Pivotal Knowledge Base


gpssh-exkeys and gpseginstall Fail when Installing on RHEL 7.4 with FIPS Enabled


  • Pivotal Greenplum Database 5.0 (other versions potentially affected)
  • Red Hat Enterprise Linux (RHEL) 7.4
  • FIPS mode enabled 
  • Older SSH key exchange algorithms (sha-1) disabled 


When attempting to use the tools `gpssh-exkeys` or `gpseginstall`, the key exchange fails with the following error and repeatedly requests a password:

Incompatible ssh peer (no acceptable kex algorithm)

Error Message:

[root@master ~]# gpssh-exkeys -f hostfile_exkeys
[STEP 1 of 5] create local ID and authorize on local host
  ... /root/.ssh/id_rsa file exists ... key generation skipped

[STEP 2 of 5] keyscan all hosts and update known_hosts file

[STEP 3 of 5] authorize current user on remote hosts
  ... send to node1
  *** Enter password for node1:
[ERROR node1] Incompatible ssh peer (no acceptable kex algorithm)
  *** Enter password for node1:


The Greenplum management tool suite used an older version of the Python Paramiko library, which did not support the newer SSH key exchange algorithms. When the older key exchange algorithms are disabled on a server that is FIPS compliant, the key exchange mediated by the Greenplum tools fails.


This issue should be resolved in Greenplum versions 5.6.1 and 4.3.24, as seen in the release notes here:


5.6.1: https://gpdb.docs.pivotal.io/560/relnotes/GPDB_561_README.html#topic_jww_p5n_scb

4.3.24: https://gpdb.docs.pivotal.io/43240/relnotes/GPDB_43240_README.html#topic_gj5_wmj_hdb



As the keys only need to be shared once, and as the gpseginstall tool and gpssh-exkeys will skip any previously shared keys, a workaround is as follows:

1. With FIPS enabled, use ssh-copy-id to copy SSH keys which have been generated using ssh-keygen

2. Disable FIPS, or add the following kex algorithms to /etc/ssh/sshd_config and reload sshd:


3. Complete the installation of gpdb using gpseginstall

4. At this point, the keys are already exchanged, and they will not need to be exchanged again unless you add another node to the cluster.

5. Thus, you can re-enable FIPS to be fully compliant by removing the additional kex algorithms in /etc/ssh/sshd_config - the SSH keys which do not require password authentication are in place, and the kex algorithm is no longer relevant, as keys do not need to be re-shared.
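The two checks a practitioner wants around steps 4 and 5 are (a) that key-based login to every host in the hostfile works without a password prompt before FIPS is re-enabled, and (b) that no SHA-1 key exchange algorithm is still enabled once the temporary additions have been removed from /etc/ssh/sshd_config. The script below is an added example, not part of the original article or the Greenplum tools. It assumes OpenSSH's `sshd -T` (which prints the effective server configuration, one lowercase keyword per line) and an OpenSSH client; the list of SHA-1 algorithms and the sample `sshd -T` output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: checks around the workaround.
# Assumes OpenSSH `sshd -T` output on stdin and an OpenSSH `ssh` client.

# SHA-1 based key exchange algorithms. Assumption: these are the "older"
# kex algorithms the article refers to; extend the list if your policy differs.
SHA1_KEX="diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1"

# sha1_kex_enabled: read `sshd -T` output on stdin and print every SHA-1 kex
# algorithm that is still enabled, one per line. Exit status 0 if any were
# found (the temporary workaround is still in place), 1 if none (clean).
sha1_kex_enabled() {
    kex=$(awk 'tolower($1) == "kexalgorithms" { print $2 }')
    found=1
    for alg in $SHA1_KEX; do
        case ",$kex," in
            *",$alg,"*) echo "$alg"; found=0 ;;
        esac
    done
    return $found
}

# passwordless_ok: return 0 if key-based login to HOST works without any
# prompt. BatchMode=yes makes ssh fail instead of asking for a password,
# which is exactly the condition gpseginstall/gpssh-exkeys rely on once the
# keys are in place.
passwordless_ok() {
    ssh -o BatchMode=yes -o ConnectTimeout=5 "$1" true 2>/dev/null
}

# check_hostfile: run passwordless_ok for each host in FILE (one per line,
# blank lines and # comments ignored). Prints a status line per host and
# returns 1 if any host still prompts or is unreachable.
check_hostfile() {
    rc=0
    while IFS= read -r host; do
        case "$host" in ''|'#'*) continue ;; esac
        if passwordless_ok "$host"; then
            echo "OK   $host"
        else
            echo "FAIL $host (still prompts or unreachable)"
            rc=1
        fi
    done < "$1"
    return $rc
}

# Constructed sample `sshd -T` output so the script runs offline: one host
# with the temporary workaround (SHA-1 kex re-added), one without.
SAMPLE_WORKAROUND='port 22
kexalgorithms curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
ciphers aes256-gcm@openssh.com'
SAMPLE_FIPS_ONLY='port 22
kexalgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,diffie-hellman-group-exchange-sha256
ciphers aes256-gcm@openssh.com'

echo "workaround host, SHA-1 kex still enabled:"
printf '%s\n' "$SAMPLE_WORKAROUND" | sha1_kex_enabled || echo "  (none)"
echo "FIPS-only host, SHA-1 kex still enabled:"
printf '%s\n' "$SAMPLE_FIPS_ONLY" | sha1_kex_enabled || echo "  (none)"
```

On a real segment host, run `sshd -T | sha1_kex_enabled` as root after step 5; an empty result (exit status 1) confirms the added algorithms are gone. Before step 5, `check_hostfile hostfile_exkeys` from the master confirms that every host accepts key-based login without a prompt, so re-enabling FIPS cannot reintroduce the password loop shown in the error output above.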


