Mohan

Reputation: 157

Key exchange was not finished, connection is closed with ganymed-ssh-2 and Cisco Confd

I am using JNC 1.0 & ganymed-ssh-2 v262 to establish a Netconf session over SSH to a Cisco Confd node and getting the following error. What could be the reason?

java.io.IOException: Key exchange was not finished, connection is closed.
    at ch.ethz.ssh2.transport.KexManager.getOrWaitForConnectionInfo(KexManager.java:75)
    at ch.ethz.ssh2.transport.TransportManager.getConnectionInfo(TransportManager.java:169)
    at ch.ethz.ssh2.Connection.connect(Connection.java:759)
    at com.tailf.jnc.SSHConnection.(Unknown Source)
    at com.tailf.jnc.Device.connect(Unknown Source)
    at com.tailf.jnc.Device.connect(Unknown Source)
    ....
    java.base/java.util.concurrent.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:165)
Caused by: java.io.IOException: Cannot negotiate, proposals do not match.
    at ch.ethz.ssh2.transport.ClientKexManager.handleMessage(ClientKexManager.java:123)
    at ch.ethz.ssh2.transport.TransportManager.receiveLoop(TransportManager.java:572)
    at ch.ethz.ssh2.transport.TransportManager$1.run(TransportManager.java:261)
    at java.base/java.lang.Thread.run(Thread.java:833)

Upvotes: 0

Views: 3716

Answers (2)

manjosh

Reputation: 724

The SSH host keys were not matching in confd. We copied the keys again and then it started to work.

cp -f /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_rsa_key.pub /opt/confd/etc/confd/ssh

Upvotes: 0

AndroidX

Reputation: 648

java.io.IOException: Key exchange was not finished, connection is closed.

...
...

Caused by: java.io.IOException: Cannot negotiate, proposals do not match.

It means that there is a mismatch between the supported key exchange algorithms on the client and those supported by the server.

I'd advise updating ganymed-ssh-2 to v263. Apparently the latest version has added support for the following kex algorithms:

diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512

You can check what the server supports by using ssh's debug flag on a terminal:

ssh -vvv user@host

Upvotes: 1
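
An added example, not part of either answer or of ganymed-ssh-2: it reads the "peer server KEXINIT proposal" section of `ssh -vvv` output and reports which name-list (key exchange, host key, cipher or MAC) has no algorithm in common with the client, since any one of them produces "proposals do not match". The debug excerpt is constructed and the client lists in `ASSUMED_CLIENT` are assumptions, not values read from the library.

```python
import re

# Constructed excerpt of `ssh -vvv user@host` output (not from a real server).
SAMPLE_DEBUG = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,diffie-hellman-group14-sha256
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512
debug2: host key algorithms: ssh-rsa,ssh-ed25519
debug2: ciphers ctos: aes256-ctr,aes128-ctr
debug2: MACs ctos: hmac-sha2-256,hmac-sha1
debug2: first_kex_follows 0
"""

# Assumed algorithm lists for an older Java SSH client; replace them with
# what your library version really offers (these are not read from it).
ASSUMED_CLIENT = {
    "KEX algorithms": ["diffie-hellman-group-exchange-sha1",
                       "diffie-hellman-group14-sha1"],
    "host key algorithms": ["ssh-rsa", "ssh-dss"],
    "ciphers ctos": ["aes128-ctr", "aes256-ctr", "aes128-cbc"],
    "MACs ctos": ["hmac-sha1", "hmac-md5"],
}

FIELD = re.compile(r"^debug2: (KEX algorithms|host key algorithms|"
                   r"ciphers ctos|MACs ctos): ?(.*)$")

def server_proposal(debug_text):
    """Collect the name-lists under 'peer server KEXINIT proposal'."""
    proposal, in_server = {}, False
    for line in debug_text.splitlines():
        line = line.strip()
        if "KEXINIT proposal" in line:
            in_server = "peer server" in line
            continue
        match = FIELD.match(line)
        if in_server and match:
            proposal[match.group(1)] = [a for a in match.group(2).split(",") if a]
    return proposal

def negotiate(client, server):
    """Per list, pick the first client algorithm the server also offers
    (RFC 4253 section 7.1, without its extra kex/host-key conditions)."""
    return {cat: next((a for a in offered if a in server.get(cat, [])), None)
            for cat, offered in client.items()}

def mismatches(client, server):
    """Categories with no common algorithm; any one aborts the handshake."""
    return sorted(c for c, alg in negotiate(client, server).items() if alg is None)

if __name__ == "__main__":
    print(mismatches(ASSUMED_CLIENT, server_proposal(SAMPLE_DEBUG)))
```

With the constructed input only the key exchange list comes back empty; adding `diffie-hellman-group14-sha256` to the client list clears it.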
