Error creating new SSH deployment target

Hi,

I’m migrating an existing Octopus Deploy setup into a new environment. I’ve done the initial setup and import of data. Now I am trying to set up the new deployment targets for the new environment.

I try setting up a new SSH target and can’t reach it. When I try the automatic setup, I don’t get past the first screen (auto detect fails); if I try manually, I get the error “Failed to negotiate key exchange algorithm”.
I have verified that this machine is reachable from the Octopus server (I can connect via PuTTY) and the key is correct. What am I missing? Is there anything else I need to open up in the security for that server?

Thanks,
Jeremy

Hi Jeremy!

Welcome to the Octopus community.

Sorry to hear about the issue you are experiencing with your SSH connection.

There shouldn’t be any extra security that needs opening for Octopus to connect.

Could you please confirm for me that the key, user, and port you are using to connect through Octopus are the same ones that work correctly in PuTTY?

Also, if you haven’t seen it already, we have a list of requirements in our documentation for Octopus to connect to an SSH target successfully. Would you mind going through this and just double-checking those requirements against your target?

Should all the above be in line with what you expect, please get back to us, and we can investigate further for you!

Kind Regards
Sean

Thanks for the reply. We did further investigation on the box and found the following restrictions in sshd_config. Removing these restrictions allowed us to connect.

KexAlgorithms diffie-hellman-group14-sha256,diffie-hellman-group16-sha512
Ciphers aes192-ctr,aes256-ctr
MACs hmac-sha2-256,hmac-sha2-512

Rather than remove all restrictions, do you know what else we should add?

Thanks,
Jeremy

Hi Jeremy,

Glad to hear removing these restrictions has temporarily solved your issue.

I will have to ask internally to see what exact cryptography policies we use in our SSH connection, so I will get back to you as soon as I receive an answer on this!

In the meantime, if you should need any other assistance with your SSH deployment or any other issues, please let us know.

Kind Regards,
Sean

Hi Jeremy,

I’ve asked internally, and we don’t have any specific cipher policies for our SSH connections set into Octopus.

I suspect it may be a mismatch in Octopus server OS and SSH target TLS/Cipher settings.
It could be that your Octopus server does not have the same restrictions that your SSH target has.

Could you possibly check and see if any of the restrictions you recently removed on your target do not exist on the machine you are connecting from?

If you do not already have this, we suggest using the IISCrypto tool to check on Windows machines.

Please let us know if you require any other assistance, and we would be happy to help.

Kind Regards,
Sean

Hi again, Jeremy,

I have managed to get the library we use to connect via SSH, which has a list of encryption methods we support. You can see them inside the README on the GitHub page.

I’m hoping this helps even further. Please let me know if you need help with anything else!

Kind Regards,
Sean
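
Comparing the restrictions posted earlier in the thread with the algorithms a client offers shows which category has no overlap. This is an added example, not part of the thread or of Octopus's own code: the client offer is constructed for illustration (it is not the real list of any library) and the function names are hypothetical.

```python
# Added example: check sshd_config algorithm restrictions against a client offer.
SSHD_CONFIG = """\
KexAlgorithms diffie-hellman-group14-sha256,diffie-hellman-group16-sha512
Ciphers aes192-ctr,aes256-ctr
MACs hmac-sha2-256,hmac-sha2-512
"""
# Constructed client offer (assumption; not the list of any real library).
CLIENT_OFFER = {
    "kexalgorithms": ["diffie-hellman-group-exchange-sha256",
                      "diffie-hellman-group14-sha1"],
    "ciphers": ["aes256-ctr", "aes128-ctr"],
    "macs": ["hmac-sha2-256", "hmac-sha1"],
}
DIRECTIVES = ("kexalgorithms", "ciphers", "macs")


def parse_sshd_config(text):
    """Return {directive: [algorithms]} for explicit (absolute) lists only."""
    server = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        key = fields[0].lower()  # sshd_config keywords are case-insensitive
        if key not in DIRECTIVES or len(fields) < 2 or key in server:
            continue  # sshd keeps the first value it reads for a keyword
        if fields[1][0] in "+-^":
            # Relative lists modify the build's defaults, which are not known here.
            raise ValueError(f"{fields[0]}: relative list, defaults required")
        server[key] = [a.strip() for a in fields[1].split(",") if a.strip()]
    return server


def negotiate(client_offer, server):
    """Simplified RFC 4253 rule: first client algorithm the server also lists."""
    return {key: next((a for a in client_offer[key] if a in allowed), None)
            for key, allowed in server.items()}


def report(client_offer, config_text):
    chosen = negotiate(client_offer, parse_sshd_config(config_text))
    return [k for k, v in chosen.items() if v is None], chosen


if __name__ == "__main__":
    failed, chosen = report(CLIENT_OFFER, SSHD_CONFIG)
    for key, algo in chosen.items():
        print(f"{key:14} -> {algo or 'NO COMMON ALGORITHM'}")
    print("negotiation fails on:", ", ".join(failed) or "nothing")
```

Replace `CLIENT_OFFER` with the algorithms the connecting client actually lists; on the target, `sshd -T` prints the effective server lists. A directive that appears in the failed list is the only one that needs a mutually supported algorithm added, so the other restrictions can stay in place.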
