection with the client. Unfortunately, it wasn't clear where it was logging, so it took some trial-and-error with the config settings before I found a useful set of parameters:
SyslogFacility USER
LogLevel DEBUG
At that point, performing a rescan resulted in an entry in /var/log/messages:
Armed with that entry, I could add the Ciphers entry in sshd_config, adding the options from the Veeam ssh client to the defaults available in this version of sshd:
Ciphers aes128-cbc,blowfish-cbc,3des-cbc,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
One more rescan, and all was well, making it possible to retry the failed jobs.
Follow Up
There have been responses of both successes and failures from people using this post to get their repository back on line. I'm not sure what's going on, but I'll throw in these additional tips for editing sshd_config:
- Each of these entries (KexAlgorithms and Ciphers) is a single-line entry. You must have the keyword (case sensitive), followed by a single space, followed by the entries without whitespace or breaks.
- There's a spot in the default sshd_config that "looks" like the right place to put these entries; that's where I put them. It's a heading labelled "# Ciphers and keying." Just drop them into the space before the Logging section. In the screenshot below, you can see how there's no wrap, no whitespace, etc. This works for me.
- Restart the SSH service. You can use the command line (I recommend using telnet during this operation, or you'll lose your SSH connection as the daemon cycles) or the GUI control panel. If using the latter, uncheck SSH, save, check SSH.
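The placement and formatting rules in these tips can be checked before the restart, which matters because sshd refuses to start on a config it rejects (for example KexAlgorithms placed after a Match line, the error a commenter reports further down). The script below is an added example, not part of the original post; the function names are made up for illustration, and it assumes a POSIX shell with awk and mktemp on the box.

```shell
#!/bin/sh
# Added example (not from the original post): lint KexAlgorithms/Ciphers
# placement and formatting in an sshd_config before restarting sshd.
# Function names are illustrative.

# Print one line per problem; return 1 if any problem was found.
check_sshd_config() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }            # skip blank and comment lines
        { kw = tolower($1) }                     # compare directive names in one case
        kw == "match" && !mline { mline = NR }   # remember where the first Match block opens
        $1 ~ /,/ {                               # a line that starts with an algorithm list
            printf "line %d: looks like a wrapped continuation of the previous line\n", NR
            bad = 1
        }
        kw == "kexalgorithms" || kw == "ciphers" {
            if (mline) {
                printf "line %d: %s comes after the Match block opened on line %d\n", NR, $1, mline
                bad = 1
            }
            if (NF != 2 || $2 ~ /^,|,,|,$/) {
                printf "line %d: %s must be followed by one unbroken comma-separated list\n", NR, $1
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Lint first, then let sshd parse the file itself in test mode (-t).
# sshd is called by absolute path; the step is skipped if sshd is not on PATH.
validate_before_restart() {
    check_sshd_config "$1" || return 1
    sshd_bin=$(command -v sshd) || return 0
    "$sshd_bin" -t -f "$1"
}

if [ "$#" -gt 0 ]; then
    validate_before_restart "$1"
else
    # Constructed sample reproducing the mistake: directive appended after Match.
    sample=$(mktemp)
    printf '%s\n' 'SyslogFacility USER' 'Match User root' \
        '    AllowTcpForwarding yes' \
        'KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1' > "$sample"
    check_sshd_config "$sample" || echo "fix the lines above before restarting sshd"
    rm -f "$sample"
fi
```

diffie-hellman-group1-sha1 and the CBC ciphers in these lists are legacy algorithms that later OpenSSH releases disable by default, so drop them from the lines again once the client can negotiate newer ones.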
Thanks!
Saved my day and my critical backup
Best regards from Denmark
Lars
Great post, but when I add them to the sshd_config (below all the lines) my SSHD can't start
DS1812> synoservicectl --restart sshd
sshd failed to restart... error unknow [0x0000 (null):0]
Found it!
Not below all lines but between the lines :-) THX great post.
You saved my day
Very clever
Great
Worked for me
But still issue with Veeam
No offloading to the CPU of the Synology like it used to.
I made the mistake to update python ... I think there is an issue like that
Python isn't used by Veeam, it's all Perl. Not sure which offload you're wanting; maybe you intend it to be a backup proxy in addition to being a repository?
This did not work. I cannot start ssh after I edit my sshd_config.
If it works for you, can you send me your full sshd_config?
Today I wrote to the software engineer at Synology about this problem.
Synology Support Veeam till 5.0
https://www.synology.com/de-de/knowledgebase/faq/352
Updated post with tips for sshd_config. The only changes from the default are there in those two lines.
Worked great, thanks so much.
Add lines anywhere in config file and make sure to restart your SSH service folks.
Ok,
now it works... I have to use not the last lines in the sshd_config
# obsoletes QuietMode and FascistLogging
SyslogFacility USER
LogLevel DEBUG
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#RSAAuthentication yes
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
#AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
AllowTcpForwarding no
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# override default of no subsystems
#Subsystem sftp /usr/libexec/sftp-server
Subsystem sftp internal-sftp -f DAEMON -u 000
# the following are HPN related configuration options
# tcp receive buffer polling. disable in non autotuning kernels
#TcpRcvBufPoll yes
# disable hpn performance boosts
#HPNDisabled no
# buffer size for hpn to non-hpn connections
#HPNBufferSize 2048
# allow the use of the none cipher
#NoneEnabled no
KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
Match User root
AllowTcpForwarding yes
Putting the KexAlgorithms line in at the ***end*** of the file resulted in the error
"sshd failed to restart... error unknow [0x0000 (null):0]"
When I ran /usr/bin/sshd to start the daemon interactively it spat out:
"/etc/ssh/sshd_config line 151: Directive 'KexAlgorithms' is not allowed within a Match block"
So, as someone pointed out earlier, move the line up somewhere else in the file and it should work - I put it up near the top.
When I ssh using PuTTY and try to edit the file using the root and admin account, I get permission denied!
Can you please help.
Using root account, you might need to change the permissions (chmod) to make it writeable, but *I* didn't have to. Admin account needs 'sudo' unless permissions are open wider than usual.
Thank you for saving my sanity.
You sir are awesome! I certainly did not have the energy to dive that deep into this issue this morning. But a couple of lines added to the right file as you instruct, and problem solved. I am however disappointed that a simple DSM update caused such a headache.
Wow, this is what I would call a "job well done"! This fixed it for me. Thank you very much for getting to the bottom of the problem AND providing a quick fix that everybody should be able to perform. First time I've ever been disappointed by Synology for causing such troubles with a simple update and, even worse, denying they caused the problem and not providing us with a solution.
Second time I have had to resource this post. DSM 5.1-1021 broke Veeam again. Many, many thanks for the write up!
awesome stuff... thanks so much.. now back to a faster speed with NFS ;)
Thank you very much, I had this error as well ("server does not support diffie-hellman-group1-sha1") after a recent firmware update on our QNAP Nas, and your modifications in sshd_config fixed this problem.
Thanks for posting this. Had some problems with my QNAP and your post resolved my errors.
Worked for me. Thank you.
Lifesaver! Fixed our QNAP issue with Veeam 8.0.
Thanks a lot. You saved my time :)
I have the Synology ds2415 installed DSM 5.1-5022 Update 4 and Veeam 8, getting same error.
Tried to edit the sshd_config file but it does not let me.. do I need to login as root.
have tried commands sudo, su - admin,
new to Linux, how can I edit the file in the terminal: vi sshd_config
thanks
Same workaround used for do Backup from Cisco Unified Callmanager. Helped a lot, thank you very much.
The gui has a built in option to do this now. In the screen where you enable/disable SSH, click the "Advanced settings" button, and select "low".
I'm on DSM 5.2-5592
It worked! Thanks a lot~
In DSM 5.2 you can choose the ciphers KEX and MAC in web GUI under Customize in ssh screen.
I also noticed that in DSM 5.2 none of the restarting of ssh mentioned above works. The only way was:
kill -1
This forced sshd to reload the config and even not to drop active ssh connections (like the terminal you typed that command in).
Here is the example how to find the PID of sshd and command to force sshd to reload the config:
DSM> ps w | grep ssh
19982 root 16836 S /usr/bin/sshd
22228 root 54632 S sshd: root@pts/1
22253 root 3768 S grep ssh
DSM> kill -1 19982