SSH communication between Netscaler Console nodes and/or Netscaler/Netscaler-SDX instance(s) fails


Article ID: CTX677898


Description

After upgrading Netscaler Console (aka ADM) from an earlier version to either 13.1-53.17 (or the 53.22 refresh build) or 14.1-25.53, certain tasks (such as re-creating an HA deployment, Netscaler backup, or other tasks involving an SSH connection) may fail. The failure shows up in an error popup or in log entries (in /var/mps/log/mps_config.log):

"SSH Key Setup failed for x.x.x.x wiht msg SCP: Failure establishing SSH session, ErrorCode = -5"


/var/log/auth.log (on Netscaler Console/SVM, depending on the implementation) may contain the following log entries:
Jun 18 10:14:21 <auth.info> hostname sshd[82242]: Unable to negotiate with 10.x.x.x.x port 49993: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss

Update:
A similar situation may be observed if only the SDX is upgraded to the mentioned builds and its /mpsconfig/sshd_config file does not have the proper entries.

Resolution

Check the content of the sshd_config file:
# cat /mpsconfig/sshd_config

If the file contains:
HostKey /mpsconfig/ssh/ssh_host_dsa_key
 
Fix Method 1
1) Replace that line with:
HostKey /mpsconfig/ssh/ssh_host_ecdsa_key

so that the file contains the following:

HostKey /mpsconfig/ssh/ssh_host_rsa_key
HostKey /mpsconfig/ssh/ssh_host_ecdsa_key

2) Restart the sshd process
a) # ps -auxww | grep ssh
b) # kill -HUP PID   (PID from output a.)
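
The check and Fix Method 1 above, as an added example (not Citrix code): it audits the active HostKey lines of a config file and writes a corrected copy, leaving the original untouched. The function names and the temporary sample file are assumptions made for illustration; on an appliance the input would be /mpsconfig/sshd_config.

```shell
#!/bin/sh
# Added example, not vendor code. Function names are hypothetical.

# Print the key type (rsa, dsa, ecdsa, ...) of every active HostKey line.
# sshd_config keywords are case-insensitive; commented-out lines are skipped.
hostkey_types() {
    awk 'tolower($1) == "hostkey" {
             n = split($2, part, "/"); name = part[n]
             sub(/^ssh_host_/, "", name); sub(/_key$/, "", name)
             print name
         }' "$1"
}

# Print "ok", "dsa-present", "ecdsa-missing" or both; exit status 0 only for "ok".
audit_hostkeys() {
    types=$(hostkey_types "$1")
    verdict=""
    printf '%s\n' "$types" | grep -qx dsa   && verdict="dsa-present"
    printf '%s\n' "$types" | grep -qx ecdsa || verdict="${verdict:+$verdict,}ecdsa-missing"
    printf '%s\n' "${verdict:-ok}"
    [ -z "$verdict" ]
}

# Fix Method 1 applied to a copy: swap the DSA HostKey for the ECDSA one,
# dropping the line if that ECDSA entry is already configured.
fix_hostkeys() {
    awk 'tolower($1) == "hostkey" {
             sub(/ssh_host_dsa_key$/, "ssh_host_ecdsa_key", $2)
             if (seen[$2]++) next
             print "HostKey " $2; next
         }
         { print }' "$1" > "$2"
}

# Demo on a constructed sample file (not taken from a real appliance).
demo_dir=$(mktemp -d)
cat > "$demo_dir/sshd_config" <<'EOF'
# constructed sample
HostKey /mpsconfig/ssh/ssh_host_rsa_key
HostKey /mpsconfig/ssh/ssh_host_dsa_key
EOF
echo "before: $(audit_hostkeys "$demo_dir/sshd_config")"
fix_hostkeys "$demo_dir/sshd_config" "$demo_dir/sshd_config.fixed"
echo "after:  $(audit_hostkeys "$demo_dir/sshd_config.fixed")"
rm -rf "$demo_dir"
```

Review the corrected copy before putting it in place, then restart sshd as in step 2.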
 
Fix Method 2
Remove (or rename) the /mpsconfig/sshd_config file and reboot the appliance.

Update: a permanent fix (under issue ID#NSHELP-38109) is available in:
Netscaler Console: 14.1-25.54, 13.1-53.23
Netscaler SDX: 14.1-25.53, 13.1-53.23


 

Problem Cause

Both releases, 13.1-53.17 MR and 14.1-25.53 FR, include an upgrade to OpenSSH version 9.x (ref. NSPLAT-29640).
For the SSH handshake to succeed, negotiation has to use ECDSA keys, but sshd_config is not updated to use them.
In the vast majority of cases, the installer does not update the content of the sshd_config file because of customizations made earlier by the ADM/NS/SDX admin.