Avamar: Data Domain Integration: SSH Cipher Suite compatibility

Summary: Avamar and Data Domain Integration: SSH Cipher Suite compatibility issues may arise from changing the SSH server cipher suites that Data Domain supports.

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.

Check out other resources

Symptoms

Cipher suites are changed or upgraded on Data Domain (DD or DDR). Avamar is no longer able to log in to the Data Domain using password-less authentication.

Avamar logs in to the Data Domain using Data Domain's public key in order to exchange certificates when session security features are enabled.

The DDR key is also used to update Data Domain in the Avamar Web User Interface (AUI) and Java UI.

There is an article that explains how to change the Data Domain SSH cipher suites and hmacs: How to tune supported ciphers and hashing algorithms for the SSH server in DDOS

Symptoms may result in the following error in the Avamar UI:

Failed to import host or ca automatically

This prevents the exchange of certificates between Avamar and Data Domain over SSH connections.

Cause

From the contents of the following article How to tune supported ciphers and hashing algorithms for the SSH server in DDOS (symptoms section):

Cipher suites are changed on the DD SSH Server:

ddboost@datadomain# adminaccess ssh option show

Option            Value
---------------   ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
session-timeout   default (infinite)
server-port       default (22)
ciphers           aes128-cbc,chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
macs              hmac-sha1,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com

ddboost@datadomain# adminaccess ssh option set ciphers "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com"

Adminaccess ssh option "ciphers" set to "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com".

ddboost@datadomain# adminaccess ssh option set macs "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256"

Adminaccess ssh option "macs" set to "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256".

ddboost@datadomain# adminaccess ssh option show

Option            Value
---------------   ---------------------------------------------------------------------------------------
session-timeout   default (infinite)
server-port       default (22)
ciphers           chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
macs              hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256

This change breaks the ability to SSH with the DDR public key from Avamar to Data Domain.

This is because the Avamar SSH Client no longer shares a cipher suite with the Data Domain SSH Server:

root@avamar:/etc/ssh/#: ssh -i ~admin/.ssh/ddr_key ddboost@datadomain.company.com

Unable to negotiate with 10.11.12.13 port 22: no matching cipher found. Their offer: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com

Resolution

Once SSH cipher suites are updated on Data Domain, the cipher suites on the Avamar SSH client side must be updated to match:

1. List the current Avamar SSH Client cipher suites:

root@avamar:/etc/ssh/#: grep Ciphers /etc/ssh/ssh_config | grep -v "#"

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc

2. Edit the ssh_config file:

root@avamar:/etc/ssh/#: vi /etc/ssh/ssh_config

3. Change the last line of the file with the list of Ciphers to include the new ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com

4. After editing the last line of the file, it should look like the following:

root@avamar:/etc/ssh/#: grep Ciphers /etc/ssh/ssh_config | grep -v "#"

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc

5. Test the SSH cipher suite compatibility using the DDR public key to log in to Data Domain with public key authentication:

root@avamar:/etc/ssh/#: ssh -i ~admin/.ssh/ddr_key ddboost@datadomain.compnay.com

Data Domain OS
Last login: Tue Sep 13 10:32:07 EDT 2022 from 10.11.12.13 on pts/1
Welcome to Data Domain OS 6.2.0.30-629757
-----------------------------------------
**
** NOTICE: There are 5 outstanding alerts. Run "alerts show current"
**         to display outstanding alert(s).
**

Affected Products

Avamar

Article Number: 000203343

Article Type: Solution

Last Modified: 20 Oct 2025

Version: 5

Check if your device is covered by Support Services.

Avamar: Data Domain Integration: SSH Cipher Suite compatibility

Summary: Avamar and Data Domain Integration: SSH Cipher Suite compatibility issues may arise from changing the SSH server cipher suites that Data Domain supports.

Symptoms

Cause

Resolution

Affected Products

Article Properties

Find answers to your questions from other Dell users

Support Services

Article Properties

Find answers to your questions from other Dell users

Support Services

Avamar: Data Domain Integration: SSH Cipher Suite compatibility

Summary: Avamar and Data Domain Integration: SSH Cipher Suite compatibility issues may arise from changing the SSH server cipher suites that Data Domain supports.

Detailed Article

Symptoms

Cause

Resolution

Affected Products

Symptoms

Cause

Resolution

Affected Products

Article Properties

Find answers to your questions from other Dell users

Support Services

Article Properties

Find answers to your questions from other Dell users

Support Services