D.2 Test Credentials or Discovery Fails with Access Denied Error

Issue: Test Credentials, Add workload, or Discover workload actions for a source Linux workload fails with the following error:

Access denied. The root credentials provided cannot be used to connect to the server <source-Linux-workload-IP-address>. Please ensure that the password is correct, and that root has not been blocked from using SSH.

Workaround: Access can be denied for SSH connections if the key algorithm or ciphers settings in the /etc/ssh/sshd_config file on the source Linux workload are missing or are incompatible with the settings used by Migrate server.

  1. Verify the following are working correctly:

    • You correctly specified the source Linux workload’s IP address, user name, and password.

    • On the source Linux workload, the SSH service is enabled and running; and the firewall (if any) allows inbound SSH traffic on TCP port 22.

    • You can log in successfully to this Linux Workload as root user from a remote machine using an SSH client such as Putty.

  2. On the source Linux workload, log in as the root user, then view the log file (/var/log/messages) or check the status of the SSH daemon (systemctl status sshd) to search for error messages for the Migrate server IP address.

  3. Error: No matching key exchange method found.

    <timestamp> xxx-<hostname>-xxx sshd[4849]: fatal: Unable to negotiate with <Migrate-server-IP-address> port 64713: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]

    Solution:

    1. Open the /etc/ssh/sshd_config file in a text editor, add the following line, the save the file.

      KexAlgorithms +diffie-hellman-group1-sha1

    2. Restart the SSH service. At a command prompt, enter

      systemctl restart sshd

  4. Error: No matching cipher found.

    <timestamp> xxx-<hostname>-xxx sshd[5063]: fatal: Unable to negotiate with <Migrate-server-IP-address> port 64776: no matching cipher found. Their offer: aes128-cbc,aes256-cbc,serpent192-cbc,twofish256-cbc,twofish192-cbc,twofish128-cbc,3des-cbc,cast128-cbc,aes192-cbc,serpent128-cbc,blowfish-cbc,serpent256-cbc [preauth]

    Solution:

    1. Open the /etc/ssh/sshd_config file in a text editor, add the following line, the save the file.

      Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc

    2. Restart the SSH service. At a command prompt, enter

      systemctl restart sshd

  5. Add or discover the source Linux workload again.

    1. Verify that Test Credential is successful.

    2. Verify that the workload is added successfully.

See also the following related KB Articles: