This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

Net::SSH::Exception : could not settle on host_key algorithm

Posted on 04-02-2025 05:00 PM
TC-rOrtega
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Hi we are having issues connecting to SFTP from Looker 23.2.24.

The issue started recently, we are seeing the following error in logs and in Looker UI:
Net::SSH::Exception : could not settle on host_key algorithm

Our guess is that the SFTP change its cipher suits, our questions is do we need to upgrade Looker in order to have the newest cipher suites? there is a another way to update cipher suits for Looker?

Connecting from terminal works using aes128-ctr MAC: hmac-sha2-256

penSSH_7.6p1 Ubuntu-4ubuntu0.7+esm3, OpenSSL 1.0.2n 7 Dec 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 4: Applying options for *
debug1: Connecting to <REMOVED> [170.134.213.24] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/ssm-user/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ssm-user/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ssm-user/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ssm-user/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ssm-user/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ssm-user/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ssm-user/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ssm-user/.ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.7+esm3
debug1: Remote protocol version 2.0, remote software version OpenSSH_9.9
debug1: match: OpenSSH_9.9 pat OpenSSH* compat 0x04000000
debug1: Authenticating to <REMOVED>:22 as 'stats@<REMOVED>'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: ecdh-sha2-nistp256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256-etm@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256-etm@openssh.com compression: none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:7gpLBzuLHnS7xwwp/LTZA41njggsYSh94BdTONFRPkw
debug1: Host '<REMOVED>' is known and matches the ECDSA host key.
debug1: Found key in /home/ssm-user/.ssh/known_hosts:1
debug1: resetting send seqnr 3
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: resetting read seqnr 3
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa>
debug1: kex_input_ext_info: publickey-hostbound@openssh.com (unrecognised)
debug1: kex_input_ext_info: ping@openssh.com (unrecognised)
debug1: SSH2_MSG_SERVICE_ACCEPT received
0 3 250
Topic Labels
0 Likes
3 REPLIES 3

Posted on --/--/---- --:-- AM
TC-rOrtega
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

We jut realized Looker has a limited number of supported algorithms for SFTP. And our SFTP requires a host key algorithm not in the list.

Key exchange algorithms:

  • diffie-hellman-group-exchange-sha1
  • diffie-hellman-group1-sha1
  • diffie-hellman-group14-sha1
  • diffie-hellman-group-exchange-sha256

Host key algorithms:

  • ssh-rsa
  • ssh-dss
  • ssh-rsa-cert-v01@openssh.com
  • ssh-rsa-cert-v00@openssh.com


Do you know if there are plans to support additional host key algorithms? thanks

0 Likes

Posted on --/--/---- --:-- AM
Matthew_Burlew
Bronze 4
Bronze 4
In response to TC-rOrtega
Reply posted on --/--/---- --:-- AM

We are having the same issue, and getting feedback that the algorithm list is outdated (and comments of surprise that Google would allow this).  If this could be updated soon that would really help us.

0 Likes

Posted on --/--/---- --:-- AM
TC-rOrtega
Bronze 1
Bronze 1
In response to Matthew_Burlew
Reply posted on --/--/---- --:-- AM

Hi Matthew we reached to Looker support, but they ask us to raise a feature request.
Looks like more algorithms will not be added soon, maybe SFTP deliveries will be removed in the future  🤔

We pivoted to use S3 and trigger with other AWS features to trigger some code that sends the report.

0 Likes
Top Labels in this Space
Top Solution Authors
View all